Modify Win2k Registry to resist denial of service


Putting DoS and DDoS in perspective

I expect nobody is unfamiliar with these two terms: Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

Denial of service means that, after a particular attack, the target can no longer deliver the service it is supposed to provide in a timely way: a web server (HTTP service) stops serving pages, a mail server (SMTP, POP3) can no longer send and receive mail, and so on. Most denial of service attacks use a large volume of network packets to overwhelm the other side's network and hosts, so that normal users cannot get timely service from them.

Distributed denial of service, in short, consumes the available system and network bandwidth with a mass of packets far beyond the target's processing capacity, so that its network services fail.

Perhaps because of the media's excessive attention, DoS attacks, and DDoS attacks in particular, seem to have become popular overnight. Network administrators large and small, as soon as a server misbehaves, excitedly shout "I've been DDoSed!", their faces showing boundless glory and pride.

In fact, there are not many real DDoS attacks in our world. After all, launching a DDoS attack requires a great many resources, yet attacks keep happening, and the vast majority of them are ordinary denial of service attacks. How to defend against attacks at this ordinary level has become the biggest headache for many network administrators, so they ask around, and the answer is often the same: "buy our hardware firewall."

Hardware firewalls, including dedicated anti-denial-of-service products, are genuinely good, but the base price is very high; even though they work well, from the standpoint of investment and investment protection they are too expensive.

In fact, the operating system itself has a lot of capability hidden inside, much of which we have to explore slowly. Here I will give a brief introduction to modifying the registry in a Win2000 environment to strengthen the system's resistance to DoS.

Details:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Dead gateway detection. When the server is configured with multiple gateways, the system tries to switch to the second gateway when the network is not flowing smoothly; turning this off can optimize the network.

"EnableDeadGWDetect"=dword:00000000

Do not respond to ICMP redirect messages. Such packets can be used in attacks, so the system should refuse to accept ICMP redirects.

"EnableICMPRedirects"=dword:00000000

Do not release the NetBIOS name on demand. When an attacker sends a request asking the server to release its NetBIOS name, the server can ignore it.

Note that the system must have SP2 or later installed.

"NoNameReleaseOnDemand"=dword:00000001

Send keep-alive verification packets. This option determines the interval at which TCP checks whether the current connection is still alive. If the value is not set, the system checks for idle TCP connections every 2 hours. Here it is set to 5 minutes.

"KeepAliveTime"=dword:000493e0

Disable path MTU discovery. When the value is 1, the largest packet size that can be transmitted is detected automatically, which improves transmission efficiency. If this causes faults, or for safety, set the value to 0, which means a fixed MTU of 576 bytes.

"EnablePMTUDiscovery"=dword:00000000

Enable SYN attack protection. The default value is 0, meaning protection is not enabled. A value of 1 or 2 enables SYN attack protection, with 2 giving the higher security level. Whether traffic is judged to be an attack is triggered by the conditions set with the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below. Note that on NT 4.0 this must be set to 1; setting it to 2 causes the system to restart when it receives a particular packet.

"SynAttackProtect"=dword:00000002

The number of half-open connections allowed at the same time. A half-open connection is a TCP session that has not been fully established; you can see them in the SYN_RCVD state with the netstat command. Here we use the Microsoft recommended value: 100 for Server and 500 for Advanced Server. It can be set slightly smaller.

"TcpMaxHalfOpen"=dword:00000064

The trigger point for deciding that an attack is in progress. Here we use the Microsoft recommended value: 80 for Server and 400 for Advanced Server.

"TcpMaxHalfOpenRetried"=dword:00000050
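To see where a host stands against those two thresholds, here is an added example (not from the original article) that counts half-open connections per local port in netstat output and compares the total with the two registry values; the netstat sample is constructed, and the thresholds are the decimal values of the entries above.

```python
import re

# Constructed sample of `netstat -n` output on a Windows host under a small
# SYN flood: several half-open connections on port 80 from different sources.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            10.0.0.77:41234        ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.12:1025     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.13:1026     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.14:1027     SYN_RECEIVED
  TCP    10.0.0.5:25            203.0.113.9:40000      TIME_WAIT
  TCP    10.0.0.5:25            198.51.100.15:1028     SYN_RECEIVED
"""

# Thresholds from the article's registry fragment, in decimal.
TCP_MAX_HALF_OPEN = 100          # "TcpMaxHalfOpen"=dword:00000064
TCP_MAX_HALF_OPEN_RETRIED = 80   # "TcpMaxHalfOpenRetried"=dword:00000050

LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def half_open_by_port(netstat_text):
    """Count half-open connections per local port. Windows netstat prints the
    state as SYN_RECEIVED; the article's SYN_RCVD spelling is accepted too."""
    counts = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, _foreign, state = m.groups()
        if state in ("SYN_RECEIVED", "SYN_RCVD"):
            port = local.rsplit(":", 1)[1]
            counts[port] = counts.get(port, 0) + 1
    return counts

def assess(counts, max_half_open=TCP_MAX_HALF_OPEN,
           max_retried=TCP_MAX_HALF_OPEN_RETRIED):
    """Compare the total half-open count with the two registry thresholds.
    Reaching either one is the condition under which SynAttackProtect engages."""
    total = sum(counts.values())
    return {
        "total": total,
        "over_retried": total >= max_retried,
        "over_half_open": total >= max_half_open,
    }
```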

Set the time to wait for a SYN-ACK. The default value is 3, which corresponds to 45 seconds; a value of 2 takes 21 seconds and a value of 1 takes 9 seconds. The minimum is 0, meaning no waiting, which takes 3 seconds. This value can be adjusted to the scale of the attack. The Microsoft site security recommendation is 2.

"TcpMaxConnectResponseRetransmissions"=dword:00000001

Set the number of times TCP retransmits a single data segment. The default value is 5, which corresponds to 240 seconds. The Microsoft site security recommendation is 3.

"TcpMaxDataRetransmissions"=dword:00000003

Set the threshold for SYN attack protection. When the available backlog drops to 0, this parameter controls when SYN attack protection is switched on. The Microsoft site security recommendation is 5.

"TCPMaxPortsExhausted"=dword:00000005

Disable IP source routing. The default value of 1 means source-routed packets are not forwarded; 0 means all of them are forwarded; 2 means all received source-routed packets are discarded. The Microsoft site security recommendation is 2.

"DisableIPSourceRouting"=dword:00000002

Limit the maximum time spent in the TIME_WAIT state. The default is 240 seconds, the minimum 30 seconds and the maximum 300 seconds. 30 seconds is recommended.

"TcpTimedWaitDelay"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]

Increment of NetBT connection blocks. The default is 3; the range is 1-20. The larger the value, the better the performance when there are many connections. Each connection block consumes 87 bytes.

"BacklogIncrement"=dword:00000003

Maximum number of NetBT connections. The range is 1-40000; here it is set to 1000. The larger the value, the more connections can be accepted under load.

"MaxConnBackLog"=dword:000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters]

Enable the dynamic backlog. For systems under heavy network load or SYN attack, setting this to 1 is recommended, meaning dynamic backlogs are allowed.

"EnableDynamicBacklog"=dword:00000001

Set the minimum dynamic backlog. This is the minimum number of free connections the dynamic backlog keeps allocated; when the number of free connections drops below it, more are allocated automatically. The default value is 0. For systems under heavy network load or SYN attack, the recommended setting is 20.

"MinimumDynamicBacklog"=dword:00000014

Maximum dynamic backlog. This defines the maximum number of "quasi-connections" and depends mainly on the amount of memory: the theoretical maximum is 5,000 per 32 MB of memory, and it can be raised up to 20,000.

"MaximumDynamicBacklog"=dword:00002e20

Number of free connections added at a time. The default value is 5, which defines how many free connections are added on each growth step. For systems under heavy network load or prone to SYN attacks, 10 is recommended.

"DynamicBacklogGrowthDelta"=dword:0000000a

The following entries must be adjusted by hand to suit the actual situation.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Enable security filtering on the network card.

"EnableSecurityFilters"=dword:00000001

The number of TCP connections open at the same time; control it according to the situation.

"TcpNumConnections"=

This parameter controls the size limit of the TCP header table. On machines with a lot of RAM, increasing this setting can improve responsiveness during a SYN attack.

"TcpMaxSendFree"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Own NIC Interface}]

Disable router discovery. ICMP router advertisement packets can be used to add entries to the routing table, which can be used for attacks, so router discovery is disabled.

"PerformRouterDiscovery"=dword:00000000
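As an added example (not part of the original article), the following Python script parses a .reg fragment like the ones above and checks the SYN-protection values against the rules the text states: DWORDs must have exactly 8 hex digits, SynAttackProtect must be 0, 1 or 2, TcpMaxHalfOpenRetried must stay below TcpMaxHalfOpen, and TcpTimedWaitDelay must lie in 30-300 seconds. The fragment is constructed from the article's Tcpip entries.

```python
import re

# Constructed .reg fragment holding the Tcpip\Parameters SYN-protection
# values from the article, written the way regedit exports them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"TcpTimedWaitDelay"=dword:0000001e
"KeepAliveTime"=dword:000493e0
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]+)$')

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg file;
    a dword that is not exactly 8 hex digits raises ValueError (regedit rejects it)."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            name, hexval = m.groups()
            if len(hexval) != 8:
                raise ValueError(f"{name}: dword needs 8 hex digits, got {hexval!r}")
            result[current][name] = int(hexval, 16)
    return result

def check_tcpip(values):
    """Apply the constraints the article states to the Tcpip Parameters values
    and return the list of problems found (empty means consistent)."""
    problems = []
    if values.get("SynAttackProtect") not in (0, 1, 2):
        problems.append("SynAttackProtect must be 0, 1 or 2")
    half_open, retried = values.get("TcpMaxHalfOpen"), values.get("TcpMaxHalfOpenRetried")
    if half_open is not None and retried is not None and retried >= half_open:
        problems.append("TcpMaxHalfOpenRetried must be below TcpMaxHalfOpen")
    tw = values.get("TcpTimedWaitDelay")
    if tw is not None and not 30 <= tw <= 300:
        problems.append("TcpTimedWaitDelay must be between 30 and 300 seconds")
    return problems
```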
