Configure NT stack to resist network Denial of Service


www.securityportal.com has published a Denial of Service FAQ, which provides background information.

TechRepublic has published Security on IP Networks – Countering Denial-of-Service (DoS) Attacks.

www.windows2000security.com has published Distributed Denial of Service Defense Tactics.

SANS Institute has published an Analysis of the "Shaft" Distributed Denial of Service Tool.

Microsoft has published guidance on hardening the NT TCP/IP stack against these attacks. The
registry settings documented here are taken from Microsoft sources.


SYN attack protection works by reducing the number of retransmissions of the
SYN-ACK, which shortens the time for which resources must stay allocated to a
half-open connection. Allocation of route cache entry (RCE) resources is delayed
until the connection is established. If SynAttackProtect = 2, the connection
indication to AFD (the Winsock kernel driver) is also delayed until the three-way
handshake has completed. Note that the protection mechanism only takes action once
the TcpMaxHalfOpen and TcpMaxHalfOpenRetried thresholds are exceeded. Apply the
following registry setting:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: SynAttackProtect
Type: REG_DWORD
Value: 0 (no SYN attack protection)
Value: 1 (reduced retransmission retries and delayed RCE (route cache entry)
creation once the TcpMaxHalfOpen and TcpMaxHalfOpenRetried conditions are satisfied)
Value: 2 (as for 1, plus delayed connection indication to Winsock)

While the system is under attack, the following options can no longer be enabled
on any socket: scalable windows (RFC 1323) and per-adapter configured TCP
parameters (initial RTT, window size). This is because, while protection is
active, the route cache entry is not queried before the SYN-ACK is sent, and the
Winsock options are not yet available at that stage of the connection.

The TcpMaxHalfOpen parameter controls the number of connections allowed in the
SYN-RCVD state before SYN attack protection begins to operate. If
SynAttackProtect is set to 1, ensure that this value is lower than the AFD
listen backlog on the port you want to protect.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpen
Type: REG_DWORD
Value: 100 (Professional, Server)
Value: 500 (Advanced Server)

The TcpMaxHalfOpenRetried parameter controls the number of connections in the
SYN-RCVD state for which there has been at least one retransmission of the SYN
sent, before SYN attack protection begins to operate.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpenRetried
Type: REG_DWORD
Value: 80 (Professional, Server)
Value: 400 (Advanced Server)

EnablePMTUDiscovery: When this parameter is set to 1 (True), TCP attempts to
discover the Maximum Transmission Unit (MTU, the largest packet size) over the
path to a remote host. By discovering the path MTU and limiting TCP segments to
that size, TCP can eliminate fragmentation at routers along the path that
connect networks with different MTUs. Fragmentation adversely affects TCP
throughput and network congestion. Setting this parameter to 0 causes an MTU of
576 bytes to be used for all connections that are not to hosts on the local
subnet.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnablePMTUDiscovery
Type: REG_DWORD
Value: 1 (recommended)
Value: 0 (default)

NoNameReleaseOnDemand: This parameter determines whether the computer releases
its NetBIOS name when it receives a name-release request from the network. It
was added to allow the administrator to protect the machine against malicious
name-release attacks.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: NoNameReleaseOnDemand
Type: REG_DWORD
Value: 1 (recommended)
Value: 0 (default)

EnableDeadGWDetect: When this parameter is 1, TCP is allowed to perform
dead-gateway detection. With this feature enabled, TCP may ask IP to switch to a
backup gateway if a number of connections are experiencing difficulty. Backup
gateways may be defined in the Advanced section of the TCP/IP configuration
dialog in the Network Control Panel.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnableDeadGWDetect
Type: REG_DWORD
Value: 0 (recommended)
Value: 1 (default)

KeepAliveTime: This parameter controls how often TCP attempts to verify that an
idle connection is still intact by sending a keep-alive packet. If the remote
system is still reachable and functioning, it acknowledges the keep-alive
transmission. Keep-alive packets are not sent by default; the feature may be
enabled on a connection by an application.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: KeepAliveTime
Type: REG_DWORD
Value: 300000 (recommended)
Value: 7200000 (two hours; default)

PerformRouterDiscovery: This parameter controls whether Windows 2000 attempts to
perform router discovery per RFC 1256 on a per-interface basis.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: PerformRouterDiscovery
Type: REG_DWORD
Value: 0 (recommended)
Value: 1 (enabled)
Value: 2 (enabled only if DHCP sends the router discovery option)

EnableICMPRedirects: This parameter controls whether Windows 2000 will alter its
route table in response to ICMP redirect messages sent to it by network
devices such as routers.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnableICMPRedirects
Type: REG_DWORD
Value: 0 (recommended)
Value: 1 (default)

Taken from the Microsoft KB article Security Considerations for Network Attacks.
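
As an added example (not from the article or from Microsoft), the following PowerShell script audits a host's Tcpip\Parameters values against the settings listed above and writes them when run with -Apply. The edition-specific half-open limits and the SynAttackProtect level are parameters because the article lists more than one value for them; defaulting SynAttackProtect to 2 is this example's assumption.

```powershell
# Added example, not from the original article or from Microsoft: audits the
# Tcpip\Parameters values discussed above against the article's listed
# settings and, with -Apply, writes them. Run from an elevated session; the
# stack reads these values at start-up, so reboot after applying.
[CmdletBinding()]
param(
    [switch]$Apply,                               # report only unless given
    [ValidateSet('Professional', 'Server', 'AdvancedServer')]
    [string]$Edition = 'Server',                  # selects the half-open limits
    [ValidateSet(1, 2)]
    [int]$SynAttackProtect = 2                    # article lists 1 and 2; 2 assumed here
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$adv = ($Edition -eq 'AdvancedServer')
$halfOpen        = if ($adv) { 500 } else { 100 }
$halfOpenRetried = if ($adv) { 400 } else { 80 }

# Target values as listed in the article.
$desired = [ordered]@{
    SynAttackProtect       = $SynAttackProtect
    TcpMaxHalfOpen         = $halfOpen
    TcpMaxHalfOpenRetried  = $halfOpenRetried
    EnablePMTUDiscovery    = 1
    NoNameReleaseOnDemand  = 1
    EnableDeadGWDetect     = 0
    KeepAliveTime          = 300000               # milliseconds
    PerformRouterDiscovery = 0
    EnableICMPRedirects    = 0
}

if (-not (Test-Path $key)) { throw "Registry key not found: $key" }
$current = Get-ItemProperty -Path $key

foreach ($name in $desired.Keys) {
    $want = $desired[$name]
    $have = $current.$name      # $null when absent, i.e. the built-in default applies
    $state = if ($null -eq $have) { 'ABSENT' } elseif ($have -eq $want) { 'OK' } else { 'DIFFERS' }
    $shown = if ($null -eq $have) { '-' } else { $have }
    '{0,-22} want={1,-7} have={2,-7} {3}' -f $name, $want, $shown, $state
    if ($Apply -and $state -ne 'OK') {
        # REG_DWORD as the article specifies; Set-ItemProperty creates a missing value
        Set-ItemProperty -Path $key -Name $name -Value $want -Type DWord
    }
}

# The article's condition that TcpMaxHalfOpen stay below the AFD listen backlog of
# the protected port is not visible in the registry; check it per application.
```

On Windows Vista and later the TCP/IP stack was rewritten and several of these values, SynAttackProtect and the TcpMaxHalfOpen pair among them, are no longer honoured, so treat the script as an audit of legacy NT and Windows 2000 hosts.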
