A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.
To protect the network against SYN attacks, follow these generalized steps, explained later in this document:
Enable SYN attack protection
Set SYN protection thresholds
Set additional protections
The named value to enable SYN attack protection is located beneath the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services .
Value name : SynAttackProtect
Recommended value: 2
Valid values: 0 “2
Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.
The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services . These keys and values are:
Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0 “65535
Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.
Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100 “65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.
Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80 “65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.
All the keys and values in this section are located under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services . These keys and values are:
Value name: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0 “255
Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.
Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0 “65535
Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.
Value name: EnablePMTUDiscovery
Recommended value data:
Valid values: 0, 1
Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack. Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.
Value name: KeepAliveTime
Recommended value data: 300000
Valid values: 80 “4294967295
Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep- alive packet.
Value name: NoNameReleaseOnDemand
Recommended value data: 1
Valid values: 0, 1
Description: Specifies to not release the NetBIOS name of a computer when it receives a name-release request.
Use the values that are summarized in Table 1 for maximum protection.
Value Name | Value (REG_DWORD) |
---|---|
SynAttackProtect | 2 |
TcpMaxPortsExhausted | 1 |
TcpMaxHalfOpen | 500 |
TcpMaxHalfOpenRetried | 400 |
TcpMaxConnectResponseRetransmissions | 2 |
TcpMaxDataRetransmissions | 2 |
EnablePMTUDiscovery |
|
KeepAliveTime | 300000 (5 minutes) |
NoNameReleaseOnDemand | 1 |