HOW TO TWEAK THE REGISTRY SETTINGS FOR MAXIMUM PROTECTION FROM NETWORK ATTACK
The following registry settings will help to increase the resistance of the NT or Windows 2000 network stack to network denial of service attacks. All of the TCP/IP parameters are registry values located under the registry key:
HKEY_LOCAL_MACHINE
\SYSTEM
\CurrentControlSet
\Services:
\Tcpip
\Parameters
1. SynAttackProtect
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD
c.) Valid Range: 0, 1, 2
0 (no synattack protection)
1 (reduced retransmission retries and delayed RCE (route cache entry) creation if
the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied.)
2 (in addition to 1 a delayed indication to Winsock is made.)
Note: When the system finds itself under attack the following options on any socket can no longer be enabled : Scalable windows (RFC 1323) and per adapter configured TCP parameters (Initial RTT, window size). This is because when protection is functioning the route cache entry is not queried before the SYN-ACK is sent and the Winsock options are not available at this stage of the connection.
d.) Default: 0 (False)
e.) Recommendation: 2
f.) Description: Synattack protection involves reducing the amount of retransmissions for the SYN-ACKS, which will reduce the time for which resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made. If synattackprotect = 2, then the connection indication to AFD is delayed until the three-way handshake is completed. Also note that the actions taken by the protection mechanism only occur if TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded
2. TcpMaxHalfOpen
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Number
c.) Valid Range: 100–0xFFFF
d.) Default: 100 (Professional, Server), 500 (advanced server)
e.) Recommendation: default
f.) Description: This parameter controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen backlog on the port you want to protect(see Backlog Parameters for more information). See the SynAttackProtect parameter for more details
3. TcpMaxHalfOpenRetried
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Number
c.) Valid Range: 80–0xFFFF
d.) Default: 80 (Professional, Server), 400 (Advanced Server)
e.) Recommendation: default
f.) Description: This parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-ATTACK attack protection begins to operate. See the SynAttackProtect parameter for more details.
4. EnablePMTUDiscovery
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Boolean
c.) Valid Range: 0, 1 (False, True)
d.) Default: 1 (True)
e.) Recommendation: 0
f.) Description: When this parameter is set to 1 (True) TCP attempts to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections that are not to hosts on the local subnet
5. NoNameReleaseOnDemand
a.) Key: Netbt\Parameters
b.) Value Type: REG_DWORD—Boolean
c.) Valid Range: 0, 1 (False, True)
d.) Default: 0 (False)
e.) Recommendation: 1
f.) Description: This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to allow the administrator to protect the machine against malicious name-release attacks
6. EnableDeadGWDetect
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Boolean
c.) Valid Range: 0, 1 (False, True)
e.) Default: 1 (True)
f.) Recommendation: 0
g.) Description: When this parameter is 1, TCP is allowed to perform dead-gateway detection. With this feature enabled, TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways may be defined in the Advanced section of the TCP/IP configuration dialog in the Network Control Panel. See the "Dead Gateway Detection" section in this paper for details
7. KeepAliveTime
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Time in milliseconds
c.) Valid Range: 1–0xFFFFFFFF
d.) Default: 7,200,000 (two hours)
e.) Recommendation: 300,000
f.) Description: The parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by an application
8. PerformRouterDiscovery
a.) Key: Tcpip\Parameters\Interfaces b.) Value Type: REG_DWORD
c.) Valid Range: 0,1,2
0 (disabled)
1 (enabled)
2 (enable only if DHCP sends the router discover option)
d.) Default: 2, DHCP-controlled but off by default.
e.) Recommendation: 0
f.) Description: This parameter controls whether Windows 2000 attempts to perform router discovery per RFC 1256 on a per-interface basis. See also SolicitationAddressBcast
9. EnableICMPRedirects
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD
c.) Valid Range: 0, 1 (False, True)
d.) Default: 1 (True)
e.) Recommendation: 0 (False)
f.) Description: This parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages that are sent to it by network devices such as a routers.
RESULTS WILL VARY
No matter how good your systems may be, they're only as effective as what you put into them.
HKEY_LOCAL_MACHINE
\SYSTEM
\CurrentControlSet
\Services:
\Tcpip
\Parameters
1. SynAttackProtect
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD
c.) Valid Range: 0, 1, 2
0 (no synattack protection)
1 (reduced retransmission retries and delayed RCE (route cache entry) creation if
the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied.)
2 (in addition to 1 a delayed indication to Winsock is made.)
Note: When the system finds itself under attack the following options on any socket can no longer be enabled : Scalable windows (RFC 1323) and per adapter configured TCP parameters (Initial RTT, window size). This is because when protection is functioning the route cache entry is not queried before the SYN-ACK is sent and the Winsock options are not available at this stage of the connection.
d.) Default: 0 (False)
e.) Recommendation: 2
f.) Description: Synattack protection involves reducing the amount of retransmissions for the SYN-ACKS, which will reduce the time for which resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made. If synattackprotect = 2, then the connection indication to AFD is delayed until the three-way handshake is completed. Also note that the actions taken by the protection mechanism only occur if TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded
2. TcpMaxHalfOpen
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Number
c.) Valid Range: 100–0xFFFF
d.) Default: 100 (Professional, Server), 500 (advanced server)
e.) Recommendation: default
f.) Description: This parameter controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen backlog on the port you want to protect(see Backlog Parameters for more information). See the SynAttackProtect parameter for more details
3. TcpMaxHalfOpenRetried
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Number
c.) Valid Range: 80–0xFFFF
d.) Default: 80 (Professional, Server), 400 (Advanced Server)
e.) Recommendation: default
f.) Description: This parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-ATTACK attack protection begins to operate. See the SynAttackProtect parameter for more details.
4. EnablePMTUDiscovery
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Boolean
c.) Valid Range: 0, 1 (False, True)
d.) Default: 1 (True)
e.) Recommendation: 0
f.) Description: When this parameter is set to 1 (True) TCP attempts to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections that are not to hosts on the local subnet
5. NoNameReleaseOnDemand
a.) Key: Netbt\Parameters
b.) Value Type: REG_DWORD—Boolean
c.) Valid Range: 0, 1 (False, True)
d.) Default: 0 (False)
e.) Recommendation: 1
f.) Description: This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to allow the administrator to protect the machine against malicious name-release attacks
6. EnableDeadGWDetect
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Boolean
c.) Valid Range: 0, 1 (False, True)
e.) Default: 1 (True)
f.) Recommendation: 0
g.) Description: When this parameter is 1, TCP is allowed to perform dead-gateway detection. With this feature enabled, TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways may be defined in the Advanced section of the TCP/IP configuration dialog in the Network Control Panel. See the "Dead Gateway Detection" section in this paper for details
7. KeepAliveTime
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD—Time in milliseconds
c.) Valid Range: 1–0xFFFFFFFF
d.) Default: 7,200,000 (two hours)
e.) Recommendation: 300,000
f.) Description: The parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by an application
8. PerformRouterDiscovery
a.) Key: Tcpip\Parameters\Interfaces b.) Value Type: REG_DWORD
c.) Valid Range: 0,1,2
0 (disabled)
1 (enabled)
2 (enable only if DHCP sends the router discover option)
d.) Default: 2, DHCP-controlled but off by default.
e.) Recommendation: 0
f.) Description: This parameter controls whether Windows 2000 attempts to perform router discovery per RFC 1256 on a per-interface basis. See also SolicitationAddressBcast
9. EnableICMPRedirects
a.) Key: Tcpip\Parameters
b.) Value Type: REG_DWORD
c.) Valid Range: 0, 1 (False, True)
d.) Default: 1 (True)
e.) Recommendation: 0 (False)
f.) Description: This parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages that are sent to it by network devices such as a routers.
RESULTS WILL VARY
No matter how good your systems may be, they're only as effective as what you put into them.
posted by Chancellor Bear at 8:19 PM
0 Comments:
Post a Comment
<< Home