Endpoint Protection

How to combat DoS attacks without any firewall in Windows? 

Aug 17, 2010 04:08 AM


As you all might know, a DoS attack of this kind is one where the attacker repeatedly sends SYN packets to you. With a firewall or IPS in front of the machine you are covered. Without a firewall you can still enable protection, and that is what this post is about.

You will have heard of the TCP/IP service in Windows. By changing a few parameters of the TCP/IP service in the registry we are going to enable SYN-flood (DoS) protection.

  1. Run regedit.exe
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
  3. From the Edit menu, select New, DWORD Value.
  4. Enter the name TcpMaxHalfOpen, then press Enter.
  5. Double-click the new value, set it to 100, then click OK.
  6. Enter the name TcpMaxHalfOpenRetried, then press Enter.
  7. Double-click the new value, set it to 80, then click OK.
  8. Enter the name SynAttackProtect, then press Enter.
  9. Double-click the new value, set it to 1, then click OK.
  10. Reboot the machine.

When SynAttackProtect is 0, no protection is applied. A value of 1 delays notification of the new connection until the three-way handshake started by the received SYN packet has completed. This protection is only invoked once the number of half-open connections exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values. Both of those values can be changed, and I strongly recommend testing different settings in your environment before choosing the best ones.
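The same change as a script, added here as an example and not part of the original article: it reports the current state of the three values, writes the article's numbers as REG_DWORDs, and counts half-open (SYN_RECEIVED) connections so the thresholds can be tuned as the author recommends. It assumes an elevated PowerShell session and a Windows version whose TCP/IP stack still honours these parameters (the XP / Server 2003 stack; later versions have SYN protection built in and ignore them).

```powershell
# Added example, not from the original post. Key path and value names are
# those given in the article; the numbers are the article's starting point.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$SynProtection = @{
    SynAttackProtect      = 1    # 0 = off, 1 = delay notification until the handshake completes
    TcpMaxHalfOpen        = 100  # half-open connections allowed before protection engages
    TcpMaxHalfOpenRetried = 80   # half-open connections with a retransmitted SYN-ACK before it engages
}

function Get-SynAttackSettings {
    # Returns the current value of each parameter; '(not set)' means the stack default applies.
    $current = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
    foreach ($name in $SynProtection.Keys) {
        [pscustomobject]@{
            Name    = $name
            Current = if ($null -ne $current.$name) { $current.$name } else { '(not set)' }
            Desired = $SynProtection[$name]
        }
    }
}

function Set-SynAttackSettings {
    # Creates or updates each REG_DWORD. Requires administrator rights; a reboot
    # is still needed afterwards, exactly as in the manual steps above.
    foreach ($name in $SynProtection.Keys) {
        $value = $SynProtection[$name]
        if (Get-ItemProperty -Path $TcpipParams -Name $name -ErrorAction SilentlyContinue) {
            Set-ItemProperty -Path $TcpipParams -Name $name -Value $value -Type DWord
        } else {
            New-ItemProperty -Path $TcpipParams -Name $name -Value $value -PropertyType DWord | Out-Null
        }
    }
    Write-Host 'Values written; reboot for the TCP/IP stack to pick them up.'
}

function Get-HalfOpenCount {
    # Number of connections currently stuck in SYN_RECEIVED. Watching this under
    # normal load shows whether 100 / 80 are sensible thresholds for this host.
    @(netstat -an -p tcp | Select-String 'SYN_RECEIVED').Count
}

Get-SynAttackSettings | Format-Table -AutoSize
"Half-open connections right now: $(Get-HalfOpenCount)"
# Uncomment to apply the article's values:
# Set-SynAttackSettings
```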

Comments

Aug 30, 2010 01:18 AM


You could refer to another article that explains this in detail:
https://www-secure.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks

I am sorry, I don't have an answer for your second question - why Microsoft didn't make it the default setting.

Aug 30, 2010 01:15 AM

Vishal,
To understand how TcpMaxHalfOpen and TcpMaxHalfOpenRetried affect the DoS protection is beyond the scope of my article. Anybody who understands DoS will understand these terms, as they are self-explanatory. And yes, SEP is not required to turn on this feature.

Aug 29, 2010 01:07 PM

Very informative, Prashant. Excellent work.

Would like to see more articles from you

Aug 21, 2010 06:50 PM

Could you detail a little how this will work? If we can protect against DoS with such a simple change, why would Microsoft not make it the system default setting?
Thanks

Aug 21, 2010 11:30 AM

Good job Prashant

Aug 21, 2010 11:29 AM

Hey Vishal, what does Exoplanation mean?

Aug 20, 2010 07:21 AM

Hi,
Could you please explain exactly what adding these registry entries does?

"Value 1 indicates to delay the response Notification until three way handshake is complete by the received by the SYN packet. By default, this is not invoked until it exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values"

I can understand that setting the value 1 for the SYN packet means that you are protected. But then I need to know: how does it affect what values are set for TcpMaxHalfOpen and TcpMaxHalfOpenRetried?

Exoplanation is greatly appreciated...

Also, it looks like these are Windows operating system settings. Even if you do not have SEP, will it still prevent a DoS attack?
