How to protect your Windows server from SYN flood?

(Is your server's network not living up to its potential? Order a server from us with promo code PACKETS for 15% off your first invoice)

SYN flooding attack protection of TCP/IP (SYNAttackProtect) for Windows Servers was added as an optional security measure in Windows 2000. In that OS version, network administrators can use a host of registry keys to configure this security feature. In the Windows 2003 Service Pack 1 update however, SYN flooding attack protection was no longer optional. It has been enabled by default and could not be disabled.

  • Windows Server 2003 R2 – SYN flooding attack protection is enabled by default
  • Windows Server 2008 – SYN flooding attack protection is enabled by default but there are other registry configurations independent sources recommend to catch spoofed traffic that may slip from SYNAttackProtect:


IMPORTANT

  1. Back up your server and registry settings before you begin with any registry edits.
  2. Test the changes in a non-production environment before you apply them on your production servers.


To begin, open your registry editor and go to this registry path:

HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

Change the values of the following data to set up the specified rules:

Rules Value Name Data Type Set Value To
To disable IP-source routed packets and stop them from being accepted DisableIPSourceRouting REG_DWORD 2
To disable all IP forwarding between interfaces IPEnableRouter REG_DWORD 0
To enable the SYN flooding attack protect function when three (3) half-open connections are detected SynAttackProtect REG_DWORD 3
To set any SYN/ACK handshake to time out at three (3) seconds and drop the connection at nine (9) seconds TcpMaxConnectResponseRetransmissions REG_DWORD 1
To limit the total number of half-open connections allowed by the system at any given time TcpMaxHalfOpen REG_DWORD 500
To fix the number of half-open connections allowed by the system at any given time TcpMaxHalfOpenRetried REG_DWORD 400

 

  • Windows Server 2008 R2 - To check if the SYN flooding attack protection is running, check your Event Trace Log (ETL) files and find the relevant TCP/IP entry. Use an elevated command prompt to run the said trace log:

     netsh trace start capture=yes provider=Microsoft-Windows-TCPIP level=0x05 tracefile=TCPIP.etl

To stop the ETL trace, run:

     netsh trace stop

  • 87 Корисниците го најдоа ова како корисно
Дали Ви помогна овој одговор?

Понудени резултати

Advanced Network Troubleshooting: Using traceroute

(Is your server's network not living up to its potential? Order a server from us with promo code...

Advanced Network Troubleshooting: Using Telnet

(Is your server's network not living up to its potential? Order a server from us with promo code...

Advanced Network Troubleshooting: Using My Traceroute (MTR)

(Is your server's network not living up to its potential? Order a server from us with promo code...

Basic Network Troubleshooting

(Is your server's network not living up to its potential? Order a server from us with promo code...

Basic Performance Analysis

(Is your server not living up to its potential? Order a server from us with promo code PACKETS...