How To: Harden the TCP/IP Stack


Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Last Revised: January 2006

Applies to:

  • Microsoft Windows® 2000 operating system

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: You can configure various TCP/IP parameters in the Windows registry in order to protect against network-level denial of service attacks including SYN flood attacks, ICMP attacks and SNMP attacks. You can configure registry keys to:

  • Enable SYN flood protection when an attack is detected.
  • Set threshold values that are used to determine what constitutes an attack.

This How To shows an administrator which registry keys and which registry values must be configured to protect against network-based denial of service attacks.

Note   These settings modify the way TCP/IP works on your server. The characteristics of your Web server will determine the best thresholds to trigger denial of service countermeasures. Some values may be too restrictive for your client connections. Test this document's recommendations before you deploy to a production server.

Contents

This How To is divided into sections that address specific types of denial of service protections that apply to the network. Those sections are:

  • What You Must Know
  • Protect Against SYN Attacks
  • Protect Against ICMP Attacks
  • Protect Against SNMP Attacks
  • AFD.SYS Protections
  • Additional Protections
  • Pitfalls
  • Additional Resources

What You Must Know

TCP/IP is an inherently insecure protocol. However, the Windows 2000 and Windows Server 2003 implementations let you configure its operation to counter network denial of service attacks. Some of the keys and values referred to in this How To do not exist by default. In those cases, create the key and the value and set the value data. Every value described here is a REG_DWORD, as the tables indicate; create it with that type rather than as a string.

For more details about the TCP/IP network settings that the registry for Windows 2000 controls, see the white paper "Microsoft Windows 2000 TCP/IP Implementation Details" at https://www.microsoft.com/technet/solutionaccelerators/network/deploy/depovg/tcpip2k.mspx.

Note   This How To is specific to Windows 2000. For information on how to harden the TCP/IP stack in Windows Server 2003, see "How to harden the TCP/IP stack against Denial of Service Attacks in Windows Server 2003."

Protect Against SYN Attacks

A SYN attack exploits the TCP three-way handshake. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN segments and never completes the handshake, so the server's queue of half-open (SYN_RCVD) connections fills up. While the queue is full, legitimate users cannot establish new connections.

To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

  • Enable SYN attack protection
  • Set SYN protection thresholds
  • Set additional protections

Enable SYN Attack Protection

The named value that enables SYN attack protection is located beneath the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0, 1, 2

Description: Causes TCP to reduce the number of SYN-ACK retransmissions, so that half-open connections time out more quickly when an attack is in progress. Protection is engaged when the TcpMaxHalfOpen or TcpMaxHalfOpenRetried threshold is exceeded, or when TcpMaxPortsExhausted connection requests have been refused. A value of 0 disables the protection. A value of 1 limits SYN-ACK retransmissions. A value of 2 additionally delays the connection indication to Winsock and the creation of the route cache entry until the three-way handshake has completed, which is why 2 is recommended. Note that while protection is active, the scalable window option (RFC 1323) and per-adapter TCP parameters are not honored on new connections.

Set SYN Protection Thresholds

The following values determine the thresholds at which SYN protection is triggered. All of the values in this section are under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These values are:

  • Value name: TcpMaxPortsExhausted

    Recommended value: 5

    Valid values: 0–65535

    Description: Specifies the number of connection requests that the system must refuse, because a listening endpoint's backlog is full, before SYN flood protection is triggered.

  • Value name: TcpMaxHalfOpen

    Recommended value data: 500

    Valid values: 100–65535

    Description: When SynAttackProtect is enabled, this value specifies the number of TCP connections that may be in the SYN_RCVD state. When this threshold is exceeded, SYN flood protection is triggered.

  • Value name: TcpMaxHalfOpenRetried

    Recommended value data: 400

    Valid values: 80–65535

    Description: When SynAttackProtect is enabled, this value specifies the number of TCP connections that may be in the SYN_RCVD state with at least one SYN-ACK retransmission sent. When this threshold is exceeded, SYN flood protection is triggered. Set this value lower than TcpMaxHalfOpen, as the recommended values are.

Set Additional Protections

All the values in this section are located under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These values are:

  • Value name: TcpMaxConnectResponseRetransmissions

    Recommended value data: 2

    Valid values: 0–255

    Description: Controls how many times a SYN-ACK is retransmitted before the attempt is abandoned when responding to a SYN request. Lowering it shortens the time a half-open connection occupies a queue slot, at the cost of clients on slow or lossy links.

  • Value name: TcpMaxDataRetransmissions

    Recommended value data: 2

    Valid values: 0–65535

    Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before it aborts the connection. The retransmission timeout doubles on each attempt, so a low value drops connections on lossy links sooner.

  • Value name: EnablePMTUDiscovery

    Recommended value data: 0

    Valid values: 0, 1

    Description: Setting this value to 1 (the default) causes TCP to discover the maximum transmission unit (the largest packet size) over the path to a remote host. An attacker can send ICMP Fragmentation Needed messages that advertise a very small MTU, forcing the server to fragment a large number of packets and overworking the stack. Specifying 0 disables discovery and forces an MTU of 576 bytes for connections to hosts not on the local subnet, which costs throughput on paths that could carry larger packets.

  • Value name: KeepAliveTime

    Recommended value data: 300000

    Valid values: 80–4294967295

    Description: Specifies how often, in milliseconds, TCP sends a keep-alive packet to verify that an idle connection is still intact, for sockets that have enabled keep-alives. The default is 7200000 (2 hours); 300000 reclaims abandoned connections after 5 minutes.

Set NetBIOS Protections

All the values in this section are located under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters. These values are:

  • Value name: NoNameReleaseOnDemand

    Recommended value data: 1

    Valid values: 0, 1

    Description: Specifies whether the computer releases its NetBIOS name when it receives a name-release request from the network. A value of 1 ignores such requests, so an attacker cannot force the server to give up its name and become unreachable by NetBIOS name.

Use the values that are summarized in Table 1 for maximum protection.

Table 1   Recommended Values

Value Name                              Value (REG_DWORD)
SynAttackProtect                        2
TcpMaxPortsExhausted                    5
TcpMaxHalfOpen                          500
TcpMaxHalfOpenRetried                   400
TcpMaxConnectResponseRetransmissions    2
TcpMaxDataRetransmissions               2
EnablePMTUDiscovery                     0
KeepAliveTime                           300000 (5 minutes)
NoNameReleaseOnDemand                   1
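As an added example (not code from the original How To), the following PowerShell applies the Table 1 values as REG_DWORDs, creating any value that is absent, and first records the current state so the change can be rolled back. It assumes a Windows version that ships PowerShell and an elevated session; Windows 2000 itself has no PowerShell, and there the same keys and values are set with regedit or reg.exe. The backup file location is an assumption for illustration.

```powershell
# Added example, not part of the original How To. Applies the Table 1 values
# with a backup for rollback. Assumes PowerShell and an elevated session;
# the backup path is an assumed location.
#Requires -RunAsAdministrator

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'

# Table 1 values; every one of them is a REG_DWORD.
$Recommended = @(
    @{ Path = $Tcpip; Name = 'SynAttackProtect';                     Value = 2 }
    @{ Path = $Tcpip; Name = 'TcpMaxPortsExhausted';                 Value = 5 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpen';                       Value = 500 }
    @{ Path = $Tcpip; Name = 'TcpMaxHalfOpenRetried';                Value = 400 }
    @{ Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 }
    @{ Path = $Tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 2 }
    @{ Path = $Tcpip; Name = 'EnablePMTUDiscovery';                  Value = 0 }
    @{ Path = $Tcpip; Name = 'KeepAliveTime';                        Value = 300000 }
    @{ Path = $Netbt; Name = 'NoNameReleaseOnDemand';                Value = 1 }
)

$BackupFile = 'C:\Temp\tcpip-hardening-backup.json'   # assumed location

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent, which is the normal
    # state for most of these values on a fresh install.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Backup-CurrentValues {
    # Record what is there now, including "absent", so the change can be undone.
    $state = foreach ($r in $Recommended) {
        [pscustomobject]@{ Path = $r.Path; Name = $r.Name; Value = (Get-RegDword $r.Path $r.Name) }
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $BackupFile) | Out-Null
    $state | ConvertTo-Json | Set-Content -Path $BackupFile
    return $state
}

function Set-HardeningValues {
    foreach ($r in $Recommended) {
        if (-not (Test-Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
        $current = Get-RegDword $r.Path $r.Name
        if ($current -eq $r.Value) { continue }      # already compliant, leave it alone
        # -Force creates the value if it is missing and overwrites it otherwise,
        # always as REG_DWORD, so a stray REG_SZ of the same name is replaced.
        New-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value -PropertyType DWord -Force | Out-Null
        $shown = if ($null -eq $current) { '<absent>' } else { $current }
        Write-Host ("{0}\{1}: {2} -> {3}" -f $r.Path, $r.Name, $shown, $r.Value)
    }
}

function Restore-BackupValues {
    # Undo: put back the recorded data, or delete the value if it did not exist.
    foreach ($s in (Get-Content $BackupFile | ConvertFrom-Json)) {
        if ($null -eq $s.Value) {
            Remove-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $s.Path -Name $s.Name -Value ([int]$s.Value) -PropertyType DWord -Force | Out-Null
        }
    }
}

Backup-CurrentValues | Format-Table -AutoSize
Set-HardeningValues
# The TCP/IP driver reads these parameters when it starts: restart to apply them.
```

Run it once, review the printed before/after pairs, and restart so the TCP/IP driver reads the new parameters. Restore-BackupValues puts the recorded state back, deleting the values that did not exist before the change.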

Protect Against ICMP Attacks

The named value in this section is under the registry key HKLM\System\CurrentControlSet\Services\TcpIp\Parameters.

Value name: EnableICMPRedirect

Recommended value data: 0

Valid values: 0 (disabled), 1 (enabled)

Description: When this value is 1, an ICMP redirect message causes the host to add a host route to its routing table. Redirects are not authenticated, so an attacker on the local segment can spoof them to steer the server's traffic through a host of their choosing or to fill the routing table with spurious routes. Setting the value to 0 ignores redirects and prevents the creation of these expensive host routes.

Use the value summarized in Table 2 for maximum protection.

Table 2   Recommended Values

Value Name            Value (REG_DWORD)
EnableICMPRedirect    0

Protect Against SNMP Attacks

The named value in this section is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Value name: EnableDeadGWDetect

Recommended value data: 0

Valid values: 0 (disabled), 1 (enabled)

Description: Dead gateway detection lets TCP switch to a backup default gateway when a number of connections suffer retransmission failures. An attacker who can induce those failures can force the server to switch to a secondary gateway, possibly one the attacker controls. Setting the value to 0 disables dead gateway detection.

Use the value summarized in Table 3 for maximum protection.

Table 3   Recommended Values

Value Name            Value (REG_DWORD)
EnableDeadGWDetect    0

AFD.SYS Protections

The following values specify parameters for the kernel-mode driver Afd.sys, which supports Windows Sockets applications. All of the values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters. These values are:

  • Value name: EnableDynamicBacklog

    Recommended value data: 1

    Valid values: 0 (disabled), 1 (enabled)

    Description: Enables the dynamic backlog feature, which lets Afd.sys withstand large numbers of SYN_RCVD connections efficiently by growing the pool of free connection objects on demand. The remaining values in this section take effect only when this value is 1. For more information, see "Internet Server Unavailable Because of Malicious SYN Attacks," at https://support.microsoft.com/default.aspx?scid=kb;en-us;142641.

  • Value name: MinimumDynamicBacklog

    Recommended value data: 20

    Valid values: 0–4294967295

    Description: Specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.

  • Value name: MaximumDynamicBacklog

    Recommended value data: 20000

    Valid values: 0–4294967295

    Description: Specifies the maximum total of free connections plus connections in the SYN_RCVD state. A larger value lets the server absorb a bigger flood at the cost of kernel memory.

  • Value name: DynamicBacklogGrowthDelta

    Recommended value data: 10

    Valid values: 0–4294967295

    Present by default: No

    Description: Specifies the number of free connections to create each time the pool falls below MinimumDynamicBacklog.

Use the values summarized in Table 4 for maximum protection.

Table 4   Recommended Values

Value Name                   Value (REG_DWORD)
EnableDynamicBacklog         1
MinimumDynamicBacklog        20
MaximumDynamicBacklog        20000
DynamicBacklogGrowthDelta    10

Additional Protections

All of the values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Protect Screened Network Details

Network Address Translation (NAT) is used to screen a network from incoming connections. An attacker can circumvent this screen and map the network topology by using IP source routing.

Value name: DisableIPSourceRouting

Recommended value data: 1

Valid values: 0 (forward all packets), 1 (do not forward source-routed packets), 2 (drop all incoming source-routed packets)

Description: Controls how the stack treats IP source routing, an IP option that lets the sender determine the route a datagram takes through the network. A value of 1 stops the host from forwarding source-routed packets; a value of 2 is stricter and also drops source-routed packets addressed to the host itself.

Do Not Forward Packets Destined for Multiple Hosts

Multicast packets may be answered by many hosts, so forwarding them can flood a network with responses.

Value name: EnableMulticastForwarding

Recommended value data: 0

Valid values: 0 (false), 1 (true)

Description: The routing service uses this parameter to control whether IP multicast datagrams are forwarded. This parameter is created by the Routing and Remote Access Service.

Only Firewalls Forward Packets Between Networks

A multi-homed server must not forward packets between the networks it is connected to; the obvious exception is a firewall.

Value name: IPEnableRouter

Recommended value data: 0

Valid values: 0 (false), 1 (true)

Description: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected, which turns the server into a path from one network into another.

Mask Network Topology Details

The subnet mask of a host can be requested with an ICMP address mask request. This disclosure by itself is harmless; however, the responses of multiple hosts can be combined to build a map of the internal network.

Value name: EnableAddrMaskReply

Recommended value data: 0

Valid values: 0 (false), 1 (true)

Description: This parameter controls whether the computer responds to an ICMP address mask request.

Use the values summarized in Table 5 for maximum protection.

Table 5   Recommended Values

Value Name                   Value (REG_DWORD)
DisableIPSourceRouting       1
EnableMulticastForwarding    0
IPEnableRouter               0
EnableAddrMaskReply          0
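As an added example that is not part of the original How To, the following PowerShell audits the live registry against every value in Tables 1 through 5 without changing anything. It reports each value's registry type as well as its data, so a setting typed in as a string rather than a REG_DWORD shows up as drift, and it treats an absent value as non-compliant, since the driver then uses its built-in default instead of the hardened setting. It assumes a Windows host with PowerShell (Windows 2000 itself has none).

```powershell
# Added example, not code from the original How To. Read-only audit of the
# Table 1-5 recommendations; nothing is written. Assumes PowerShell is present.
# Exit code 1 signals drift, for use from a scheduled task or build check.

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'
$Afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

$Baseline = @(
    # Table 1: SYN flood protection
    @{ Table = 1; Path = $Tcpip; Name = 'SynAttackProtect';                     Value = 2 }
    @{ Table = 1; Path = $Tcpip; Name = 'TcpMaxPortsExhausted';                 Value = 5 }
    @{ Table = 1; Path = $Tcpip; Name = 'TcpMaxHalfOpen';                       Value = 500 }
    @{ Table = 1; Path = $Tcpip; Name = 'TcpMaxHalfOpenRetried';                Value = 400 }
    @{ Table = 1; Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 }
    @{ Table = 1; Path = $Tcpip; Name = 'TcpMaxDataRetransmissions';            Value = 2 }
    @{ Table = 1; Path = $Tcpip; Name = 'EnablePMTUDiscovery';                  Value = 0 }
    @{ Table = 1; Path = $Tcpip; Name = 'KeepAliveTime';                        Value = 300000 }
    @{ Table = 1; Path = $Netbt; Name = 'NoNameReleaseOnDemand';                Value = 1 }
    # Table 2: ICMP redirects
    @{ Table = 2; Path = $Tcpip; Name = 'EnableICMPRedirect';                   Value = 0 }
    # Table 3: dead gateway detection
    @{ Table = 3; Path = $Tcpip; Name = 'EnableDeadGWDetect';                   Value = 0 }
    # Table 4: Afd.sys dynamic backlog
    @{ Table = 4; Path = $Afd;   Name = 'EnableDynamicBacklog';                 Value = 1 }
    @{ Table = 4; Path = $Afd;   Name = 'MinimumDynamicBacklog';                Value = 20 }
    @{ Table = 4; Path = $Afd;   Name = 'MaximumDynamicBacklog';                Value = 20000 }
    @{ Table = 4; Path = $Afd;   Name = 'DynamicBacklogGrowthDelta';            Value = 10 }
    # Table 5: routing and topology disclosure
    @{ Table = 5; Path = $Tcpip; Name = 'DisableIPSourceRouting';               Value = 1 }
    @{ Table = 5; Path = $Tcpip; Name = 'EnableMulticastForwarding';            Value = 0 }
    @{ Table = 5; Path = $Tcpip; Name = 'IPEnableRouter';                       Value = 0 }
    @{ Table = 5; Path = $Tcpip; Name = 'EnableAddrMaskReply';                  Value = 0 }
)

function Get-ValueState {
    param([string]$Path, [string]$Name)
    # Returns the value's data and registry type, or 'absent' if it is not set.
    if (-not (Test-Path $Path)) { return @{ Data = $null; Kind = 'absent' } }
    $key = Get-Item -Path $Path
    if ($key.GetValueNames() -notcontains $Name) { return @{ Data = $null; Kind = 'absent' } }
    # GetValueKind exposes the registry type, so a value entered by hand as
    # REG_SZ ('2' rather than 2) is flagged instead of passing on its data alone.
    return @{ Data = $key.GetValue($Name); Kind = $key.GetValueKind($Name).ToString() }
}

function Test-TcpipHardening {
    $report = foreach ($b in $Baseline) {
        $s = Get-ValueState -Path $b.Path -Name $b.Name
        # -and short-circuits, so the cast only runs when the type is DWord.
        $ok = ($s.Kind -eq 'DWord') -and ([int64]$s.Data -eq $b.Value)
        [pscustomobject]@{
            Table     = $b.Table
            Name      = $b.Name
            Expected  = $b.Value
            Actual    = $(if ($s.Kind -eq 'absent') { '<absent>' } else { $s.Data })
            Type      = $s.Kind
            Compliant = $ok
        }
    }
    return $report
}

$result = Test-TcpipHardening
$result | Format-Table -AutoSize
$drift = @($result | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} values differ from the recommendation." -f $drift.Count, $result.Count)
exit $(if ($drift.Count -gt 0) { 1 } else { 0 })
```

Because the audit is read-only it can run under a non-administrative account; pair it with the Pitfalls section below, since a value that is intentionally relaxed for slow clients will be reported as drift until the baseline array is adjusted to match the tested setting.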

Pitfalls

When you test these changes, test against the network volumes you expect in production. These settings change the thresholds of what the stack considers normal and deviate from the tested defaults. Some may be too narrow to support clients reliably when connection quality varies greatly; the reduced retransmission counts and the fixed 576-byte MTU are the usual culprits. The TCP/IP driver reads these parameters at start-up, so restart the server after changing them, and keep a record of the previous values so that a change can be reverted.

Additional Resources

For additional reading about TCP/IP, refer to the following resources:


© Microsoft Corporation. All rights reserved.