- Denial of service (DoS) attacks are network attacks that are aimed at making a computer or a particular service on a computer unavailable to network users.
- Denial of service attacks can be difficult to defend against. To help prevent denial of service attacks, you can use one or both of the following methods:

TCP/IP Registry Values That Harden the TCP/IP Stack

- Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- The following list explains the TCP/IP-related registry values that you can configure to harden the TCP/IP stack on computers that are directly connected to the Internet.
- All of these values should be created under the following registry key, unless otherwise noted: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- Value name: SynAttackProtect
  - Key: Tcpip\Parameters
  - Value Type: REG_DWORD
  - Valid Range: 0,1
  - Default: 0
- This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly during a SYN attack (a type of denial of service attack).
- The following parameters can be used with this registry value:
  - 0 (default value): No SYN attack protection
  - 1: Set SynAttackProtect to 1 for better protection against SYN attacks.
- This parameter causes TCP to adjust the retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if the system detects that a SYN attack is in progress.
- Windows uses the following values to determine whether an attack is in progress:
  - TcpMaxPortsExhausted
  - TCPMaxHalfOpen
  - TCPMaxHalfOpenRetried
- Note: In Windows Server 2003 Service Pack 1, the default value for the SynAttackProtect registry entry is 1.
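
A read-then-set check for the SynAttackProtect value described above, as an added example that is not part of the original article or Microsoft's own code. The function name `Test-SynAttackProtect` and its `-Apply` switch are hypothetical; the key path, value name, type and range are the ones given on this page.

```powershell
# Added example: audit SynAttackProtect and optionally set it to 1.
# Test-SynAttackProtect and -Apply are hypothetical names chosen for this example.
function Test-SynAttackProtect {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Apply   # when set, write the hardened value (1)
    )

    # Key and value name as given on this page.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $name = 'SynAttackProtect'

    $key     = Get-Item -LiteralPath $path -ErrorAction Stop
    $current = $key.GetValue($name, $null)   # $null when the value is absent
    $kind    = if ($null -ne $current) { $key.GetValueKind($name) } else { $null }

    # An absent value means the OS default applies (the page gives 0,
    # or 1 on Windows Server 2003 SP1). The valid range on this page is 0,1.
    if ($null -eq $current) {
        $state = 'NotConfigured'
    } elseif ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $state = 'WrongType'       # e.g. created as REG_SZ by mistake
    } elseif ($current -eq 1) {
        $state = 'Hardened'
    } elseif ($current -eq 0) {
        $state = 'Unprotected'
    } else {
        $state = 'OutOfRange'
    }

    if ($Apply -and $state -ne 'Hardened' -and
        $PSCmdlet.ShouldProcess("$path\$name", 'Set REG_DWORD to 1')) {
        # -Force replaces an existing value, including one of the wrong type.
        New-ItemProperty -LiteralPath $path -Name $name `
            -PropertyType DWord -Value 1 -Force | Out-Null
        $current = 1
        $kind    = [Microsoft.Win32.RegistryValueKind]::DWord
        $state   = 'Hardened'
    }

    [pscustomobject]@{ Path = $path; Name = $name; Value = $current; Kind = $kind; State = $state }
}

Test-SynAttackProtect                    # report only, changes nothing
# Test-SynAttackProtect -Apply -WhatIf   # preview the write; run elevated without -WhatIf to apply
```

Export the key with `reg export` before applying so the previous state can be restored.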