
SynAttackProtect


Windows 2003 introduced major changes to how TCP/IP communications are handled. One of these was to protect against the hacker attacks being perpetrated against networks at the turn of the century.

Microsoft Windows 2003 handles TCP/IP communications.

We have seen this change by Microsoft affect the communications between the Dispatcher and the Radio Server. The Dispatcher was opening lots of TCP/IP sockets on the Radio Server, leading the Microsoft Windows 2003 TCP/IP handler to decide it was dealing with a denial of service attack; under these circumstances, the Microsoft Windows 2003 TCP/IP handler acts “erratically” to deceive the attacker. In our case, it was messing up the Dispatcher recovery code, compounding the problem even further.

The solution was to change the SynAttackProtect registry setting, which tells Microsoft Windows 2003 whether to accept and handle the socket requests normally. See below for a more detailed explanation of this registry setting.

All SPARCS customers, if running Windows 2003, should ensure their SynAttackProtect registry setting is set to 0.

Enhancements to TCP/IP

TCP/IP in Windows Server 2003 SP1 has the following enhancements:

- SYN attack protection is enabled by default

- SYN attack notification IP Helper APIs

- Smart TCP port allocation

- Registry setting for ICMP host routes

SYN attack protection is enabled by default

A TCP Synchronize (SYN) attack is a denial-of-service attack that exploits the retransmission and time-out behavior of the Synchronize-Acknowledgement (SYN-ACK) segment during the TCP three-way handshake to create a large number of half-open TCP connections. Depending on the TCP/IP protocol implementation, a large number of half-open TCP connections could do any of the following:

- Use all available memory.

- Use all possible entries in the TCP Transmission Control Block (TCB), an internal table used to track TCP connections. Once the half-open connections use all the entries, further connection attempts are responded to with a TCP connection reset.

- Use all available half-open connections. Once all the half-open connections are used, further connection attempts are responded to with a TCP connection reset.

To create a large number of TCP half-open connections, attackers send a large number of SYN segments, each from a spoofed IP address and TCP port number. Each spoofed IP address and TCP port number is for a process that does not respond to the SYN-ACKs being sent by the attacked host. SYN attacks are typically used to render Internet servers inoperative.

To mitigate the impact on a host experiencing a SYN attack, TCP/IP minimizes the amount of resources devoted to incomplete TCP connections and reduces the amount of time before abandoning half-open connections. When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.

You can control SYN attack protection through the SynAttackProtect registry entry (type REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters. You set SynAttackProtect to 0 to disable SYN attack protection and to 1 to enable it.

For TCP/IP in Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to 0 by default. For TCP/IP in Windows Server 2003 SP1, SynAttackProtect is set to 1 by default.

For more information about TCP connection behavior and related registry entries, see Microsoft Windows Server 2003 TCP/IP Implementation Details (Microsoft download, FamilyID=06c60bfe-4d37-4f50-8587-8b68d32fa6ee&displaylang=en).

How to modify or verify what the SynAttackProtect parameter is set to

Registry key we are working in:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (value type REG_DWORD)

1. Start > Run > type regedit > select OK

2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

3. Right click on SynAttackProtect and select Modify.

4. Ensure the Value data is set to 0 (zero), or change the value to 0 (zero), and press OK.

5. Restart your computer for the setting to take effect.

How to create the SynAttackProtect parameter if it is not listed

Registry key we are working in:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (value type REG_DWORD)

1. Start > Run > type regedit > select OK

2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

3. Right click in the free space in the right-hand pane

4. Select New > DWORD Value

5. A parameter named New Value #1 will appear

a. Right click on the new value and rename it to SynAttackProtect

b. Right click on SynAttackProtect and select Modify.

c. Ensure the Value data is set to 0 (zero), or change the value to 0 (zero), and press OK.

d. Restart your computer for the setting to take effect.
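The two regedit procedures above (verify/modify, and create if missing), as an added PowerShell script that is not part of the original SPARCS note: it reads SynAttackProtect, creates the REG_DWORD when it is absent, sets it to 0 and reports whether a restart is still needed. It assumes PowerShell is installed on the Windows Server 2003 host and that the script is run from an administrative shell; the closing netstat check of half-open connections is an added diagnostic, not a step the note prescribes.

```powershell
# Added example, not part of the original note. Assumes PowerShell is installed
# on the Windows Server 2003 host and this runs in an elevated shell.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'SynAttackProtect'
$Desired   = 0   # 0 = SYN attack protection disabled (what this note requires), 1 = enabled

function Get-SynAttackProtect {
    # Returns the current DWORD, or $null when the value does not exist yet.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-SynAttackProtect([int]$Value) {
    # Create the REG_DWORD if it is not listed (second procedure),
    # otherwise modify it in place (first procedure).
    if ($null -eq (Get-SynAttackProtect)) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
        Write-Host "Created $ValueName = $Value"
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value
        Write-Host "Set $ValueName = $Value"
    }
}

$current = Get-SynAttackProtect
if ($null -eq $current) {
    # Absent value: the OS default applies (1 on Server 2003 SP1, 0 with no service pack).
    Write-Host "$ValueName is not present; the operating-system default applies"
} else {
    Write-Host "$ValueName is currently $current"
}

if ($current -ne $Desired) {
    Set-SynAttackProtect $Desired
    Write-Host 'Restart the computer for the new setting to take effect.'
} else {
    Write-Host 'No change needed.'
}

# Added diagnostic: count half-open (SYN_RECEIVED) connections per remote address,
# the condition that makes the TCP/IP stack conclude it is under a SYN attack.
netstat -an | Select-String 'SYN_RECEIVED' | ForEach-Object {
    ($_.Line.Trim() -split '\s+')[2] -replace ':\d+$', ''   # remote address without port
} | Group-Object | Sort-Object Count -Descending | Select-Object -First 5 Count, Name
```

A high SYN_RECEIVED count coming from the Dispatcher host is the symptom described at the top of this note; after the reboot the count should stay low because the stack no longer enters its SYN attack handling.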
