SoFunction
Updated on 2025-04-13

Cleverly modify the Win2k registry to resist denial of service

Denial of service means that, after a particular attack, the target can no longer deliver the services it is supposed to provide in a timely manner: a host that should be serving web pages (HTTP) stops doing so, or a mail server (SMTP, POP3) can no longer send and receive messages. Most denial-of-service attacks work by flooding the victim's network and host with a large volume of packets until legitimate users can no longer get timely service from the host.

Start with a correct understanding of DoS and DDoS

I believe no one here is unfamiliar with these two terms: Denial of Service and Distributed Denial of Service.


Distributed denial of service, put simply, uses a volume of packets far beyond what the target can process to exhaust the available system resources and network bandwidth, paralysing network services.

Perhaps because of excessive media attention, DoS attacks, and DDoS attacks in particular, seem to have become fashionable overnight. Administrators of networks of every size now shout, almost excitedly, "I'm being DDoSed!" the moment a server goes down, with a look of glory and pride on their faces.

In reality there are not that many DDoS attacks around us; after all, launching one takes substantial resources. Real attacks do happen constantly, but most of them are ordinary denial-of-service attacks. How to defend against these ordinary-level attacks has become the most troublesome problem for many administrators, so they ask around everywhere, and the answer is usually the same: "Buy our hardware firewall."

Hardware firewalls, including dedicated anti-DoS products, are indeed good, but their base price is very high. Effective as they are, they are hard to justify when the cost of protection is weighed against what is being protected.

In fact, the operating system itself hides quite a few useful capabilities, though many of them take patient exploration to find. Here I will briefly show how to modify the registry in a Windows 2000 environment to strengthen the system's resistance to DoS.

Details:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Turn off dead-gateway detection. When the server has multiple gateways, the system will switch to a second gateway when the network is congested; turning this off prevents that switching and keeps the network path stable.

"EnableDeadGWDetect"=dword:00000000

Disable responses to ICMP redirect messages. Such packets can be abused in attacks, so the system should refuse to accept ICMP redirects. (The value name documented by Microsoft is EnableICMPRedirect, without a trailing "s".)

"EnableICMPRedirect"=dword:00000000

Do not release NetBIOS names on demand. When an attacker sends a request targeting the server's NetBIOS name, this setting stops the server from responding to it.

Note: the system must have SP2 or later installed.

"NoNameReleaseOnDemand"=dword:00000001

Send keep-alive packets. This value sets the interval (in milliseconds) at which TCP sends a keep-alive probe to check whether an idle connection is still alive. If it is not set, the system checks idle TCP connections every 2 hours. Here it is set to 5 minutes (300,000 ms = 0x493e0).

"KeepAliveTime"=dword:000493e0

Disable path MTU discovery. When the value is 1, the largest packet size the path can carry is detected automatically, which improves transmission efficiency. If that causes failures, or for security reasons, set the value to 0, which means a fixed MTU of 576 bytes is used.

"EnablePMTUDiscovery"=dword:00000000

Enable SYN attack protection. The default value 0 means protection is off; 1 and 2 enable it, with 2 giving the higher level of security. What counts as an attack, and therefore triggers protection, is determined by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried thresholds set below. Note that NT 4.0 must use 1: with the value 2, certain unusual packets cause the system to restart.

"SynAttackProtect"=dword:00000002

Maximum number of half-open connections allowed. A half-open connection is an incomplete TCP session; the netstat command shows them in the SYN_RCVD state. Here we use Microsoft's recommended values: 100 for Server and 500 for Advanced Server. Setting it a little lower is advisable.

"TcpMaxHalfOpen"=dword:00000064

Threshold for deciding that an attack is under way. Again we use Microsoft's recommended values: 80 for Server and 400 for Advanced Server.

"TcpMaxHalfOpenRetried"=dword:00000050

Set the waiting time for SYN-ACK retransmissions. The default value is 3, which keeps a half-open connection for 45 seconds in total; 2 waits 21 seconds, 1 waits 9 seconds, and the minimum 0 means no retransmission, with the attempt consuming 3 seconds. Adjust this according to the scale of the attack; Microsoft's site-security recommendation is 2.

"TcpMaxConnectResponseRetransmissions"=dword:00000001
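The 45/21/9/3-second figures quoted above follow from one model, which this added PowerShell example (not part of the original article) reproduces. It assumes the standard initial retransmission timer of 3 seconds that doubles on each retry, so a half-open connection is held for 3 + 6 + 12 + ... seconds before the stack gives up; the function name Get-SynAckHoldTime is the example's own.

```powershell
# Added example, not from the original article.
# Assumption: initial RTO of 3 s, doubled on every retransmission.
function Get-SynAckHoldTime {
    param(
        [ValidateRange(0, 255)] [int]$Retransmissions,   # TcpMaxConnectResponseRetransmissions
        [int]$InitialRtoSeconds = 3
    )
    $total = 0
    $rto   = $InitialRtoSeconds
    # One initial SYN-ACK plus $Retransmissions retries, each waiting a doubled RTO.
    for ($i = 0; $i -le $Retransmissions; $i++) {
        $total += $rto
        $rto   *= 2
    }
    return $total
}

# Each half-open entry occupies a TcpMaxHalfOpen slot for the whole hold time,
# so a lower retry count frees slots faster during a SYN flood.
foreach ($n in 3, 2, 1, 0) {
    [pscustomobject]@{
        TcpMaxConnectResponseRetransmissions = $n
        HoldSeconds                          = Get-SynAckHoldTime -Retransmissions $n
        ClosedForm                           = 3 * ([math]::Pow(2, $n + 1) - 1)   # 3 * (2^(n+1) - 1)
    }
}
```

Running the script lists 45, 21, 9 and 3 seconds for the values 3, 2, 1 and 0, matching the article's table; the closed-form column shows that the hold time roughly doubles with every extra retransmission, which is why the recommendation errs on the low side.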

Set the number of times TCP retransmits a single data segment. The default is 5, which takes 240 seconds in total; Microsoft's site-security recommendation is 3.

"TcpMaxDataRetransmissions"=dword:00000003

Set the trigger point for SYN attack protection. Once the available backlog has dropped to 0, this parameter controls when SYN attack protection is activated; Microsoft's site-security recommendation is 5.

"TcpMaxPortsExhausted"=dword:00000005

Disable IP source routing. The default value 1 means source-routed packets are not forwarded; 0 means all of them are forwarded; 2 means all received source-routed packets are discarded. Microsoft's site-security recommendation is 2.

"DisableIPSourceRouting"=dword:00000002

Limit the maximum time a connection stays in the TIME_WAIT state. The default is 240 seconds; the minimum is 30 seconds and the maximum 300 seconds. 30 seconds (0x1e) is recommended.

"TcpTimedWaitDelay"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]

Increase the NetBT connection-block increment. The default is 3 and the range is 1-20; the larger the value, the more connections can be accepted at once and the better the performance. Each connection block consumes 87 bytes.

"BacklogIncrement"=dword:00000003

Maximum NetBT connection backlog. The range is 1-40000; it is set to 1000 (0x3e8) here, and the larger the value, the more pending connections are allowed.

"MaxConnBackLog"=dword:000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters]

Enable dynamic backlog. For systems under heavy network load or susceptible to SYN attacks, setting this to 1 to allow a dynamic backlog is recommended.

"EnableDynamicBacklog"=dword:00000001

Configure the minimum dynamic backlog: the minimum number of free connections that the dynamic backlog keeps allocated; when the number of free connections drops below it, more are allocated automatically. The default is 0. For systems under heavy network load or susceptible to SYN attacks, 20 is recommended.

"MinimumDynamicBacklog"=dword:00000014

Maximum dynamic backlog. This defines the maximum number of quasi-connections (half-open entries) and depends mainly on memory size: as a rule of thumb it can be raised by about 5,000 for every 32 MB of RAM. It is set to 20,000 here (20,000 = 0x4e20; the original listing's 0x2e20 would be 11,808).

"MaximumDynamicBacklog"=dword:00004e20

Number of free connections added per growth step. The default is 5, which is how many free connections are added each time. For systems under heavy network load or susceptible to SYN attacks, 10 is recommended.

"DynamicBacklogGrowthDelta"=dword:0000000a
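Importing the .reg file applies the values, but it does not tell you afterwards whether a service pack, another tool or a colleague has changed them back. The following PowerShell script is an added example, not part of the original article, that audits a Windows host against the Tcpip, NetBT and Afd baseline listed above and, with -Apply, writes any value that is missing or differs. It assumes it is run elevated and that those three service keys exist (they do on every Windows version that ships these drivers); values not yet present are reported as "absent" rather than assumed to be at their defaults, and the helper ConvertTo-RegDword is the example's own.

```powershell
# Added example, not from the original article.
# Audit (and with -Apply, enforce) the anti-DoS TCP/IP baseline from the listing above.
# Assumptions: run elevated; keys exist; absent values are reported, not assumed.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Apply)

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$Afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Afd\Parameters'

# Expected values in decimal; the .reg listing stores the same numbers as
# 8-digit hex dwords (300000 = 000493e0, 30 = 0000001e, 20000 = 00004e20).
$Baseline = @{}
$Baseline[$Tcpip] = @{
    EnableDeadGWDetect                   = 0
    EnableICMPRedirect                   = 0        # documented name has no trailing "s"
    NoNameReleaseOnDemand                = 1        # needs SP2 or later on Windows 2000
    KeepAliveTime                        = 300000   # 5 minutes, in milliseconds
    EnablePMTUDiscovery                  = 0
    SynAttackProtect                     = 2
    TcpMaxHalfOpen                       = 100
    TcpMaxHalfOpenRetried                = 80
    TcpMaxConnectResponseRetransmissions = 1
    TcpMaxDataRetransmissions            = 3
    TcpMaxPortsExhausted                 = 5
    DisableIPSourceRouting               = 2
    TcpTimedWaitDelay                    = 30
}
$Baseline[$NetBT] = @{
    BacklogIncrement = 3
    MaxConnBackLog   = 1000
}
$Baseline[$Afd] = @{
    EnableDynamicBacklog      = 1
    MinimumDynamicBacklog     = 20
    MaximumDynamicBacklog     = 20000
    DynamicBacklogGrowthDelta = 10
}

function ConvertTo-RegDword {
    # Render a decimal value the way a .reg file expects it: "dword:" + 8 hex digits.
    param([uint32]$Value)
    'dword:{0:x8}' -f $Value
}

$report = foreach ($path in $Baseline.Keys) {
    foreach ($name in $Baseline[$path].Keys) {
        $expected = $Baseline[$path][$name]
        $current  = $null
        try {
            $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name
        } catch { }   # value not present: leave $current as $null

        $status = if ($null -eq $current) { 'absent' } elseif ($current -eq $expected) { 'ok' } else { 'drift' }

        if ($Apply -and $status -ne 'ok' -and
            $PSCmdlet.ShouldProcess("$path\$name", "set to $expected")) {
            Set-ItemProperty -Path $path -Name $name -Value $expected -Type DWord
            $status = 'fixed'
        }

        [pscustomobject]@{
            Key      = ($path -split '\\')[-2]   # Tcpip / NetBT / Afd
            Name     = $name
            Expected = $expected
            RegForm  = ConvertTo-RegDword $expected
            Current  = $current
            Status   = $status
        }
    }
}

$report | Sort-Object Status, Key, Name | Format-Table -AutoSize
```

Run it without switches to get a drift report; add -Apply -WhatIf to see which values would be written, and -Apply to write them (a reboot is still needed for the TCP/IP stack to pick most of them up). The RegForm column doubles as a cross-check for hand-written .reg files: a dword with fewer than eight hex digits, like the DisableIPSourceRouting line in the original listing, will never match what this column prints.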

The following settings must be adjusted manually to suit the actual environment.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Enable security filtering on the network cards.

"EnableSecurityFilters"=dword:00000001

The number of TCP connections that can be open at the same time; control it according to the situation.

"TcpNumConnections"=

This parameter controls the size limit of the TCP header table. On machines with plenty of RAM, adding this setting can improve responsiveness during SYN attacks.

"TcpMaxSendFree"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Own network card interface}]

Disable router discovery. ICMP router advertisement messages can be used to add entries to the routing table, which can be exploited in attacks, so router discovery is disabled.

"PerformRouterDiscovery"=dword:00000000
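The per-adapter key above is left as a placeholder because each network card has its own {GUID} subkey under Interfaces. This added PowerShell snippet (not from the original article) lists every such subkey, shows the address it carries so the adapter can be recognised, and reports whether PerformRouterDiscovery is already set there. It assumes IPAddress and DhcpIPAddress are present as the usual per-interface values; an adapter with neither is shown with "-".

```powershell
# Added example, not from the original article.
# Enumerate Tcpip\Parameters\Interfaces\{GUID} and report PerformRouterDiscovery per adapter.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

Get-ChildItem -Path $ifRoot | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath

    # Static or DHCP address, whichever is set; skip the 0.0.0.0 placeholder.
    $addr = @($props.IPAddress) + @($props.DhcpIPAddress) |
            Where-Object { $_ -and $_ -ne '0.0.0.0' } |
            Select-Object -First 1

    $prd = if ($null -eq $props.PerformRouterDiscovery) { 'absent' } else { $props.PerformRouterDiscovery }

    [pscustomobject]@{
        Interface              = $_.PSChildName        # the {GUID} to put in the .reg path
        Address                = if ($addr) { $addr } else { '-' }
        PerformRouterDiscovery = $prd
    }
}

# To apply the article's setting to one adapter once you have identified its GUID:
#   Set-ItemProperty -Path "$ifRoot\{GUID}" -Name PerformRouterDiscovery -Value 0 -Type DWord
```

Loopback and disconnected adapters also appear in this list, so check the Address column before deciding which GUIDs to write into the .reg file.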