Partilhar via


TCP/IP Stack hardening in Operating Systems starting with Windows Vista

In Windows Server 2003 you could change the following TCP/IP parameters to harden the Stack against Syn Attacks. This protection has been accomplished by the TCP/IP stack in the following way by dropping new connection requests when the threshold values are met, regardless of how much system memory or CPU power available to the system.

System\CurrentControlSet\Services\Tcpip\Parameters
- TcpWindowSize
- SynAttackProtect
- TcpMaxConnectResponseRetransmissions
- EnableDeadGWDetect
- EnablePMTUBHDetect
- EnablePMTUDiscovery
- TcpMaxHalfOpen
- TcpMaxHalfOpenRetried
{InterfaceGUID}\TcpInitialRTT

Now in Operating Systems starting with Windows Vista the above settings marked with RED are no longer valid, because Syn Attack protection is built in "by default" and changed in the following ways:

- Syn Attack protection is enabled by default and cannot be disabled!
- Syn Attack protection dynamically calculates the thresholds (of when it considers an attack has started) based on the number of CPU cores and memory available and hence it doesn’t expose any configurable parameters via registry, netsh etc.
- Since TCP/IP driver goes into attack state based on the number of CPU cores and the amount of memory available, systems with more resources will start dropping new connection attempts later compared to systems with less resources. The new algorithm eliminates the need of any fine tuning and TCP/IP stack will self-tune to best values possible depending on the available resources.

{InterfaceGUID}\TcpInitialRTT cannot be changed anymore and is hardcoded at 3 seconds to meet RFC 1122.

===============================================

https://www.ietf.org/rfc/rfc2988.txt

 (2.1) Until a round-trip time (RTT) measurement has been made for a segment sent between the sender and receiver, the sender SHOULD set RTO <- 3 seconds (per RFC 1122 [Bra89]), though the "backing off" on repeated retransmission discussed in (5.5) still applies.

===============================================

 

Regarding the AFD Parameters:

System\CurrentControlSet\Services\AFD\Parameters
- DynamicBacklogGrowthDelta
- EnableDynamicBacklog
- MaximumDynamicBacklog
- MinimumDynamicBacklog

The primary goal of the dynamic backlog scheme in Winsock was to alleviate the impact of Syn Attacks at Winsock layer. With the new NETIO stack on Vista/WS08 and onwards and the TcpIP syn-attack protection built-in, the Winsock-level dynamic backlog scheme is not needed anymore and has been removed.

Dorian

Comments

  • Anonymous
    November 07, 2011
    Now that SynAttackProtect can't be disabled how could one tell if the OS is blocking/dropping connections due to a SynAttack condition.  We have a SQL Server 2008 running on Server 2008 R2 and our BizTalk servers will give the below error 2-3 times a day.  How can I rule out SynAttackProtect if I can't simply disable it? Error message: [DBNETLIB][ConnectionRead (recv()).]General network error. Check your network documentation. Error source:   BizTalk host name: FILE_Host Windows service name: BTSSvc$FILE_Host

  • Anonymous
    February 21, 2014
    I have the same issue above with my windows erver 2008 / sql server 2008 systems. Is there any way to actually verify if synattackprotect is causing my issues?