How to harden the TCP/IP stack against denial of service attacks in Windows 2000
Article ID: 315669 - View products that this article applies to.

This article was previously published under Q315669
SUMMARY
Denial of service attacks are network attacks that are aimed at making a computer or a particular service on a computer unavailable
to network users. Denial of service attacks can be difficult to defend against. To help prevent denial of service attacks, you can use
one or both of the following methods:
Keep your computer updated with the latest security fixes. Security fixes are located on the following Microsoft Web site:
http://www.microsoft.com/security/

Harden the Transmission Control Protocol/Internet Protocol (TCP/IP) stack on Windows 2000-based workstations
and servers. The default TCP/IP stack configuration is tuned to handle normal intranet traffic. If you connect a computer
directly to the Internet, it is recommended that you harden the TCP/IP stack against denial of service attacks.

TCP/IP Registry Values That Harden the TCP/IP Stack


Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might
occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up
the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up
and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
The following list describes the TCP/IP-related registry values that you can configure to harden the TCP/IP stack on computers that
are directly connected to the Internet. All of these values are located under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
NOTE: All values are in hexadecimal unless otherwise noted.
Value name: SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0,1,2
Default: 0
This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure
this value, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).
The following list describes the parameters that you can use with this registry value:
0 (default value): Set SynAttackProtect to 0 for typical protection against SYN attacks.
1: Set SynAttackProtect to 1 for better protection against SYN attacks. This parameter causes TCP to adjust the
retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if it
appears that there is a SYN attack in progress. Windows uses the following values to determine if an attack is in
progress:
TcpMaxPortsExhausted
TCPMaxHalfOpen
TCPMaxHalfOpenRetried
Note The TcpMaxPortsExhausted registry key is obsolete in Windows XP SP2 and in later Windows operating
systems.
2: Set SynAttackProtect to 2 for the best protection against SYN attacks. This value adds additional delays to
connection indications, and TCP connection requests time out quickly when a SYN attack is in progress. This
parameter is the recommended setting.
NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2:
Scalable windows
TCP parameters that are configured on each adapter (including Initial RTT and window size)
Value name: EnableDeadGWDetect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)
The following list describes the parameters that you can use with this registry value:
1: When you set EnableDeadGWDetect to 1, TCP is allowed to perform dead-gateway detection. When dead-gateway
detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of
connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP
configuration dialog box in Network Control Panel.
0: It is recommended that you set EnableDeadGWDetect to 0. If you do not set this value to 0, an attack could force
the server to switch gateways and cause it to switch to an unintended gateway.
Value name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)
The following list describes the parameters that you can use with this registry value:
1: When you set EnablePMTUDiscovery to 1, TCP attempts to discover the maximum transmission unit (MTU), that is,
the largest packet size, over the path to a remote host. TCP can eliminate fragmentation at routers along the path
that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size.
Fragmentation adversely affects TCP throughput.
0: It is recommended that you set EnablePMTUDiscovery to 0. When you do so, an MTU of 576 bytes is used for all
connections that are not hosts on the local subnet. If you do not set this value to 0, an attacker could force the MTU
value to a very small value and overwork the stack.
Important Setting EnablePMTUDiscovery to 0 negatively affects TCP/IP performance and throughput. Even though
Microsoft recommends this setting, it should not be used unless you are fully aware of this performance loss.
Value name: KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD-Time in milliseconds
Valid Range: 1-0xFFFFFFFF
Default: 7,200,000 (two hours)
This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If
the remote computer is still reachable, it acknowledges the keep-alive packet. Keep-alive packets are not sent by default.
You can use a program to configure this value on a connection. The recommended value setting is 300,000 (5 minutes).
Value name: NoNameReleaseOnDemand
Key: Netbt\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 0 (False)
This value determines whether the computer releases its NetBIOS name when it receives a name-release request. This value
was added to allow the administrator to protect the computer against malicious name-release attacks. It is recommended
that you set the NoNameReleaseOnDemand value to 1 (the default value).
NOTE: You must be using Windows 2000 Service Pack 2 (SP2) or later to use the NoNameReleaseOnDemand value.
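The following PowerShell script is an added example, not part of the Knowledge Base article and not Microsoft-supplied code. It audits the five registry values described above against the recommended settings listed in the article (SynAttackProtect 2, EnableDeadGWDetect 0, EnablePMTUDiscovery 0, KeepAliveTime 300,000 ms, NoNameReleaseOnDemand 1) and, only when run with an -Apply switch, exports a backup of each affected key with reg.exe before writing the value. The -Apply and -BackupDir parameters and the Export-BackupKey function are names chosen for this example; the script assumes an elevated PowerShell session on the Windows host being hardened.

```powershell
# Added example: audit and optionally apply the TCP/IP hardening values from KB 315669.
# Run without switches to report drift only; add -Apply (this script's own switch) to write values.
[CmdletBinding()]
param(
    [switch]$Apply,
    [string]$BackupDir = "$env:TEMP\tcpip-hardening-backup"   # assumed backup location
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Recommended values as stated in the article; every value is REG_DWORD.
# KeepAliveTime is in milliseconds (300000 = 5 minutes).
$settings = @(
    @{ Key = 'Tcpip\Parameters'; Name = 'SynAttackProtect';      Value = 2;      Note = 'delays connection indications during a SYN attack' }
    @{ Key = 'Tcpip\Parameters'; Name = 'EnableDeadGWDetect';    Value = 0;      Note = 'prevents an attack from forcing a gateway switch' }
    @{ Key = 'Tcpip\Parameters'; Name = 'EnablePMTUDiscovery';   Value = 0;      Note = 'fixed 576-byte MTU off-subnet; reduces throughput' }
    @{ Key = 'Tcpip\Parameters'; Name = 'KeepAliveTime';         Value = 300000; Note = 'keep-alive interval, 5 minutes instead of 2 hours' }
    @{ Key = 'Netbt\Parameters'; Name = 'NoNameReleaseOnDemand'; Value = 1;      Note = 'ignore malicious NetBIOS name-release requests (needs SP2+)' }
)

function Export-BackupKey {
    # Export the key with reg.exe so it can be restored later with "reg.exe import <file>".
    param([string]$SubKey)
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $file = Join-Path $BackupDir (($SubKey -replace '\\', '_') + '.reg')
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$SubKey" $file /y | Out-Null
    return $file
}

# Audit pass: compare each current value (absent means the built-in default applies) to the recommendation.
$drift = @()
foreach ($s in $settings) {
    $path = Join-Path $base $s.Key
    $item = Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($s.Name) } else { '<absent, default in effect>' }
    $status = if ($current -eq $s.Value) { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{
        Setting     = "$($s.Key)\$($s.Name)"
        Current     = $current
        Recommended = $s.Value
        Status      = $status
    }
    if ($status -eq 'DRIFT') { $drift += $s }
}

# Apply pass: back up, then write each drifting value as a DWORD.
if ($Apply -and $drift.Count -gt 0) {
    foreach ($s in $drift) {
        $backup = Export-BackupKey -SubKey $s.Key
        Write-Verbose "Backed up $($s.Key) to $backup"
        Set-ItemProperty -Path (Join-Path $base $s.Key) -Name $s.Name -Value $s.Value -Type DWord
        Write-Verbose "Set $($s.Name) = $($s.Value) ($($s.Note))"
    }
    # The Tcpip and NetBT drivers read these parameters at start, so a restart is needed for them to take effect.
    Write-Warning 'Values written; restart the computer so the TCP/IP stack reloads its parameters.'
}
```

Running the script with no switches on a production host is safe in the sense that it only reads the registry and prints a drift table, which is how you would verify the values after a change or check a fleet of Internet-facing servers. The EnablePMTUDiscovery line applies the article's recommendation literally; given the throughput cost the article itself flags, remove that entry from the table if the host cannot tolerate a 576-byte MTU for off-subnet traffic.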

Troubleshooting
When you change the TCP/IP registry values, you may affect programs and services that are running on the Windows 2000-based
computer. It is recommended that you test these settings on non-production workstations and servers to confirm that they are
compatible with your business environment.

Properties
Article ID: 315669 - Last Review: March 27, 2008 - Revision: 5.0
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional Edition

Keywords: kbhowtomaster KB315669