Harden the TCP/IP Stack for Denial of Service Attacks at Registry Guide f... http://www.pctools.

com/guides/registry/detail/1237/

Features Registry Home > Network > Protocols > TCP-IP

Security Guide
Harden the TCP/IP Stack for Denial of Service Attacks (Windows 2000/XP)
Software Guide Popular
Scripting Guide
Denial of service attacks are network attacks that are aimed at making a computer
Driver Guide or a particular service unavailable to network users. These settings can be used to
increase the ability for Windows to defend against these attacks when connected
Support Forums directly to the Internet.
Newsletters
This tweak can be easily applied using WinGuides Tweak Manager.
Registry Tutorial Download a free trial now!
Registry Insight
Open your registry and find the key below.
Tweak Manager
Create the following DWORD values and set them according to the table below.
Registry Mechanic
EnableDeadGWDetect = "0" (default = 1)
Print this Disables dead-gateway detection as an attack could force the server to switch
E-mail this gateways.
Bookmark EnableICMPRedirect = "0" (default = 1)
Newsletter Stops Windows from altering its route table in response to ICMP redirect
Receive regular messages. Some documentation has this listed as "EnableICMPRedirects" but
Windows® updates according to Microsoft it should be "EnableICMPRedirect" no "s".
EnablePMTUDiscovery = "0" (default = 1)
Disables maximum transmission unit (MTU) discovery as an attacker could
Join Now!
force the MTU value to a very small value and overwork the stack.
Your privacy is KeepAliveTime = "300,000" (default = 7,200,000)
ensured by our Reduces how often TCP attempts to verify that an idle connection is still
privacy policy intact by sending a keep-alive packet.
NoNameReleaseOnDemand = "1" (default = 0)
Protects the computer against malicious NetBIOS name-release attacks.
PerformRouterDiscovery = "0" (default = 1)
Disables ICMP Router Discovery Protocol (IRDP) where an an attacker may
remotely add default route entries on a remote system.
SynAttackProtect = "2" (default = 0)
Automatically adds additional delays to connection indications, and TCP
connection requests quickly timeout when a SYN attack is in progress.

Restart Windows for the changes to take effect.

1 of 2 25.05.2009 19:18
Harden the TCP/IP Stack for Denial of Service Attacks at Registry Guide f... http://www.pctools.com/guides/registry/detail/1237/

Note: These values will not give the best performance due to additional checking
and less optimization, but they will provide greater protection against attacks.

(Default) REG_SZ (value not set)

EnableDeadGWDetect REG_DWORD 0x00000000 (0)
EnableICMPRedirect REG_DWORD 0x00000000 (0)
EnablePMTUDiscovery REG_DWORD 0x00000000 (0)
KeepAliveTime REG_DWORD 0x000493e0 (300000)
NoNameReleaseOnDemand REG_DWORD 0x00000001 (1)
PerformRouterDiscovery REG_DWORD 0x00000000 (0)

SynAttackProtect REG_DWORD 0x00000002 (2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\P...

Registry Settings
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
\Tcpip\Parameters]
Value Name: EnableDeadGWDetect, EnableICMPRedirect,
EnablePMTUDiscovery, KeepAliveTime, NoNameReleaseOnDemand,
PerformRouterDiscovery, SynAttackProtect
Data Type: REG_DWORD (DWORD Value)

>> Recommended Download - check, repair and optimize your registry now with
Registry Mechanic <<

Disclaimer: Modifying the registry can cause serious problems that may require
you to reinstall your operating system. We cannot guarantee that problems resulting
from modifications to the registry can be solved. Use the information provided at
your own risk.

Last modified: December 19, 2002

More Guides » Security Guide Support Forums Software Guide Scripting Guide Driver Guide Search

Copyright © 1998-2009 PC Tools. All rights Reserved.

2 of 2 25.05.2009 19:18