Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters
From: Ray Secrest (res0cu5i@verizon@net)
Date: 12/02/02
- Next message: Erik: "Security Policy, IP filtering"
- Previous message: Dug: "Content Adv: Why wont it enable w/o turning every off"
- Next in thread: Karl Levinson [x y] mvp: "Re: Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters"
- Reply: Karl Levinson [x y] mvp: "Re: Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters"
From: "Ray Secrest" <res0cu5i@verizon@net> Date: Mon, 2 Dec 2002 15:24:22 -0500
We are experiencing a large number of tcp connections (1500+) on our IIS 5
Web servers (SP2, SRP-1 & IIS Cumulative patch + many, many hot fixes) and
the servers will lock up. Our IDS has reported this as either a broken
network (the source originates outside our network) or a SynAttack. The IP
stack has been hardened as follows:
Tcpip/Parameters/SynAttackProtect 2
Tcpip/Parameters/TcpMaxHalfOpen 100
Tcpip/Parameters/TcpMaxHalfOpenRetried 80
I was reviewing a few KB articles (Security Considerations for Network
Attacks & Q142641). While reading these I was trying to fully understand
some terms mentioned but I couldn't find them on TechNet or in Win2k Server
ResKit. What are the Backlog parameters, are they configurable and what are
the recommended settings? Is this related to the Metabase setting
W3svc/ServerListenBacklog (which is set to 1000)? The
W3svc/MaxEndPointConnections has been modified to 500 also.
Q142641 lists some parameters for WinNT 3.51 & NT4. Is it advisable to
use these on Win2k (heading in KB lists Win2k as applicable but Win2k is not
listed in body of article)?
Is there additional reading for these parameters (other than the RFCs)?
Thanks
Ray
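
One way to check whether a connection count like the one described above is made up of half-open or completed connections, as an added example that is not part of the original post. It parses `netstat -an` style text; the sample rows are constructed, the function names and the triage labels are assumptions of this example, and only the TcpMaxHalfOpen value of 100 comes from the message.

```python
from collections import Counter

# Value quoted in the post (Tcpip/Parameters/TcpMaxHalfOpen).
TCP_MAX_HALF_OPEN = 100

def summarize(netstat_text, port=80):
    """Count TCP states, and half-open connections per remote IP, for one local port."""
    states, half_open_by_ip = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        local, remote, state = fields[1:]
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        states[state] += 1
        if state == "SYN_RECEIVED":
            half_open_by_ip[remote.rsplit(":", 1)[0]] += 1
    return states, half_open_by_ip

def assess(states, limit=TCP_MAX_HALF_OPEN):
    """Triage heuristic (an assumption of this example, not a Microsoft rule)."""
    if states["SYN_RECEIVED"] > limit:
        return "half-open"    # consistent with a SYN flood or unreachable clients
    if states["ESTABLISHED"] > limit:
        return "established"  # handshakes completed; half-open limits are not what is hit
    return "normal"

def build_sample(half_open, established):
    """Constructed `netstat -an` style text using documentation address ranges."""
    rows = ["Active Connections", "",
            "  Proto  Local Address          Foreign Address        State",
            "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
            "  UDP    0.0.0.0:161            *:*"]
    for i in range(half_open):
        rows.append(f"  TCP    192.0.2.10:80   198.51.100.{i % 250 + 1}:{2000 + i}   SYN_RECEIVED")
    for i in range(established):
        rows.append(f"  TCP    192.0.2.10:80   203.0.113.{i % 250 + 1}:{3000 + i}   ESTABLISHED")
    return "\n".join(rows)

if __name__ == "__main__":
    states, sources = summarize(build_sample(half_open=150, established=20))
    print(dict(states), assess(states), sources.most_common(3))
```

On a live server, pass the saved output of `netstat -an` to `summarize` in place of the constructed sample.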