Re: Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/02/02 

From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Mon, 2 Dec 2002 17:11:01 -0500

Your ISP may also be able to assist here. Also a good commercial firewall
with Syn flood protection [netscreen.com 5xp starts at $500, Checkpoint,
Intrusion.com, Nortel Contivity switch, Cisco, etc.

http://securityadmin.info/faq.htm#firewall

"Ray Secrest" <res0cu5i@verizon@net> wrote in message
news:OcevrBkmCHA.2224@tkmsftngp02...
> We are experiencing a large number of tcp connections (1500+)on our IIS 5
> Web servers (SP2, SRP-1 & IIS Cumulative patch + many, many hot fixes) and
> the servers will lock up. Our IDS has reported this as either a broken
> network (the source originates outside our nework) or a SynAttack. The IP
> stack has been hardened as follows:
> Tcpip/Parameters/SynAttackProtect 2
> Tcpip/Parameters/TcpMaxHalfOpen 100
> Tcpip/Parameters/TcpMaxHalfOpenRetried 80
>
> I was reviewing a few KB articles (Security Considerations for Network
> Attacks &Q142641). While reading these I was trying to fully understand
> some terms mentioned but I couldn't find them on TechNet or in Win2k
Server
> ResKit. What are the Backlog parameters, are they configurable and what
are
> the recommended settings? Is this related to the Metabase setting
> W3svc/Server ListenBacklog (which is set to 1000)? The
> W3svc/MaxEndPointConnections has been modified to 500 also.
> Q142641 lists some parameters for WinNT 3.51 & NT4. Is it advisable
to
> use these on Win2k (heading in KB lists Win2k as applicable but Win2k is
not
> listed in body of article)?
> Is there additional reading for these parameters (other than the
RFCs)?
> Thanks
> Ray
>
>

Relevant Pages

  • Re: Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters
    ... the same parameter) that are covered in the RFCs. ... >> I was reviewing a few KB articles (Security Considerations for Network ... While reading these I was trying to fully understand ... >> the recommended settings? ...
    (microsoft.public.inetserver.iis.security)
  • Re: ISA 2006 Problem with Outlook Anywhere
    ... You can't have NTLM auth at any proxy and the upstream server; ... Jim Harrison (ISA SE) ... I think you are reading so many threads these days that you don't ... I've been reading some of your articles on isaserver.org and it's always ...
    (microsoft.public.isaserver)
  • Re: Good lord, when do I get to actually program?
    ... My advice to you would be to stop reading and start messing about. ... Find great Windows Forms articles in Windows Forms Tips and Tricks ... > basics, but I'm having trouble seeing myself bridging the gap from basics ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Transportation after EMP
    ... It has been said the reason EMP was not noticed in early nuclear ... numerous articles and papers have mentioned. ... this is not the physics at all. ... just from reading science books when I was in junior high school. ...
    (misc.survivalism)
  • Re: Just for fun ...
    ... an '??aholic' thingy of some sort. ... If you haven't written any articles then, IMHO, you most definitely ... I enjoy reading your posts. ... learning from equally excellent people who are spending ...
    (borland.public.delphi.non-technical)