Re: Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/03/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 3 Dec 2002 10:47:58 -0500


IMHO, "backlog" [note that it is in "quotes" in article Q142641] is not an
official term. I would say it probably describes the number of half open
pending SYN connections that a Windows computer or other device can keep in
an open, pending state. In general, permitting more simultaneous open
connections takes more memory and performance from the device or computer,
but an insufficient number of possible open connections results in a denial
of service when the limit is reached. Hardening the OS is not a bad thing
to do, but it's probably more effective to have a device [e.g. a firewall]
in front of your network that can monitor for SYN floods and take one of
several possible actions to defeat the attack.

I don't know of any official TCP term for this "backlog." For more
information, I would just search www.google.com and www.pcwebopedia.com and
all the other typical sites for the term "syn flood" or "syn-flood" as well
as searching a variety of firewall manufacturer web sites to see some
possible ways their devices can handle them. Start with the manufacturer of
your firewall. You ARE using a firewall in front of all your computers and
servers, right?

Start here:

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=syn-flood+firewall+isa+OR+cisco+OR+pix+OR+checkpoint+OR+netscreen

For example, here are several ways Checkpoint Firewall-1 [and appliances
that use it, such as intrusion.com, etc] can deal with SYN floods:

http://www.phoneboy.com/fom-serve/cache/153.html

"Ray Secrest" <res0cu5i@verizon@net> wrote in message
news:OuTcVItmCHA.2188@TK2MSFTNGP10...
> Can you recommend some additional reading material for terms mentioned?
> Are these general terms (different vendors use the same terms to describe
> the same parameter) that are covered in the RFCs? Should I start looking
> at the TCP/IP Illustrated encyclopedia?
> Thanks
> Ray
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:e7jg3$kmCHA.1604@TK2MSFTNGP08...
> > Your ISP may also be able to assist here. Also a good commercial
> > firewall with Syn flood protection [netscreen.com 5xp starts at $500,
> > Checkpoint, Intrusion.com, Nortel Contivity switch, Cisco, etc.]
> >
> > http://securityadmin.info/faq.htm#firewall
> >
> >
> > "Ray Secrest" <res0cu5i@verizon@net> wrote in message
> > news:OcevrBkmCHA.2224@tkmsftngp02...
> > > We are experiencing a large number of tcp connections (1500+) on our
> > > IIS 5 Web servers (SP2, SRP-1 & IIS Cumulative patch + many, many hot
> > > fixes) and the servers will lock up. Our IDS has reported this as
> > > either a broken network (the source originates outside our network) or
> > > a SynAttack. The IP stack has been hardened as follows:
> > > Tcpip/Parameters/SynAttackProtect 2
> > > Tcpip/Parameters/TcpMaxHalfOpen 100
> > > Tcpip/Parameters/TcpMaxHalfOpenRetried 80
> > >
> > > I was reviewing a few KB articles (Security Considerations for Network
> > > Attacks & Q142641). While reading these I was trying to fully
> > > understand some terms mentioned but I couldn't find them on TechNet or
> > > in Win2k Server ResKit. What are the Backlog parameters, are they
> > > configurable and what are the recommended settings? Is this related to
> > > the Metabase setting W3svc/ServerListenBacklog (which is set to 1000)?
> > > The W3svc/MaxEndPointConnections has been modified to 500 also.
> > > Q142641 lists some parameters for WinNT 3.51 & NT4. Is it advisable to
> > > use these on Win2k (heading in KB lists Win2k as applicable but Win2k
> > > is not listed in body of article)?
> > > Is there additional reading for these parameters (other than the RFCs)?
> > > Thanks
> > > Ray
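An added example, not code from any post in this thread: the original question mixes two different things, the TCP/IP stack's half-open connection limits (Tcpip\Parameters\TcpMaxHalfOpen and TcpMaxHalfOpenRetried, which drive the SynAttackProtect heuristic) and the IIS metabase ServerListenBacklog, which is the listen-queue depth IIS requests for its own sockets. The first step in telling "1500+ connections" apart from a SYN flood is to see which TCP state those connections are in. The script below parses `netstat -an` output in the Windows layout, counts half-open (SYN_RECEIVED) connections per remote address, and compares the total with the TcpMaxHalfOpen value the poster set (100). The netstat text is constructed sample data; the Windows stack also tracks how many half-open connections have had their SYN-ACK retransmitted (the TcpMaxHalfOpenRetried side of the trigger), which netstat does not expose, so only the half-open-count side is reproduced here.

```python
"""Count half-open TCP connections from `netstat -an` (Windows layout) and
compare them with the TcpMaxHalfOpen threshold discussed in the thread.

Added example, not from the original posts. SAMPLE_NETSTAT and
synthetic_flood() produce constructed data; the threshold is the poster's
setting (TcpMaxHalfOpen = 100).
"""
from collections import Counter
from typing import Dict, List, NamedTuple

TCP_MAX_HALF_OPEN = 100          # Tcpip\Parameters\TcpMaxHalfOpen as set in the thread
HALF_OPEN_STATE = "SYN_RECEIVED" # netstat's name for a connection awaiting the final ACK

# Constructed sample of `netstat -an` output on Windows 2000; real output is
# much longer, but the column layout is the same.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:40211     ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:40212     TIME_WAIT
  TCP    192.0.2.10:80          203.0.113.5:1025       SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.99:1030      SYN_RECEIVED
  UDP    0.0.0.0:161            *:*
"""


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(text: str) -> List[Conn]:
    """Parse Windows `netstat -an` lines into Conn records.

    Header, blank and UDP lines are skipped: UDP rows have no State column,
    so only four-column rows starting with TCP are connections.
    """
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        proto, local, foreign, state = parts
        host, _, port = foreign.rpartition(":")   # "203.0.113.5:1025" -> host, port
        conns.append(Conn(proto, local, host, int(port), state))
    return conns


def half_open_by_source(conns: List[Conn]) -> Counter:
    """Half-open connections grouped by remote address; a flood usually shows
    many sources (spoofed) each holding one or a few slots."""
    return Counter(c.remote_ip for c in conns if c.state == HALF_OPEN_STATE)


def assess(conns: List[Conn], threshold: int = TCP_MAX_HALF_OPEN) -> Dict:
    """Summarise connection states; 'syn_attack' mirrors the TcpMaxHalfOpen
    trigger condition (half-open count exceeds the configured value)."""
    by_source = half_open_by_source(conns)
    total_half_open = sum(by_source.values())
    return {
        "states": dict(Counter(c.state for c in conns)),
        "half_open": total_half_open,
        "syn_attack": total_half_open > threshold,
        "top_sources": by_source.most_common(3),
    }


def synthetic_flood(n: int, local: str = "192.0.2.10:80") -> str:
    """Constructed netstat text with n SYN_RECEIVED rows from varied sources,
    standing in for what a SYN flood against port 80 looks like."""
    lines = ["  Proto  Local Address  Foreign Address  State"]
    for i in range(n):
        src = f"203.0.113.{i % 250 + 1}:{1024 + i}"
        lines.append(f"  TCP    {local}    {src}    {HALF_OPEN_STATE}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_NETSTAT), ("flood", synthetic_flood(150))):
        report = assess(parse_netstat(text))
        print(f"{label}: states={report['states']} half_open={report['half_open']} "
              f"syn_attack={report['syn_attack']} top={report['top_sources']}")
```

Run it against saved `netstat -an` output from the affected server: if the bulk of the 1500 connections are ESTABLISHED, the problem is connection volume against MaxEndpointConnections and server capacity rather than a SYN attack; if they are SYN_RECEIVED from many addresses, the stack's SynAttackProtect trigger has almost certainly fired, and a firewall with SYN-flood handling in front of the servers, as the reply recommends, is the place to stop it.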


