Re: Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/04/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 3 Dec 2002 22:14:24 -0500


PS regarding syn floods, the typical advice I see stops at the registry
entries you mention here, so this is probably as good as you're going to get
without adding third party software or hardware. The best you can hope for
with these Windows settings is to be less vulnerable, not invulnerable to
DoS. And none of these settings protect you from, say, an attack that
floods your network bandwidth.

Regarding the KB article you mention, if W2K is listed at the top of the
article, then I would feel safe in using those settings on W2K. Doesn't
sound like it could hurt, especially if you test it and can back out the
settings if necessary.

"Ray Secrest" <res0cu5i@verizon@net> wrote in message
news:u1sOj5umCHA.968@TK2MSFTNGP09...
> I'll dig a little deeper on the net and try to find a correlation
> Thanks for the info,
> Ray
>
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:#c9teOumCHA.2416@TK2MSFTNGP08...
> > IMHO, "backlog" [note that it is in "quotes" in article Q142641] is not an
> > official term. I would say it probably describes the number of half open
> > pending SYN connections that a Windows computer or other device can keep in
> > an open, pending state. In general, permitting more simultaneous open
> > connections takes more memory and performance from the device or computer,
> > but an insufficient number of possible open connections results in a denial
> > of service when the limit is reached. Hardening the OS is not a bad thing
> > to do, but it's probably more effective to have a device [e.g. a firewall]
> > in front of your network that can monitor for SYN floods and take one of
> > several possible actions to defeat the attack.
> >
> > I don't know of any official TCP term for this "backlog." For more
> > information, I would just search www.google.com and www.pcwebopedia.com and
> > all the other typical sites for the term "syn flood" or "syn-flood" as well
> > as searching a variety of firewall manufacturer web sites to see some
> > possible ways their devices can handle them. Start with the manufacturer of
> > your firewall. You ARE using a firewall in front of all your computers and
> > servers, right?
> >
> > Start here:
> >
> > http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=syn-flood+firewall+isa+OR+cisco+OR+pix+OR+checkpoint+OR+netscreen
> >
> > For example, here are several ways Checkpoint Firewall-1 [and appliances
> > that use it, such as intrusion.com, etc] can deal with SYN floods:
> >
> > http://www.phoneboy.com/fom-serve/cache/153.html
> >
> >
> >
> > "Ray Secrest" <res0cu5i@verizon@net> wrote in message
> > news:OuTcVItmCHA.2188@TK2MSFTNGP10...
> > > Can you recommend some additional reading material for terms mentioned?
> > > Are these general terms (different vendors use the same terms to describe
> > > the same parameter) that are covered in the RFCs? Should I start looking at
> > > the TCPIP Illustrated encyclopedia?
> > > Thanks
> > > Ray
> > >
> > > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > > news:e7jg3$kmCHA.1604@TK2MSFTNGP08...
> > > > Your ISP may also be able to assist here. Also a good commercial firewall
> > > > with Syn flood protection [netscreen.com 5xp starts at $500, Checkpoint,
> > > > Intrusion.com, Nortel Contivity switch, Cisco, etc.]
> > > >
> > > > http://securityadmin.info/faq.htm#firewall
> > > >
> > > >
> > > > "Ray Secrest" <res0cu5i@verizon@net> wrote in message
> > > > news:OcevrBkmCHA.2224@tkmsftngp02...
> > > > > We are experiencing a large number of tcp connections (1500+) on our IIS 5
> > > > > Web servers (SP2, SRP-1 & IIS Cumulative patch + many, many hot fixes) and
> > > > > the servers will lock up. Our IDS has reported this as either a broken
> > > > > network (the source originates outside our network) or a SynAttack. The IP
> > > > > stack has been hardened as follows:
> > > > > Tcpip/Parameters/SynAttackProtect 2
> > > > > Tcpip/Parameters/TcpMaxHalfOpen 100
> > > > > Tcpip/Parameters/TcpMaxHalfOpenRetried 80
> > > > >
> > > > > I was reviewing a few KB articles (Security Considerations for Network
> > > > > Attacks & Q142641). While reading these I was trying to fully understand
> > > > > some terms mentioned but I couldn't find them on TechNet or in Win2k Server
> > > > > ResKit. What are the Backlog parameters, are they configurable and what are
> > > > > the recommended settings? Is this related to the Metabase setting
> > > > > W3svc/Server ListenBacklog (which is set to 1000)? The
> > > > > W3svc/MaxEndPointConnections has been modified to 500 also.
> > > > > Q142641 lists some parameters for WinNT 3.51 & NT4. Is it advisable to
> > > > > use these on Win2k (heading in KB lists Win2k as applicable but Win2k is not
> > > > > listed in body of article)?
> > > > > Is there additional reading for these parameters (other than the RFCs)?
> > > > > Thanks
> > > > > Ray
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
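The thread above leaves the reader with three Tcpip\Parameters values (SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried) and the advice to test and be able to back them out. The following PowerShell audit script is an added example, not code from anyone in the thread: it reads those three values from the live registry and reports whether each matches a baseline. The baseline values (2 / 100 / 80) are the ones the original poster said he had set, not a Microsoft recommendation, and the $Baseline table and function name are assumptions of this example. Windows Server 2008 and later always apply SYN attack protection and no longer honor TcpMaxHalfOpen / TcpMaxHalfOpenRetried, so the script flags those as "NotApplicable" rather than as findings on such hosts.

```powershell
# Added audit example (not from the thread). Reads the SYN-flood hardening
# values discussed above and compares them with a baseline so an admin can
# confirm what is really set before and after a change, and back it out.

$TcpipParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Baseline taken from the values the original poster reported (assumption:
# treat them as "expected", not as a vendor recommendation).
$Baseline = @{
    SynAttackProtect      = 2
    TcpMaxHalfOpen        = 100
    TcpMaxHalfOpenRetried = 80
}

# Parameters the rewritten (Vista / Server 2008+) TCP/IP stack ignores.
$LegacyOnly = @('TcpMaxHalfOpen', 'TcpMaxHalfOpenRetried')

function Get-SynHardeningState {
    param(
        [string]    $RegistryPath = $TcpipParameters,
        [hashtable] $Expected     = $Baseline
    )

    if (-not (Test-Path -Path $RegistryPath)) {
        throw "Registry path not found: $RegistryPath"
    }

    # NT 6.0 (Vista / Server 2008) and later: legacy half-open limits not honored.
    $modernStack = [Environment]::OSVersion.Version.Major -ge 6
    $props = Get-ItemProperty -Path $RegistryPath -ErrorAction Stop

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $props.$name          # $null when the value does not exist

        $status =
            if ($modernStack -and $LegacyOnly -contains $name) { 'NotApplicable' }
            elseif ($null -eq $actual)                          { 'NotSet' }
            elseif ([int]$actual -eq $Expected[$name])          { 'Match' }
            else                                                { 'Differs' }

        [pscustomobject]@{
            Name     = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = $status
        }
    }
}

# Usage: print the table; a non-zero count of 'Differs' rows is the audit finding.
$state = Get-SynHardeningState
$state | Format-Table -AutoSize
$differs = @($state | Where-Object { $_.Status -eq 'Differs' }).Count
Write-Host "Values differing from baseline: $differs"
```

Run it once before changing the registry and save the output; that record is the "back out" path Karl recommends, since the same three value names are all that must be restored.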
