Re: Syn Attacks: Metabase entries (w3svc/ServerListenBacklog) & Backlog parameters

From: Ray (res0cu5i@verizon@net)
Date: 12/04/02


From: "Ray" <res0cu5i@verizon@net>
Date: Wed, 4 Dec 2002 08:31:31 -0500


Thanks for the follow-up. There are other systems/devices in place to
protect the servers. These steps were my attempts at "defense in depth".
Testing to date hasn't revealed any downside to these modifications. The
Web application itself may be responsible for some of the performance
problems. I'm finding it difficult to track/test how many connections are
opened up by one browser client. I guess that's another story. BTW, whoever
wrote Wfetch (Q284285) did a nice job!
Thanks for your help.
Ray
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:#pmIVH0mCHA.1392@TK2MSFTNGP10...
> PS regarding syn floods, the typical advice I see stops at the registry
> entries you mention here, so this is probably as good as you're going to get
> without adding third party software or hardware. The best you can hope for
> with these Windows settings is to be less vulnerable, not invulnerable to
> DoS. And none of these settings protect you from, say, an attack that
> floods your network bandwidth.
>
> Regarding the KB article you mention, if W2K is listed at the top of the
> article, then I would feel safe in using those settings on W2K. Doesn't
> sound like it could hurt, especially if you test it and can back out the
> settings if necessary.
>
>
> "Ray Secrest" <res0cu5i@verizon@net> wrote in message
> news:u1sOj5umCHA.968@TK2MSFTNGP09...
> > I'll dig a little deeper on the net and try to find a correlation.
> > Thanks for the info,
> > Ray
> >
> >
> > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > news:#c9teOumCHA.2416@TK2MSFTNGP08...
> > > IMHO, "backlog" [note that it is in "quotes" in article Q142641] is not an
> > > official term. I would say it probably describes the number of half open
> > > pending SYN connections that a Windows computer or other device can keep in
> > > an open, pending state. In general, permitting more simultaneous open
> > > connections takes more memory and performance from the device or computer,
> > > but an insufficient number of possible open connections results in a denial
> > > of service when the limit is reached. Hardening the OS is not a bad thing
> > > to do, but it's probably more effective to have a device [e.g. a firewall]
> > > in front of your network that can monitor for SYN floods and take one of
> > > several possible actions to defeat the attack.
> > >
> > > I don't know of any official TCP term for this "backlog." For more
> > > information, I would just search www.google.com and www.pcwebopedia.com and
> > > all the other typical sites for the term "syn flood" or "syn-flood" as well
> > > as searching a variety of firewall manufacturer web sites to see some
> > > possible ways their devices can handle them. Start with the manufacturer of
> > > your firewall. You ARE using a firewall in front of all your computers and
> > > servers, right?
> > >
> > > Start here:
> > >
> > > http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=syn-flood+firewall+isa+OR+cisco+OR+pix+OR+checkpoint+OR+netscreen
> > >
> > > For example, here are several ways Checkpoint Firewall-1 [and appliances
> > > that use it, such as intrusion.com, etc] can deal with SYN floods:
> > >
> > > http://www.phoneboy.com/fom-serve/cache/153.html
> > >
> > >
> > > "Ray Secrest" <res0cu5i@verizon@net> wrote in message
> > > news:OuTcVItmCHA.2188@TK2MSFTNGP10...
> > > > Can you recommend some additional reading material for the terms mentioned?
> > > > Are these general terms (different vendors use the same terms to describe
> > > > the same parameter) that are covered in the RFCs? Should I start looking at
> > > > the TCP/IP Illustrated encyclopedia?
> > > > Thanks
> > > > Ray
> > > >
> > > > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > > > news:e7jg3$kmCHA.1604@TK2MSFTNGP08...
> > > > > Your ISP may also be able to assist here. Also a good commercial firewall
> > > > > with Syn flood protection [netscreen.com 5xp starts at $500, Checkpoint,
> > > > > Intrusion.com, Nortel Contivity switch, Cisco, etc.]
> > > > >
> > > > > http://securityadmin.info/faq.htm#firewall
> > > > >
> > > > >
> > > > > "Ray Secrest" <res0cu5i@verizon@net> wrote in message
> > > > > news:OcevrBkmCHA.2224@tkmsftngp02...
> > > > > > We are experiencing a large number of tcp connections (1500+) on our IIS 5
> > > > > > Web servers (SP2, SRP-1 & IIS Cumulative patch + many, many hot fixes) and
> > > > > > the servers will lock up. Our IDS has reported this as either a broken
> > > > > > network (the source originates outside our network) or a SynAttack. The IP
> > > > > > stack has been hardened as follows:
> > > > > > Tcpip/Parameters/SynAttackProtect 2
> > > > > > Tcpip/Parameters/TcpMaxHalfOpen 100
> > > > > > Tcpip/Parameters/TcpMaxHalfOpenRetried 80
> > > > > >
> > > > > > I was reviewing a few KB articles (Security Considerations for Network
> > > > > > Attacks & Q142641). While reading these I was trying to fully understand
> > > > > > some terms mentioned but I couldn't find them on TechNet or in the Win2k
> > > > > > Server ResKit. What are the Backlog parameters, are they configurable and
> > > > > > what are the recommended settings? Is this related to the Metabase setting
> > > > > > W3svc/ServerListenBacklog (which is set to 1000)? The
> > > > > > W3svc/MaxEndPointConnections has been modified to 500 also.
> > > > > > Q142641 lists some parameters for WinNT 3.51 & NT4. Is it advisable to
> > > > > > use these on Win2k (the heading in the KB lists Win2k as applicable but
> > > > > > Win2k is not listed in the body of the article)?
> > > > > > Is there additional reading for these parameters (other than the RFCs)?
> > > > > > Thanks
> > > > > > Ray
> > > > > >
> > > > >
> > > >
> > >
> >
>
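Editor's addition, not part of the thread above: a small discrete-time model of the half-open ("backlog") table Karl describes, driven by the two thresholds Ray set (TcpMaxHalfOpen 100, TcpMaxHalfOpenRetried 80). It is not the Windows 2000 TCP/IP stack; the listen backlog size, the SYN-ACK retransmission timers and what happens once protection triggers are assumed values chosen to show the mechanism. Spoofed SYNs never finish the handshake, so each one holds a slot until the stack gives up on it; the model shows the same flood exhausting a fixed backlog when the stack keeps retransmitting, and leaving room for real clients when the half-open count crossing TcpMaxHalfOpen makes the stack stop retransmitting and expire entries early.

```python
"""Toy model of the TCP half-open ("backlog") table under a SYN flood.

Added illustration, not code from the thread and not the Windows 2000
TCP/IP stack: retransmission timers, the listen backlog size and what the
stack does once SynAttackProtect triggers are assumed values chosen to
show the mechanism, not Microsoft's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    """One SYN_RECEIVED entry: we sent a SYN-ACK and are waiting for the ACK."""
    created: int        # tick at which the SYN arrived
    next_retx: int      # tick at which the next SYN-ACK retransmission is due
    retx: int = 0       # SYN-ACK retransmissions sent so far


@dataclass
class Stack:
    backlog: int                       # max SYN_RECEIVED entries the listener keeps
    syn_attack_protect: bool = False   # models SynAttackProtect being non-zero
    max_half_open: int = 100           # TcpMaxHalfOpen (value from the thread)
    max_half_open_retried: int = 80    # TcpMaxHalfOpenRetried (value from the thread)
    normal_retx: int = 2               # SYN-ACK retransmissions before giving up (assumed)
    protected_retx: int = 0            # same, once protection is active (assumed)
    rto: int = 3                       # initial retransmission timeout, in ticks (assumed)
    table: dict = field(default_factory=dict)
    syns_dropped: int = 0              # SYNs refused because the backlog was full
    protect_active: bool = False

    def under_attack(self) -> bool:
        """Protection triggers when either threshold from the thread is exceeded."""
        if not self.syn_attack_protect:
            return False
        retried = sum(1 for h in self.table.values() if h.retx > 0)
        return (len(self.table) > self.max_half_open
                or retried > self.max_half_open_retried)

    def syn(self, conn: str, now: int) -> bool:
        """A SYN arrives; returns False when the backlog is full (the DoS)."""
        if len(self.table) >= self.backlog:
            self.syns_dropped += 1
            return False
        self.table[conn] = HalfOpen(created=now, next_retx=now + self.rto)
        return True

    def ack(self, conn: str) -> bool:
        """Third handshake packet: the entry leaves the half-open table."""
        return self.table.pop(conn, None) is not None

    def tick(self, now: int) -> None:
        """Run the SYN-ACK retransmission timers for one tick."""
        self.protect_active = self.under_attack()
        limit = self.protected_retx if self.protect_active else self.normal_retx
        for conn, h in list(self.table.items()):
            if now < h.next_retx:
                continue
            if h.retx >= limit:
                del self.table[conn]            # give up on the handshake, free the slot
            else:
                h.retx += 1
                h.next_retx = now + self.rto * (2 ** h.retx)   # exponential backoff


def simulate(protect: bool, flood_per_tick: int, ticks: int = 60,
             legit_per_tick: int = 5, backlog: int = 200):
    """Spoofed SYNs never complete; real clients ACK at once.

    Returns (legit_completed, legit_refused, peak_half_open).
    """
    stack = Stack(backlog=backlog, syn_attack_protect=protect)
    completed = refused = peak = 0
    n = 0
    for now in range(ticks):
        stack.tick(now)
        for _ in range(flood_per_tick):            # constructed flood from spoofed sources
            n += 1
            stack.syn(f"spoof-{n}", now)
        peak = max(peak, len(stack.table))
        for _ in range(legit_per_tick):            # constructed legitimate clients
            n += 1
            conn = f"client-{n}"
            if stack.syn(conn, now):
                stack.ack(conn)
                completed += 1
            else:
                refused += 1
    return completed, refused, peak


if __name__ == "__main__":
    for protect in (False, True):
        done, lost, peak = simulate(protect=protect, flood_per_tick=30)
        print(f"SynAttackProtect={'on ' if protect else 'off'}: "
              f"legit completed={done} refused={lost} peak half-open={peak}")
```

With 30 spoofed SYNs per tick against a backlog of 200, the unprotected stack fills the table within a few ticks and then refuses every real client for the rest of the run, while the protected stack oscillates around the 100-entry threshold and never refuses one. The model also makes Karl's point about limits visible: the only knobs are how many half-open entries you hold and how long you hold them, so a flood that saturates the link itself is untouched by any of these settings.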


