How to protect your Windows server from SYN flood?

SYN flooding attack protection for TCP/IP (SYNAttackProtect) was added to Windows Server as an optional security measure in Windows 2000. In that OS version, network administrators use a set of registry values to configure the feature. With Windows Server 2003 Service Pack 1, however, SYN flooding attack protection stopped being optional: it is enabled by default and cannot be disabled.

  • Windows Server 2003 R2 – SYN flooding attack protection is enabled by default
  • Windows Server 2008 – SYN flooding attack protection is enabled by default, but independent sources recommend the additional registry settings below to catch spoofed traffic that may slip past SYNAttackProtect:

IMPORTANT

  1. Back up your server and registry settings before you begin with any registry edits.
  2. Test the changes in a non-production environment before you apply them on your production servers.

To begin, open your registry editor and go to this registry path:

HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

Change the values of the following data to set up the specified rules:

Value Name                             Data Type   Set Value To   Rule
DisableIPSourceRouting                 REG_DWORD   2              Disable IP-source routed packets and stop them from being accepted
IPEnableRouter                         REG_DWORD   0              Disable all IP forwarding between interfaces
SynAttackProtect                       REG_DWORD   3              Enable the SYN flooding attack protection function when three (3) half-open connections are detected
TcpMaxConnectResponseRetransmissions   REG_DWORD   1              Time out any SYN/ACK handshake at three (3) seconds and drop the connection at nine (9) seconds
TcpMaxHalfOpen                         REG_DWORD   500            Limit the total number of half-open connections allowed by the system at any given time
TcpMaxHalfOpenRetried                  REG_DWORD   400            Cap the number of retried half-open connections allowed by the system at any given time
  • Windows Server 2008 R2 – To check whether SYN flooding attack protection is active, capture an Event Trace Log (ETL) of the TCP/IP provider and look for the relevant TCP/IP entry. From an elevated command prompt, start the trace with:

netsh trace start capture=yes provider=Microsoft-Windows-TCPIP level=0x05 tracefile=TCPIP.etl

To stop the ETL trace, run:

netsh trace stop
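The registry hardening in the table above can be audited and applied repeatably instead of edited by hand. The following PowerShell script is an added example, not part of the original article: it compares the current Tcpip\Parameters values with the settings listed above, prints the drift, and, only when -Apply is passed, exports the key first (the backup step from the IMPORTANT note) and then writes the missing or differing values. The backup path is a hypothetical default; run it from an elevated session.

```powershell
# Added example (not from the original article): audit the Tcpip\Parameters
# values from the table above and report which ones differ from the target.
[CmdletBinding()]
param(
    [switch]$Apply,
    # Hypothetical default backup location; point it at your real backup store.
    [string]$BackupPath = "$env:TEMP\Tcpip-Parameters-backup.reg"
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Target values exactly as given in the table in this article.
$Hardened = [ordered]@{
    DisableIPSourceRouting               = 2
    IPEnableRouter                       = 0
    SynAttackProtect                     = 3
    TcpMaxConnectResponseRetransmissions = 1
    TcpMaxHalfOpen                       = 500
    TcpMaxHalfOpenRetried                = 400
}

$current = Get-ItemProperty -Path $KeyPath
$drift = foreach ($name in $Hardened.Keys) {
    $actual = $current.$name   # $null when the value has never been created
    [pscustomobject]@{
        ValueName = $name
        Current   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected  = $Hardened[$name]
        Compliant = ($actual -eq $Hardened[$name])
    }
}
$drift | Format-Table -AutoSize

if ($Apply) {
    # Export the key before changing anything, as the IMPORTANT note requires.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' $BackupPath /y | Out-Null
    Write-Host "Registry key exported to $BackupPath"
    foreach ($item in $drift | Where-Object { -not $_.Compliant }) {
        # Creates the REG_DWORD if it is missing, overwrites it otherwise.
        Set-ItemProperty -Path $KeyPath -Name $item.ValueName -Value $item.Expected -Type DWord
        Write-Host "Set $($item.ValueName) = $($item.Expected)"
    }
    Write-Host 'Restart the server so the TCP/IP stack reads the new parameters.'
}
```

Run it without -Apply first on a test server to see the drift report, then again with -Apply once the output matches what you expect.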

For servers running Linux, see also: How to protect your network from IP spoofing?
