Virtual host security settings (2)


7. How can IIS be made more resistant to SYN flood attacks?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Enable SYN attack protection. The default value 0 means protection is not enabled; 1 and 2 both enable it, with 2 giving the higher security level. Protection is only activated once the thresholds set by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below are exceeded. Note that on NT 4.0 this value must be set to 1; a value of 2 can cause the system to restart when it receives a particular kind of packet.

"SynAttackProtect"=dword:00000002

The number of half-open connections allowed at the same time. A half-open connection is a TCP session that has not been fully established; such sessions appear in the SYN_RCVD state in the output of the netstat command. Here we use the Microsoft recommended value: 100 for Server and 500 for Advanced Server. Setting it slightly lower is suggested.

"TcpMaxHalfOpen"=dword:00000064

The trigger point for deciding whether an attack is under way. Here we again use the Microsoft recommended value: 80 for Server and 400 for Advanced Server.

"TcpMaxHalfOpenRetried"=dword:00000050

Sets how long to wait for the SYN-ACK exchange to complete. The default value 3 corresponds to 45 seconds; a value of 2 corresponds to 21 seconds and a value of 1 to 9 seconds. The minimum is 0, which means the SYN-ACK is not retransmitted at all and the wait is only 3 seconds. Adjust this value according to the scale of the attack.

Microsoft's site security guidance recommends 2.

"TcpMaxConnectResponseRetransmissions"=dword:00000001

Sets the number of times TCP retransmits a single data segment. The default value 5 corresponds to 240 seconds. Microsoft's site security guidance recommends 3.

"TcpMaxDataRetransmissions"=dword:00000003

Sets the threshold for SYN attack protection. When the available backlog reaches 0, this parameter controls when SYN attack protection is switched on. Microsoft's site security guidance recommends 5.

"TCPMaxPortsExhausted"=dword:00000005

Disable IP source routing. The default value 1 means source-routed packets are not forwarded; 0 means all of them are forwarded; 2 means all received source-routed packets are dropped. Microsoft's site security guidance recommends 2.

"DisableIPSourceRouting"=dword:00000002

Limits the maximum time a connection spends in the TIME_WAIT state. The default is 240 seconds; the minimum is 30 seconds and the maximum 300 seconds. 30 seconds is recommended.

"TcpTimedWaitDelay"=dword:0000001e
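An added audit script, not part of the original article, that reads the live Tcpip\Parameters values and compares them with the hardening values listed above so an administrator can confirm the .reg file was applied (the $baseline table and its notes are constructed from the article's own recommendations; the script only reads the registry and changes nothing):

```powershell
# Added example: audit the SYN flood hardening values described in the article.
# Run in an elevated PowerShell session on the IIS host; read-only.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended values from the .reg fragment above (constructed table, decimal values).
$baseline = [ordered]@{
    SynAttackProtect                     = @{ Value = 2;   Note = 'SYN attack protection (0 = off; NT 4.0 must use 1)' }
    TcpMaxHalfOpen                       = @{ Value = 100; Note = 'max simultaneous half-open (SYN_RCVD) connections' }
    TcpMaxHalfOpenRetried                = @{ Value = 80;  Note = 'trigger point for deciding an attack is under way' }
    TcpMaxConnectResponseRetransmissions = @{ Value = 1;   Note = 'SYN-ACK retransmissions (1 = about 9 s wait)' }
    TcpMaxDataRetransmissions            = @{ Value = 3;   Note = 'retransmissions of a single data segment' }
    TCPMaxPortsExhausted                 = @{ Value = 5;   Note = 'threshold at which SYN attack protection switches on' }
    DisableIPSourceRouting               = @{ Value = 2;   Note = 'drop all received source-routed packets' }
    TcpTimedWaitDelay                    = @{ Value = 30;  Note = 'TIME_WAIT lifetime in seconds' }
}

$current = Get-ItemProperty -Path $path -ErrorAction Stop

$findings = foreach ($name in $baseline.Keys) {
    $prop = $current.PSObject.Properties[$name]
    # A missing value means the Windows default applies, which is not the hardened setting.
    $actual = if ($null -ne $prop) { [int]$prop.Value } else { $null }
    [pscustomobject]@{
        Setting     = $name
        Expected    = $baseline[$name].Value
        Actual      = if ($null -eq $actual) { '(not set, default applies)' } else { $actual }
        Compliant   = ($actual -eq $baseline[$name].Value)
        Description = $baseline[$name].Note
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code when any value deviates, so the check can run from a scheduled job.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

A registry change to these values only takes effect after the TCP/IP stack is restarted, so a value that reads as compliant here may still be inactive until the server has been rebooted.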

Copyright © Windows knowledge All Rights Reserved