Taking a Correct View of DoS and DDoS
I believe none of us are unfamiliar with these two terms: denial of service attacks (Denial of Service, DoS) and distributed denial of service attacks (Distributed Denial of Service, DDoS).
A denial of service means that, when a specific attack occurs, the target of the attack can no longer provide the service it is supposed to provide: a host that should be offering web service (HTTP) can no longer serve web pages, a mail server (SMTP, POP3) can no longer send and receive mail, and so on. In general, denial of service attacks use a large number of network packets to flood the other party's network and hosts, so that normal users cannot obtain timely service from the host.
A distributed denial of service attack, put simply, consumes the available system and network bandwidth with a volume of packets far beyond the target's processing capacity, so that its network services are paralysed.
Perhaps because the media pays so much attention to them, DoS attacks, and DDoS attacks in particular, seem to have popped up overnight: on networks large and small, whenever a server fails, someone shouts excitedly "I've been DDoSed!", with an expression of incomparable glory and pride.
In reality, DDoS in the true sense is not that common around us, since launching a DDoS attack requires a great many resources; the attacks that actually take place are, in the vast majority of cases, ordinary denial of service attacks. How to protect against attacks of this ordinary level has become the biggest headache for many network administrators, so I have asked around, and the answer is usually the same: "buy our hardware firewall."
Hardware firewalls, including dedicated anti-denial-of-service products, really are good, but their prices are generally very high; although the effect is good, from the point of view of protecting the investment it is a bit over the top.
In fact, the operating system itself has many features that we are only slowly discovering. Here I will give a brief introduction to how the registry can be modified in a Win2000 environment to enhance the system's anti-DoS capabilities.
Details:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Turn off dead gateway detection. When the server is configured with multiple gateways, the system tries to switch to the second gateway when the network is unstable; turning this off can optimise the network.
"EnableDeadGWDetect"=dword:00000000
Disable response to ICMP redirect messages. Such packets can be used in attacks, so the system should refuse to accept ICMP redirects.
"EnableICMPRedirects"=dword:00000000
Do not release the NetBIOS name on demand. When an attacker sends a request asking the server to release its NetBIOS name, the server can refuse.
Note: the system must have SP2 or later installed.
"NoNameReleaseOnDemand"=dword:00000001
Send keep-alive verification packets. This option determines the interval at which TCP checks whether a current connection is still alive. If the value is not set, the system checks for idle TCP connections every 2 hours. Here the interval is set to 5 minutes (the value is expressed in milliseconds).
"KeepAliveTime"=dword:000493e0
Disable path MTU discovery. When the value is 1, the largest packet size that can be transmitted along the path is detected automatically, which improves transmission efficiency. If failures occur, or for safety, set the value to 0, which means a fixed MTU of 576 bytes is used.
"EnablePMTUDiscovery"=dword:00000000
Enable SYN attack protection. The default value is 0, meaning the protection is not enabled. A value of 1 or 2 enables SYN attack protection, and 2 gives the higher security level. Whether the system considers itself under attack is decided by the conditions set with the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below, which trigger the protection. Note that on NT 4.0 this must be set to 1; setting it to 2 will cause the system to restart when it receives a specially crafted packet.
"SynAttackProtect"=dword:00000002
The number of half-open connections that may be open at the same time. A half-open connection is a TCP session that has not been fully established; you can see these in the SYN_RCVD state with the netstat command. Here we use the Microsoft recommended values: 100 for Server and 500 for Advanced Server. It is suggested to set this slightly smaller.
"TcpMaxHalfOpen"=dword:00000064
The trigger point for deciding that an attack is in progress. Here we use the Microsoft recommended values: 80 for Server and 400 for Advanced Server.
"TcpMaxHalfOpenRetried"=dword:00000050
Set the time to wait for the SYN-ACK (the number of SYN-ACK retransmissions). The default value is 3, which corresponds to 45 seconds. A value of 2 gives 21 seconds and a value of 1 gives 9 seconds. The minimum is 0, meaning no retransmission, which takes 3 seconds. This value can be adjusted according to the scale of the attack; Microsoft's site security recommendation is 2.
"TcpMaxConnectResponseRetransmissions"=dword:00000001
Set the number of times TCP retransmits a single data segment. The default value is 5, which corresponds to 240 seconds. Microsoft's site security recommendation is 3.
"TcpMaxDataRetransmissions"=dword:00000003
Set the threshold for SYN attack protection. When the available backlog reaches 0, this parameter controls whether SYN attack protection is turned on. Microsoft's site security recommendation is 5.
"TcpMaxPortsExhausted"=dword:00000005
Disable IP source routing. The default value of 1 means source-routed packets are not forwarded; 0 means all of them are forwarded; 2 means all received source-routed packets are dropped. Microsoft's site security recommendation is 2.
"DisableIPSourceRouting"=dword:00000002
Limit the maximum time spent in the TIME_WAIT state. The default is 240 seconds, the minimum 30 seconds and the maximum 300 seconds. It is recommended to set this to 30 seconds.
"TcpTimedWaitDelay"=dword:0000001e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
The increment for NetBT connection blocks. The default is 3; the range is 1-20. The larger the value, the better the performance when there are many connections. Each connection block consumes 87 bytes.
"BacklogIncrement"=dword:00000003
The maximum number of NetBT connections. The range is 1-40000; here it is set to 1000. The larger the value, the more connections are allowed when there are many connections.
"MaxConnBackLog"=dword:000003e8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters]
Enable the dynamic backlog. For systems under heavy network load or SYN attack, it is recommended to set this to 1, which allows a dynamic backlog.
"EnableDynamicBacklog"=dword:00000001
The minimum dynamic backlog. This is the minimum number of free connections the dynamic backlog keeps allocated; when the number of free connections drops below it, more free connections are allocated automatically. The default value is 0. For systems under heavy network load or SYN attack, the recommended setting is 20.
"MinimumDynamicBacklog"=dword:00000014
The maximum dynamic backlog. This is the maximum number of "quasi-connections" (half-open connections) and depends mainly on the amount of memory. In theory the maximum can be increased by 5000 for every 5000M of memory; here it is set to 20000.
"MaximumDynamicBacklog"=dword:00004e20
The number of free connections added each time. The default value is 5, which defines how many free connections are added at a time. For systems under heavy network load or vulnerable to SYN attack, it is recommended to set this to 10.
"DynamicBacklogGrowthDelta"=dword:0000000a
The following sections need to be adjusted manually according to the actual situation.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Enable security filtering on the network card.
"EnableSecurityFilters"=dword:00000001
The number of TCP connections open at the same time; this can be controlled according to the situation.
"TcpNumConnections"=
This parameter controls the size limit of the TCP header table. On machines with a lot of RAM, increasing this setting can improve responsiveness during a SYN attack.
"TcpMaxSendFree"=
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface GUID of your own NIC}]
Disable router discovery. ICMP router advertisement packets can be used to add entries to the routing table, which can be exploited for attacks, so router discovery is disabled.
"PerformRouterDiscovery"=dword:00000000
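As an added example that is not part of the original article, the Python script below parses a `reg export` of the Tcpip and Afd parameter keys and audits it against a subset of the recommended values above, reporting settings that are missing or still at a weaker value; it also reproduces the 45/21/9/3 second SYN-ACK figures quoted above, assuming the 3 s initial timeout doubles on each retransmission. The sample export, the BASELINE subset and the function names are my own construction.

```python
import re
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{1,8})$', re.I)

BASELINE = {  # subset of the article's recommended values, in decimal
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters": {
        "SynAttackProtect": 2, "TcpMaxHalfOpen": 100,
        "TcpMaxHalfOpenRetried": 80, "TcpTimedWaitDelay": 30,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters": {
        "EnableDynamicBacklog": 1, "MaximumDynamicBacklog": 20000,
    },
}

# Constructed sample of a `reg export` from a host that was only partly hardened.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"TcpMaxHalfOpen"=dword:00000064
"TcpTimedWaitDelay"=dword:0000001e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters]
"EnableDynamicBacklog"=dword:00000001
"MaximumDynamicBacklog"=dword:00002e20
"""

def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: int} for dword entries."""
    result, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
        elif current is not None and (m := DWORD_RE.match(line)):
            result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result

def audit(text):
    """(name, expected, actual) for each baseline entry missing (None) or off-baseline."""
    present, findings = parse_reg(text), []
    for key, wanted in BASELINE.items():
        have = present.get(key.lower(), {})
        for name, expected in wanted.items():
            actual = have.get(name.lower())
            if actual != expected:
                findings.append((name, expected, actual))
    return findings

def syn_ack_wait_seconds(retransmissions):
    """Lifetime of a half-open entry, assuming a 3 s initial SYN-ACK timeout that
    doubles on every retransmission: values 3/2/1/0 give the 45/21/9/3 s above."""
    return sum(3 * 2 ** i for i in range(retransmissions + 1))
```

Note that the sample's MaximumDynamicBacklog of dword:00002e20 is 11808, not the intended 20000 (dword:00004e20), which is exactly the kind of hex slip the audit catches.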