Attack protection mechanism on the TCP/IP stack by adding the value
SynAttackProtect in the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
If the value of SynAttackProtect is 2,
the TCP/IP stack notifies a listening socket only when the 3-way
handshake has been completed and tracks the ongoing 3-way handshakes by
storing them in a hash table. This way the backlog of the socket is
defended from SYN flood attacks.
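
A small model of the handshake-tracking hash table described above, added here as an illustration and not taken from the advisory or from Windows code: it compares how long the fullest bucket chain gets when the bucket is chosen by an unkeyed hash over only some packet fields versus a keyed hash over all of them. The table size, both hash functions and the sample entries are assumptions constructed for the example.

```python
import hashlib
import os
from collections import Counter

BUCKETS = 256  # assumed table size for this model

def weak_bucket(src_ip, src_port, dst_port):
    # Hypothetical unkeyed hash that ignores src_ip and mixes only the ports.
    return (src_port ^ dst_port) % BUCKETS

def keyed_bucket(src_ip, src_port, dst_port, key):
    # Keyed hash over every field; `key` is a secret chosen at start-up,
    # so bucket placement cannot be computed without knowing it.
    data = f"{src_ip}|{src_port}|{dst_port}".encode()
    digest = hashlib.blake2b(data, key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS

def longest_chain(bucket_ids):
    # Length of the fullest chain = worst-case entries walked per lookup.
    return max(Counter(bucket_ids).values())

def compare(entries, key):
    # Returns (longest chain with the unkeyed hash, with the keyed hash).
    weak = longest_chain(weak_bucket(*e) for e in entries)
    keyed = longest_chain(keyed_bucket(*e, key) for e in entries)
    return weak, keyed

def addr(i):
    # Constructed addresses in 10.0.0.0/8, one per entry.
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"

# Constructed pending-handshake entries (src_ip, src_port, dst_port).
# VARIED: source ports differ, as in ordinary client traffic.
VARIED = [(addr(i), 1024 + 7 * i, 80) for i in range(2000)]
# SAME_FIELDS: entries differ only in the field the weak hash ignores.
SAME_FIELDS = [(addr(i), 40000, 80) for i in range(2000)]

if __name__ == "__main__":
    key = os.urandom(16)  # per-run secret
    for name, entries in (("varied", VARIED), ("same fields", SAME_FIELDS)):
        weak, keyed = compare(entries, key)
        print(f"{name:12} longest chain: unkeyed={weak:5} keyed={keyed:5}")
```

On the varied sample both hashes spread entries evenly, so the weakness does not show in ordinary traffic; it appears only when the entries agree on every field the unkeyed hash reads.
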
The vulnerability resides in the hash table management: the
hash function used by the TCP/IP stack works only on some fields of the
incoming SYN packet and is thus predictable. An attacker can generate a
large number of SYN packets with the same hash value to target the same
hash table bucket. When the victim machine receives them, it stores
them in just one bucket of the hash table. The chain attached to this
bucket keeps growing, and the more it grows, the slower the lookup