Windows 2000/2003 SYN DoS Attack Protection

On Windows 2000 and 2003, the system administrator can enable a SYN
attack protection mechanism in the TCP/IP stack by adding the value
SynAttackProtect under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
If the value of SynAttackProtect is 2,
the TCP/IP stack notifies a listening socket only when the 3-way
handshake has been completed, and tracks the ongoing 3-way handshakes by
storing them in a hash table. This way the backlog of the socket is
protected from SYN flood attacks.

The vulnerability resides in the hash table management: the
hash function used by the TCP/IP stack works only on some fields of the
incoming SYN packet and is thus predictable. An attacker can generate a
large number of SYN packets with the same hash value to target the same
hash table bucket. When the victim machine receives them, it stores
them in just one bucket of the hash table. The chain attached to this
bucket keeps growing, and the more it grows, the slower the lookup
algorithm becomes.

From SecuriTeam.
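
The chain-growth effect described above, as an added example that is not part of the original post or the SecuriTeam advisory. It compares a predictable hash with a secret-keyed one over the same tracked handshakes. Assumptions: weak_hash is a hypothetical stand-in (not the Windows function), the table size and sample entries are constructed, and the keyed hash is the general mitigation for this class of bug, not something the advisory describes.

```python
import hashlib
import os
from collections import Counter

BUCKETS = 512  # constructed table size, not a Windows value

def weak_hash(src_ip, src_port, dst_port):
    # Hypothetical unkeyed hash over a few SYN fields (NOT the Windows function).
    return (src_ip ^ src_port ^ dst_port) % BUCKETS

def keyed_hash(key, src_ip, src_port, dst_port):
    # Same fields mixed with a secret per-boot key, so the bucket choice is
    # unpredictable to anyone who does not know the key.
    msg = (src_ip.to_bytes(4, "big") + src_port.to_bytes(2, "big")
           + dst_port.to_bytes(2, "big"))
    digest = hashlib.blake2b(msg, key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS

def longest_chain(hash_fn, entries):
    # Size of the fullest bucket = worst-case comparisons for one lookup.
    return max(Counter(hash_fn(*e) for e in entries).values())

def insert_cost(hash_fn, entries):
    # Total comparisons when every insert first walks its bucket's chain.
    chains, cost = Counter(), 0
    for e in entries:
        bucket = hash_fn(*e)
        cost += chains[bucket]
        chains[bucket] += 1
    return cost

# Constructed sample: 2000 tracked handshakes whose fields differ only in
# bits that the weak hash discards.
SAMPLE = [(0x0A000000 + i * BUCKETS, 1024, 80) for i in range(2000)]

def compare(key=None):
    key = key or os.urandom(16)
    keyed = lambda *e: keyed_hash(key, *e)
    return {
        "weak": (longest_chain(weak_hash, SAMPLE), insert_cost(weak_hash, SAMPLE)),
        "keyed": (longest_chain(keyed, SAMPLE), insert_cost(keyed, SAMPLE)),
    }

if __name__ == "__main__":
    for name, (chain, cost) in compare().items():
        print(f"{name:5s} longest chain={chain:5d}  insert comparisons={cost}")
```

With the unkeyed hash every entry lands in one bucket, so lookup cost grows linearly and total insert cost quadratically; with the keyed hash the same entries spread across the table.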


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek.
