The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Windows 2000/2003 SYN DoS Attack Protection

Posted by Xavier Ashe on December 5, 2005

On Windows 2000 and 2003 the system administrator can enable a SYN
attack protection mechanism in the TCP/IP stack by adding the value
SynAttackProtect to the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
If the value of SynAttackProtect is 2,
the TCP/IP stack notifies a listening socket only when the 3-way
handshake has been completed, and tracks the ongoing 3-way handshakes by
storing them in a hash table. This way the backlog of the socket is
defended from SYN flood attacks.

The vulnerability resides in the hash table management: the
hash function used by the TCP/IP stack works only on some fields of the
incoming SYN packet and is thus predictable. An attacker can generate a
large number of SYN packets with the same hash value to target the same
hash table bucket. When the victim machine receives them, it stores
them in just one bucket of the hash table. The chain attached to this
bucket keeps growing, and the more it grows, the slower the lookup
algorithm becomes.

From SecuriTeam.
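
The bucket-chain growth described above can be measured in a small simulation. This is an added example, not code from the original post or the SecuriTeam advisory. The weak hash is hypothetical (it is not the actual Windows function), and the table size and sample connection tuples are constructed. It contrasts an unkeyed hash over only some fields with a hash keyed by a per-boot secret.

```python
import hashlib
import os
from collections import Counter

BUCKETS = 256  # constructed table size, not the real Windows value


def weak_bucket(src_ip, src_port, dst_port):
    """Hypothetical unkeyed hash that looks at only some fields (the ports)."""
    return (src_port ^ dst_port) % BUCKETS


def keyed_bucket(src_ip, src_port, dst_port, secret):
    """Hash over all fields, keyed with a secret the sender cannot know."""
    msg = (src_ip.to_bytes(4, "big")
           + src_port.to_bytes(2, "big")
           + dst_port.to_bytes(2, "big"))
    digest = hashlib.blake2b(msg, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def longest_chain(bucket_indexes):
    """Length of the fullest bucket: the worst-case cost of one lookup."""
    return max(Counter(bucket_indexes).values())


def simulate(n=4096, secret=None):
    """Return (longest chain with weak hash, longest chain with keyed hash)."""
    secret = secret or os.urandom(16)  # stands in for a per-boot random key
    # Constructed half-open connection entries that differ only in a field
    # the weak hash ignores, so they all share one weak-hash value.
    entries = [(0x0A000000 + i, 40000, 80) for i in range(n)]
    weak = longest_chain(weak_bucket(*e) for e in entries)
    keyed = longest_chain(keyed_bucket(*e, secret) for e in entries)
    return weak, keyed


if __name__ == "__main__":
    weak, keyed = simulate()
    # With the weak hash every entry lands in one chain, so each lookup
    # walks all n entries; with the keyed hash chains stay near n / BUCKETS.
    print(f"longest chain, unkeyed partial hash: {weak}")
    print(f"longest chain, keyed full hash:      {keyed}")
```
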
