Solved

Windows servers and SYN flood attacks

Posted on 2011-03-15
Medium Priority
4,058 Views
Last Modified: 2012-05-11
I would like to know how resilient a Windows server is to TCP SYN flood attacks. I know modern Linux kernels have SYN cookies, which make them pretty much invincible to SYN floods, but Windows seems to lack this feature. So my question is: how to determine how many packets per second an attacker would need to send to disrupt a service?

I have found information about how to harden the network stack: http://support.microsoft.com/kb/324270. OK, it makes the server more resilient to an attack, but how resilient?
Question by:gremwell
6 Comments
 
LVL 6

Expert Comment

by:Melannk24
ID: 35148020
Each environment is going to be different.  For example, most properly configured firewalls will recognize a SYN flood, even a throttled one, and drop packets.  However, any network that has enough connections thrown at it without upstream mitigation (intervention from the ISP) will get DDoS'd.

You speak of Windows; many MS Windows environments use MS ISA Server as a web proxy and firewall solution.  By default, ISA Server limits the number of concurrent half-open TCP connections to half the number configured for concurrent TCP connections.

So the Windows OS installed, the firewall solutions in place (both HW and SW) and any other kind of in-depth security services running will all play a part in how your production servers respond to being attacked via SYN flood.
 
LVL 3

Author Comment

by:gremwell
ID: 35148058
Thank you for your feedback, but my question is about Windows Server, not ISA nor other possible components of the network infrastructure.
 
LVL 3

Author Comment

by:gremwell
ID: 35148099
In fact I am looking for information about the resilience of Windows Server to SYN flood to be able to fine-tune the SYN flood protection threshold on the firewall. I need to know what is the safe TCP SYN rate the firewall can pass through to Windows Server before it has to activate SYN flood protection. The protection feature on the firewall has a performance impact, so it is not desirable to have it active all the time.

 
LVL 64

Expert Comment

by:btan
ID: 35148153
SYN cookie protection is especially useful when the system is under a SYN flood attack and the source IP addresses of the SYN packets are also forged (a SYN spoofing attack).

For Windows, in general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.

It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size. Windows works on a threshold setting though. SYN cookies are seen as stateless, as the state is embedded in the TCB packet, which in a way is self-contained; it is just that the host needs to be able to interpret it. Both Linux and Windows have backlog adjustment on the TCP stack.

Therefore, the differentiator is the use of SYN cookies, which Windows does not have. I see this mechanism as more worthy, but nonetheless, depending on the deployment and the resources available, the threshold approach may suffice as a first layer and the cookie act as a second layer.

Nonetheless, we should note what the success of such an attack depends on. Three important attack parameters for attaining higher chances of success are the size of the barrage, the frequency with which barrages are generated, and the means of selecting IP addresses to spoof. SYN cookies would manage those.

Check out this link: http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks
 
LVL 6

Accepted Solution

by: Melannk24 (earned 2000 total points)
ID: 35148289
I have never seen a defined "rate" number out there.  I think this is something you would have to test yourself, and there are a ton of tools out there to test your own security settings.

Don't know if you are a member of TechNet, but it's a great resource for Windows wisdom.  See below:

Syn attack protection on Windows Vista, Windows 2008, Windows 7 and Windows 2008 R2
MuratKa1
1 Jun 2010 1:08 AM

Hi,

In this blog entry, I wanted to talk about some changes made in Syn attack protection on Windows Vista and later systems.

Syn attack protection has been in place since Windows 2000 and has been enabled by default since Windows 2003/SP1. In the earlier implementation (Windows 2000/Windows 2003), the syn attack protection mechanism was configurable via various registry keys (like SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried, TcpMaxPortsExhausted). With this previous version of syn attack protection, the TCPIP stack starts dropping new connection requests when the threshold values are met, regardless of how much system memory or CPU power is available to the system. As of Windows Vista and onwards (Vista/2008/Win 7/2008 R2), the syn attack protection algorithm has been changed in the following ways:

1) SynAttack protection is enabled by default and cannot be disabled!
 
2) SynAttack protection dynamically calculates the thresholds (for when it considers an attack to have started) based on the number of CPU cores and the memory available, and hence it doesn't expose any configurable parameters via registry, netsh etc.
 
3) Since the TCPIP driver goes into attack state based on the number of CPU cores and the amount of memory available, systems with more resources will start dropping new connection attempts later than systems with fewer resources. That was hard-coded (as per the configured registry settings) on pre-Vista systems, where the system was moved to attack state regardless of how many resources were available to it. The new algorithm eliminates the need for any fine tuning, and the TCPIP stack will self-tune to the best values possible depending on the available resources.

Hope this helps

Thanks,
Murat
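The accepted answer says the only way to get a number is to measure your own host. The following PowerShell script is an added example, not code from the thread or from the quoted TechNet post: it reads the four legacy registry values named above (SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried, TcpMaxPortsExhausted) so you can see whether anything is configured, flags when the host is Vista/2008 or later (NT 6.0+), where the quoted post says those values are ignored and the stack self-tunes, and then samples the count of half-open (SYN_RECEIVED) connections from `netstat -an`, grouped by local port, which is the observable you would watch while deciding a firewall threshold. The registry path `HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` is the standard Tcpip parameters key; the function names, the sample count and the interval are my own choices.

```powershell
# Added example, not from the Experts Exchange thread or the TechNet post it quotes.
# Purpose: report the legacy SYN-attack-protection registry values and sample the number
# of half-open (SYN_RECEIVED) inbound connections, so an admin can see where the host
# actually sits before tuning an upstream firewall's SYN flood threshold.

# Assumption: the standard Tcpip parameters key that KB 324270 describes.
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# The four legacy values named in the thread (honoured on Windows 2000/2003 only).
$legacyKeys  = 'SynAttackProtect', 'TcpMaxHalfOpen', 'TcpMaxHalfOpenRetried', 'TcpMaxPortsExhausted'

function Get-LegacySynProtectionSettings {
    # One object per value; "Configured" tells you whether an admin ever set it.
    $props = Get-ItemProperty -Path $tcpipParams -ErrorAction Stop
    foreach ($name in $legacyKeys) {
        $value = $props.$name
        [pscustomobject]@{
            Name       = $name
            Configured = ($null -ne $value)
            Value      = if ($null -ne $value) { $value } else { '(not set; stack default applies)' }
        }
    }
}

function Test-SelfTuningSynProtection {
    # Vista / Server 2008 report NT 6.0; per the quoted post the stack self-tunes from there on
    # and the legacy values above have no effect.
    $v = [Environment]::OSVersion.Version
    return ($v.Major -ge 6)
}

function Measure-HalfOpenConnections {
    param([int]$Samples = 5, [int]$IntervalSeconds = 1)
    # netstat -an prints one TCP endpoint per line: "  TCP  local:port  remote:port  STATE".
    # SYN_RECEIVED is an inbound connection whose handshake has not completed (half-open).
    for ($i = 0; $i -lt $Samples; $i++) {
        $lines = @(netstat -an | Select-String -SimpleMatch 'SYN_RECEIVED')
        # Group by local port so a flood aimed at one listener stands out from background noise.
        $perPort = $lines | ForEach-Object {
            $localAddr = ($_.Line.Trim() -split '\s+')[1]   # e.g. 10.0.0.5:443 or [::]:443
            $localAddr -replace '^.*:(\d+)$', '$1'          # keep only the port
        } | Group-Object | Sort-Object Count -Descending | Select-Object -First 3
        [pscustomobject]@{
            Sample   = $i + 1
            HalfOpen = $lines.Count
            TopPorts = ($perPort | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Write-Host "Legacy SYN attack protection registry values (Windows 2000/2003 semantics):"
Get-LegacySynProtectionSettings | Format-Table -AutoSize
if (Test-SelfTuningSynProtection) {
    Write-Host "This host reports NT $([Environment]::OSVersion.Version): SYN attack protection is always on and self-tuning, so the values above are informational only."
}
Write-Host "Half-open (SYN_RECEIVED) connections, sampled every second:"
Measure-HalfOpenConnections -Samples 5 -IntervalSeconds 1 | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the server while it serves normal traffic to establish a baseline of half-open connections; a firewall threshold set just above the busiest legitimate sample, rather than at an arbitrary packets-per-second figure, is the safest way to keep the firewall's SYN protection idle during ordinary load and still have it engage before the host's own protection starts dropping connection attempts.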