Solved

windows servers and syn flood attacks

Posted on 2011-03-15
3,786 Views
Last Modified: 2012-05-11
I would like to know how resilient a Windows server is to TCP SYN flood attacks. I know modern Linux kernels have SYN cookies, which makes them pretty much invincible to SYN floods, but Windows seems to lack this feature. So my question is: how to determine how many packets per second an attacker would need to send to disrupt a service?

I have found information about how to harden the network stack: http://support.microsoft.com/kb/324270. OK, it makes the server more resilient to an attack, but how resilient?
Question by:gremwell
6 Comments
 
LVL 6

Expert Comment

by:Melannk24
ID: 35148020
Each environment is going to be different.  For example, most properly configured firewalls will recognize a SYN flood, even a throttled one, and drop packets.  However, any network that has enough connections thrown at it without upstream mitigation (intervention from the ISP) will get DDoS'd.

You speak of Windows; many MS Windows environments use MS ISA Server as a web proxy and firewall solution.  By default, ISA Server limits the number of concurrent half-open TCP connections to half the number of concurrent TCP connections configured.

So the Windows OS installed, the firewall solutions in place (both HW and SW) and any other in-depth security services running will all play a part in how your production servers respond to being attacked via SYN flood.
 
LVL 3

Author Comment

by:gremwell
ID: 35148058
Thank you for your feedback, but my question is about Windows Server, not ISA nor other possible components of the network infrastructure.
 
LVL 3

Author Comment

by:gremwell
ID: 35148099
In fact I am looking for information about resilience of Windows Server to SYN flood to be able to fine tune SYN flood protection threshold on the firewall. I need to know what is the safe TCP SYN rate the firewall can pass through to Windows Server before it has to activate SYN flood protection. The protection feature on the firewall has a performance impact, so it is not desirable to have it active all the time.
LVL 62

Expert Comment

by:btan
ID: 35148153
SYN cookie protection is especially useful when the system is under a SYN flood attack and the source IP addresses of the SYN packets are also forged (a SYN spoofing attack).

For Windows, in general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.

It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size. Windows works on threshold settings though. SYN cookies are seen as stateless, as the state is embedded in the TCB packet, which in a way is self-contained; the host just needs to be able to interpret it. Both Linux and Windows have backlog adjustment on the TCP stack.

Therefore, the differentiator is the use of SYN cookies, which Windows does not have. I see this mechanism as more worthy, but nonetheless, depending on the deployment and the resources available, the threshold approach may suffice as the first layer and the cookie can act as the second layer.

Nonetheless, we should note that the success of such an attack depends on three important attack parameters for attaining a higher chance of success: the size of the barrage, the frequency with which barrages are generated, and the means of selecting IP addresses to spoof. SYN cookies would manage those.

check out this link
http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks
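The statelessness btan describes is easiest to see in code. The block below is an added illustration, not code from this thread or from any Windows or Linux component: a SYN cookie generator and validator in the spirit of the Linux layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash over the 4-tuple). The secret, the addresses, the MSS table and the 64-second tick are all constructed for the example. It then pushes spoofed SYNs through the listener to show that no half-open entry is ever stored and that an attacker who never sees the SYN-ACK cannot complete the handshake.

```python
import hashlib
import hmac
import socket
import struct

# Constructed for the example: a real host would use a random, rotated secret.
COOKIE_SECRET = b"example-cookie-secret"
# MSS values the 3-bit field can encode (constructed table); the server picks the
# largest entry that does not exceed what the client advertised in its SYN.
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64          # the 5-bit counter advances once per tick


def _mac24(src, dst, sport, dport, count, mss_idx):
    """24-bit keyed hash over the 4-tuple, the time counter and the MSS index."""
    msg = struct.pack("!4s4sHHIB", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, count, mss_idx)
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(client_mss):
    """Index of the largest table entry <= client_mss (index 0 if none fits)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i
    return idx


def make_cookie(src, dst, sport, dport, client_mss, now):
    """ISN for the SYN-ACK: 5 bits of counter, 3 bits of MSS index, 24 bits of MAC.
    Nothing about the client is stored; the ISN itself carries the state."""
    count = (int(now) // TICK_SECONDS) & 0x1F
    mss_idx = _mss_index(client_mss)
    return (count << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, count, mss_idx)


def check_cookie(src, dst, sport, dport, ack, now, max_age_ticks=1):
    """Validate the third-handshake ACK. Returns the negotiated MSS, or None if the
    cookie is stale or was not produced for this 4-tuple under our secret."""
    isn = (ack - 1) & 0xFFFFFFFF
    count, mss_idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    current = (int(now) // TICK_SECONDS) & 0x1F
    if ((current - count) & 0x1F) > max_age_ticks:
        return None                                    # too old: counter moved on
    expected = _mac24(src, dst, sport, dport, count, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                    # forged, replayed or wrong tuple
    return MSS_TABLE[mss_idx]


def flood_and_handshake(n_spoofed, server="192.0.2.10", port=80, now=1000):
    """Answer n_spoofed SYNs from forged sources, let the attacker guess an ACK for
    each (it never saw the SYN-ACK), then run one honest handshake.
    Returns counts showing the backlog stays empty and only the honest peer connects."""
    half_open_entries = 0        # a threshold-based stack would increment this per SYN
    spoofed_acks_accepted = 0
    for i in range(n_spoofed):
        src = "198.51.100.%d" % (i % 254 + 1)          # constructed spoofed sources
        sport = 1024 + i % 60000
        make_cookie(src, server, sport, port, 1460, now)   # SYN-ACK sent, nothing kept
        # The spoofed source never receives the SYN-ACK, so the attacker can only guess.
        if check_cookie(src, server, sport, port, i + 1, now) is not None:
            spoofed_acks_accepted += 1
    # Honest client: SYN, then ACK = ISN + 1 a couple of seconds later.
    isn = make_cookie("203.0.113.7", server, 40000, port, 1460, now)
    mss = check_cookie("203.0.113.7", server, 40000, port, isn + 1, now + 2)
    return {
        "spoofed_syns": n_spoofed,
        "half_open_entries": half_open_entries,
        "spoofed_acks_accepted": spoofed_acks_accepted,
        "honest_established": 1 if mss is not None else 0,
    }


if __name__ == "__main__":
    print(flood_and_handshake(100000))
```

The only cost of the scheme is what btan alludes to: options that do not fit in the ISN (window scaling, SACK) are lost for cookie-validated connections, which is why Linux engages cookies only once the real backlog is full rather than all the time.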
 
LVL 6

Accepted Solution

by:
Melannk24 earned 500 total points
ID: 35148289
I have never seen a defined "rate" number out there.  I think this is something you would have to test yourself and there are a ton of tools out there to test your own security settings.

Don't know if you are a member of TechNet, but it's a great resource for Windows wisdom.  See below:

Syn attack protection on Windows Vista, Windows 2008, Windows 7 and Windows 2008 R2
MuratKa1
1 Jun 2010 1:08 AM


Hi,

In this blog entry, I wanted to talk about some changes made in Syn attack protection on Windows Vista onwards systems.

Syn attack protection has been in place since Windows 2000 and is enabled by default since Windows 2003/SP1. In the earlier implementation (Windows 2000/Windows 2003), the syn attack protection mechanism was configurable via various registry keys (like SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried, TcpMaxPortsExhausted). With this previous version of syn attack protection, the TCPIP stack starts dropping new connection requests when the threshold values are met, regardless of how much system memory or CPU power is available to the system. As of Windows Vista and onwards (Vista/2008/Win 7/2008 R2), the syn attack protection algorithm has been changed in the following ways:

1) SynAttack protection is enabled by default and cannot be disabled!
 
2) SynAttack protection dynamically calculates the thresholds (of when it considers an attack has started) based on the number of CPU cores and memory available and hence it doesn’t expose any configurable parameters via registry, netsh etc.
 
3) Since the TCPIP driver goes into attack state based on the number of CPU cores and the amount of memory available, systems with more resources will start dropping new connection attempts later compared to systems with less resources. That was hard-coded (as per the configured registry settings) on pre-Vista systems, where the system was moved to attack state regardless of how much resources were available to the system. The new algorithm eliminates the need for any fine tuning and the TCPIP stack will self-tune to the best values possible depending on the available resources.

Hope this helps

Thanks,
Murat
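Murat's note explains why no published rate figure exists for Vista and later, but for the legacy threshold keys the relationship the asker is after is plain arithmetic. Under a spoofed flood no SYN-ACK is ever answered, so each SYN holds a backlog slot until the stack gives up on it, and the steady-state number of half-open entries is arrival rate times hold time (Little's law). The model below is an added example, not code from the thread or from Microsoft. The 3 s initial SYN-ACK retransmission timer and two retries are assumed, illustrative values, and TcpMaxHalfOpen = 100 is used only as a sample threshold; on Vista and later, where the threshold is computed dynamically, the same arithmetic applies once the threshold has been measured empirically on the box in question.

```python
import math
from collections import deque

# Illustrative timer values assumed for this example; the thread does not state
# them. SYN-ACK retransmitted after 3 s, doubling each time, two retries.
DEFAULT_RTO = 3.0
DEFAULT_RETRIES = 2


def hold_time(rto=DEFAULT_RTO, retries=DEFAULT_RETRIES):
    """Seconds a never-acknowledged half-open entry lives: the initial timer plus
    each doubled retransmission timer (3 + 6 + 12 = 21 s with the values above)."""
    return sum(rto * (2 ** i) for i in range(retries + 1))


def steady_state_half_open(syn_rate, hold):
    """Little's law: occupancy = arrival rate x residence time."""
    return syn_rate * hold


def rate_to_exceed(max_half_open, hold):
    """Spoofed SYNs per second needed to fill a backlog of max_half_open slots."""
    return max_half_open / hold


def firewall_threshold(max_half_open, hold, margin=0.8):
    """SYNs per second the firewall may pass before engaging its own SYN protection,
    keeping a safety margin under the server's threshold (the asker's tuning goal)."""
    return math.floor(margin * max_half_open / hold)


def simulate(syn_rate, hold, seconds, max_half_open):
    """Discrete 1 s simulation: every second syn_rate unanswered SYNs enter the
    backlog and leave again hold seconds later. Reports the peak occupancy and the
    first second at which the threshold was reached (None if it never was)."""
    backlog = deque()            # expiry times, oldest first
    peak, first_hit = 0, None
    for t in range(seconds):
        while backlog and backlog[0] <= t:     # entries the stack has given up on
            backlog.popleft()
        backlog.extend([t + hold] * syn_rate)  # this second's unanswered SYNs
        peak = max(peak, len(backlog))
        if first_hit is None and len(backlog) >= max_half_open:
            first_hit = t
    return {"peak": peak, "first_exceeded_at": first_hit}


if __name__ == "__main__":
    hold = hold_time()
    sample_threshold = 100                     # sample TcpMaxHalfOpen value
    print("hold time per half-open entry: %.0f s" % hold)
    print("SYN/s to fill the backlog: %.2f" % rate_to_exceed(sample_threshold, hold))
    print("firewall pass-through threshold: %d SYN/s" % firewall_threshold(sample_threshold, hold))
    for rate in (4, 5):
        print(rate, "SYN/s ->", simulate(rate, hold, 120, sample_threshold))
```

Because the hold time is the real lever, shortening the retransmission schedule (which is part of what SynAttackProtect does once it triggers) raises the rate needed to fill the backlog proportionally; the simulation lets you plug in the timers you actually observe on a test host rather than the assumed ones.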
 
LVL 3

Author Comment

by:gremwell
ID: 35152935
