Solved

windows servers and syn flood attacks

Posted on 2011-03-15
3,707 Views
Last Modified: 2012-05-11
I would like to know how resilient a Windows server is to TCP SYN flood attacks. I know modern Linux kernels have SYN cookies, which makes them pretty much invincible to SYN flood, but Windows seems to lack this feature. So my question is: how to determine how many packets per second an attacker would need to send to disrupt a service?

I have found information about how to harden the network stack http://support.microsoft.com/kb/324270. Ok, it makes the server more resilient to an attack, but how resilient?
Question by:gremwell
6 Comments
 
LVL 6

Expert Comment

by:Melannk24
Each environment is going to be different.  For example, most properly configured firewalls will recognize a SYN flood, even a throttled one, and drop packets.  However, any network will get DDoS'd if enough connections are thrown at it without upstream mitigation (intervention from the ISP).  

You speak of Windows; many MS Windows environments use MS ISA Server as a web proxy and firewall solution.  By default, ISA Server limits the number of concurrent half-open TCP connections to half the configured number of concurrent TCP connections.

So the Windows OS installed, the firewall solutions in place (both HW and SW) and any other kind of in-depth security services running will all play a part in how your production servers respond to being attacked via SYN flood.
0
 
LVL 3

Author Comment

by:gremwell
Thank you for your feedback, but my question is about Windows Server, not ISA nor other possible components of the network infrastructure.
0
 
LVL 3

Author Comment

by:gremwell
In fact I am looking for information about the resilience of Windows Server to SYN flood to be able to fine-tune the SYN flood protection threshold on the firewall. I need to know what the safe TCP SYN rate is that the firewall can pass through to Windows Server before it has to activate SYN flood protection. The protection feature on the firewall has a performance impact, so it is not desirable to have it active all the time.
0
 
LVL 61

Expert Comment

by:btan
SYN cookie protection is especially useful when the system is under a SYN flood attack and the source IP addresses of the SYN packets are also forged (a SYN spoofing attack).

For Windows, in general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.

It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size. Windows works on threshold settings, though. A SYN cookie is seen as stateless, as the state is embedded in the TCB packet, which in a way is self-contained; just that the host needs to be able to interpret it. Both Linux and Windows have backlog adjustment on the TCP stack.

Therefore, the differentiator is the use of SYN cookies, which Windows does not have. I see this mechanism as more worthy, but nonetheless, depending on deployment and resources available, the threshold approach may suffice as a first layer and the cookie act as a second layer.

Nonetheless, we should note that three important attack parameters for attaining higher chances of success are the size of the barrage, the frequency with which barrages are generated, and the means of selecting IP addresses to spoof. SYN cookies would manage those.

Check out this link:
http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks
0
 
LVL 6

Accepted Solution

by: Melannk24 (earned 500 total points)
I have never seen a defined "rate" number out there.  I think this is something you would have to test yourself, and there are a ton of tools out there to test your own security settings.

Don't know if you are a member of TechNet, but it's a great resource for Windows wisdom.  See below:

Syn attack protection on Windows Vista, Windows 2008, Windows 7 and Windows 2008 R2
MuratKa1
1 Jun 2010 1:08 AM


Hi,

In this blog entry, I wanted to talk about some changes made in Syn attack protection on Windows Vista onwards systems.

Syn attack protection has been in place since Windows 2000 and is enabled by default since Windows 2003/SP1. In the earlier implementation (Windows 2000/Windows 2003), the syn attack protection mechanism was configurable via various registry keys (like SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried, TcpMaxPortsExhausted). With this previous version of syn attack protection, the TCPIP stack starts dropping new connection requests when the threshold values are met, regardless of how much system memory or CPU power is available to the system. As of Windows Vista and onwards (Vista/2008/Win 7/2008 R2), the syn attack protection algorithm has been changed in the following ways:

1) SynAttack protection is enabled by default and cannot be disabled!
 
2) SynAttack protection dynamically calculates the thresholds (of when it considers an attack has started) based on the number of CPU cores and memory available and hence it doesn’t expose any configurable parameters via registry, netsh etc.
 
3) Since the TCPIP driver goes into attack state based on the number of CPU cores and the amount of memory available, systems with more resources will start dropping new connection attempts later compared to systems with fewer resources. That was hard-coded (as per the configured registry settings) on pre-Vista systems, where the system was moved to attack state regardless of how many resources were available to the system. The new algorithm eliminates the need for any fine tuning, and the TCPIP stack will self-tune to the best values possible depending on the available resources.

Hope this helps

Thanks,
Murat
0
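An added example, not part of the thread or the quoted blog: a PowerShell snippet to read the pre-Vista registry thresholds named above and measure the server's current half-open (SYN_RECEIVED) load per port, so the firewall's SYN rate can be tuned from observation on the actual server. The registry path and the netstat column layout are assumptions about a typical Windows 2003/2008 host; the cmdlets used are standard.

```powershell
# Added example: measure half-open TCP load and show SynAttackProtect thresholds.
# Assumption: the TCP/IP parameters live under the usual Tcpip\Parameters key.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$keys   = 'SynAttackProtect','TcpMaxHalfOpen','TcpMaxHalfOpenRetried','TcpMaxPortsExhausted'
$props  = Get-ItemProperty -Path $params

Write-Host "SYN protection registry values (absent = OS default, or dynamic on Vista+):"
foreach ($k in $keys) {
    $v = $props.$k
    if ($null -eq $v) { "  {0,-24} (not set)" -f $k } else { "  {0,-24} {1}" -f $k, $v }
}

# Parse netstat instead of Get-NetTCPConnection so this also works on 2003/2008.
# Columns assumed: Proto  Local Address  Foreign Address  State  PID
$halfOpen = netstat -ano -p tcp |
    Where-Object { $_ -match 'SYN_RECEIVED' } |
    ForEach-Object {
        $f = $_.Trim() -split '\s+'
        [pscustomobject]@{
            # Take the text after the last ':' so IPv6 addresses in brackets still parse.
            LocalPort = $f[1].Substring($f[1].LastIndexOf(':') + 1)
            Remote    = $f[2].Substring(0, $f[2].LastIndexOf(':'))
        }
    }

$total = @($halfOpen).Count
Write-Host ("Half-open connections right now: {0}" -f $total)
@($halfOpen) | Group-Object LocalPort | Sort-Object Count -Descending | ForEach-Object {
    # Many distinct sources for one port is the spoofed-SYN pattern the thread describes.
    $distinct = @($_.Group.Remote | Sort-Object -Unique).Count
    "  port {0,-6} half-open={1,-5} distinct sources={2}" -f $_.Name, $_.Count, $distinct
}

# On 2000/2003 the stack enters attack state once TcpMaxHalfOpen is reached (KB 324270).
if ($props.TcpMaxHalfOpen -and $total -ge $props.TcpMaxHalfOpen) {
    Write-Warning "Half-open count has reached TcpMaxHalfOpen; SynAttackProtect would engage."
}
```

Run it in a loop (for example every few seconds during a load test) and compare the peak half-open count against the firewall's SYN threshold to find the rate the server absorbs before its own protection kicks in.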