Solved

windows servers and syn flood attacks

Posted on 2011-03-15
3,940 Views
Last Modified: 2012-05-11
I would like to know how resilient a Windows server is to TCP SYN flood attacks. I know modern Linux kernels have SYN cookies, which makes them pretty much invincible to SYN floods, but Windows seems to lack this feature. So my question is: how to determine how many packets per second an attacker would need to send to disrupt a service?

I have found information about how to harden the network stack (http://support.microsoft.com/kb/324270). OK, it makes the server more resilient to an attack, but how resilient?
0
Question by:gremwell
6 Comments
 
LVL 6

Expert Comment

by:Melannk24
ID: 35148020
Each environment is going to be different.  For example, most properly configured firewalls will recognize a SYN flood, even a throttled one, and drop packets.  However, any network that has enough connections thrown at it without upstream mitigation (intervention from the ISP) will get DDoS'd.  

You speak of Windows; many MS Windows environments use MS ISA Server as a web proxy and firewall solution.  By default, ISA Server limits the number of concurrent half-open TCP connections to half the configured limit for concurrent TCP connections.

So the Windows OS installed, the firewall solutions in place (both HW and SW) and any other kind of defense-in-depth security services running will all play a part in how your production servers respond to being attacked via SYN flood.
0
 
LVL 3

Author Comment

by:gremwell
ID: 35148058
Thank you for your feedback, but my question is about Windows Server, not ISA nor other possible components of the network infrastructure.
0
 
LVL 3

Author Comment

by:gremwell
ID: 35148099
In fact I am looking for information about the resilience of Windows Server to SYN flood to be able to fine-tune the SYN flood protection threshold on the firewall. I need to know what the safe TCP SYN rate is that the firewall can pass through to Windows Server before it has to activate SYN flood protection. The protection feature on the firewall has a performance impact, so it is not desirable to have it active all the time.
0
 
LVL 64

Expert Comment

by:btan
ID: 35148153
SYN cookie protection is especially useful when the system is under a SYN flood attack and the source IP addresses of the SYN packets are also forged (a SYN spoofing attack).

For Windows, in general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.

It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size. Windows works on threshold settings though. SYN cookies are seen as stateless, as the state is embedded in the TCB packet, which in a way is self-contained; the host just needs to be able to interpret it. Both Linux and Windows have backlog adjustment on the TCP stack.

Therefore, the differentiator is the use of SYN cookies, which Windows does not have. I see this mechanism as more worthy, but nonetheless, depending on deployment and resources available, the threshold approach may suffice as a first layer and the cookies act as a second layer.

Nonetheless, we should note that the success of such an attack depends on three important parameters: the size of the barrage, the frequency with which barrages are generated, and the means of selecting IP addresses to spoof. SYN cookies would manage those.

check out this link
http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks
0
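To make the "stateless" property in the comment above concrete, here is an added illustration (not code from the thread or from any OS stack) of a SYN-cookie listener: the server encodes a 64-second tick, an MSS table index and a keyed 24-bit MAC over the 4-tuple into its SYN-ACK sequence number, keeps nothing, and only allocates state when a final ACK carries a cookie that verifies. The cookie layout mirrors the Linux scheme, but the MAC, the secret, the MSS table values and the sample addresses are assumptions chosen for the demo.

```python
"""SYN-cookie listener demo (added illustration, not from the page).
Layout of the 32-bit server ISN: 5-bit tick | 3-bit MSS index | 24-bit MAC."""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # assumed table; index must fit in 3 bits
MAX_COOKIE_AGE_TICKS = 2              # reject cookies older than 2 x 64 s
SECRET = b"demo-secret-rotate-me"     # constructed; a real stack rotates this


def _tick(now):
    """64-second counter, 5 bits wide, so it wraps every ~34 minutes."""
    return (int(now) // 64) & 0x1F


def _mac(saddr, daddr, sport, dport, client_isn, tick):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the tick."""
    msg = (ipaddress.ip_address(saddr).packed
           + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHII", sport, dport, client_isn, tick))
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, daddr, sport, dport, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK; all handshake state lives in this value."""
    tick = _tick(now)
    idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client MSS
        if mss <= client_mss:
            idx = i
    mac = int.from_bytes(_mac(saddr, daddr, sport, dport, client_isn, tick), "big")
    return (tick << 27) | (idx << 24) | mac


def check_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the client's final ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF          # our ISN was ack - 1
    client_isn = (seq - 1) & 0xFFFFFFFF      # the client's ISN was seq - 1
    tick = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if ((_tick(now) - tick) & 0x1F) > MAX_COOKIE_AGE_TICKS:
        return None                           # stale cookie (or late replay)
    expected = _mac(saddr, daddr, sport, dport, client_isn, tick)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(got, expected):
        return None                           # forged, or wrong 4-tuple
    return MSS_TABLE[idx]


class CookieListener:
    """Minimal listener: SYNs allocate nothing, only validated ACKs do."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}
        self.half_open = 0   # stays zero by construction; there is no SYN queue

    def on_syn(self, saddr, sport, client_isn, client_mss, now):
        # Answer with a SYN-ACK whose ISN is the cookie; store nothing.
        return make_cookie(saddr, self.addr, sport, self.port,
                           client_isn, client_mss, now)

    def on_ack(self, saddr, sport, seq, ack, now):
        mss = check_cookie(saddr, self.addr, sport, self.port, seq, ack, now)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss


def demo():
    """Spoofed flood costs no memory; a real client still connects."""
    srv = CookieListener("10.0.0.5", 443)
    now = 1_700_000_000
    # 50k SYNs from spoofed sources that will never ACK (constructed flood).
    for i in range(50_000):
        srv.on_syn(str(ipaddress.IPv4Address(0x0A000000 + i)), 40000, i, 1460, now)
    # A legitimate client completes the handshake within the cookie lifetime.
    isn = srv.on_syn("203.0.113.9", 51234, 0x1234, 1440, now)
    legit = srv.on_ack("203.0.113.9", 51234, 0x1234 + 1, isn + 1, now + 30)
    forged = srv.on_ack("203.0.113.9", 51234, 0x1234 + 1, isn ^ 0x55, now + 30)
    stale = srv.on_ack("203.0.113.9", 51234, 0x1234 + 1, isn + 1, now + 64 * 5)
    return srv.half_open, len(srv.established), legit, forged, stale


if __name__ == "__main__":
    print(demo())
```

The trade-off the comment hints at is visible in `check_cookie`: because the only state is the ISN, the server cannot remember options the client offered (window scaling, SACK), and the MSS survives only as a coarse table index. That is why a threshold approach as a first layer, with cookies engaged only under load, is the common compromise.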
 
LVL 6

Accepted Solution

by:
Melannk24 earned 500 total points
ID: 35148289
I have never seen a defined "rate" number out there.  I think this is something you would have to test yourself and there are a ton of tools out there to test your own security settings.

Don't know if you are member of TechNet, but it's a great resource for Windows wisdom.  See below:

Syn attack protection on Windows Vista, Windows 2008, Windows 7 and Windows 2008 R2
MuratKa1
1 Jun 2010 1:08 AM


Hi,

In this blog entry, I wanted to talk about some changes made in Syn attack protection on Windows Vista onwards systems.

Syn attack protection has been in place since Windows 2000 and has been enabled by default since Windows 2003 SP1. In the earlier implementation (Windows 2000/Windows 2003), the syn attack protection mechanism was configurable via various registry keys (like SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried, TcpMaxPortsExhausted). With this previous version of syn attack protection, the TCPIP stack starts dropping new connection requests when the threshold values are met, regardless of how much system memory or CPU power is available to the system. As of Windows Vista and onwards (Vista/2008/Win 7/2008 R2), the syn attack protection algorithm has been changed in the following ways:

1) SynAttack protection is enabled by default and cannot be disabled!
 
2) SynAttack protection dynamically calculates the thresholds (of when it considers an attack has started) based on the number of CPU cores and the memory available, and hence it doesn't expose any configurable parameters via registry, netsh etc.
 
3) Since the TCPIP driver goes into attack state based on the number of CPU cores and the amount of memory available, systems with more resources will start dropping new connection attempts later compared to systems with less resources. That was hard-coded (as per the configured registry settings) on pre-Vista systems, where the system was moved to attack state regardless of how many resources were available to the system. The new algorithm eliminates the need for any fine tuning, and the TCPIP stack will self-tune to the best values possible depending on the available resources.

Hope this helps

Thanks,
Murat
0
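Since the accepted answer's conclusion is "measure it yourself", here is an added example (not from the thread) of the measurement side: it parses a Windows `netstat -an` snapshot, counts SYN_RECEIVED entries against the TcpMaxHalfOpen threshold, flags the one-half-open-per-source pattern of a spoofed flood, and estimates from Little's law the SYN rate needed to hold the stack at that threshold, which is the number the asker wants for the firewall setting. The sample netstat text is constructed, the default threshold of 500 is a placeholder (read the real value from the Tcpip\Parameters key on pre-Vista systems per KB 324270; Vista and later ignore it), and the 21-second half-open lifetime in the usage is an assumed figure to be measured on the target.

```python
"""Half-open connection census from a Windows 'netstat -an' snapshot.
Added illustration; threshold and lifetime values are assumptions."""
import math
import re
from collections import Counter

# Windows netstat rows: Proto, Local Address, Foreign Address, State.
# Greedy \S+ backtracks correctly for IPv6 forms such as [::]:135.
_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

# Constructed sample, not a real capture.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           203.0.113.9:51234      ESTABLISHED
  TCP    10.0.0.5:443           198.51.100.7:40001     SYN_RECEIVED
  TCP    10.0.0.5:443           198.51.100.8:40002     SYN_RECEIVED
  TCP    10.0.0.5:443           198.51.100.9:40003     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.9:40004     SYN_RECEIVED
  UDP    0.0.0.0:500            *:*
"""


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)),
                         m.group(3), int(m.group(4)), m.group(5)))
    return rows


def half_open_census(text, tcp_max_half_open=500):
    """Summarise half-open load in one snapshot against the configured
    TcpMaxHalfOpen (placeholder default; read the registry for yours)."""
    rows = parse_netstat(text)
    half_open = [r for r in rows if r[4] == "SYN_RECEIVED"]
    n = len(half_open)
    per_port = Counter(r[1] for r in half_open)
    per_src = Counter(r[2] for r in half_open)
    return {
        "half_open": n,
        "established": sum(1 for r in rows if r[4] == "ESTABLISHED"),
        "busiest_port": per_port.most_common(1)[0][0] if n else None,
        "distinct_sources": len(per_src),
        "headroom": tcp_max_half_open - n,
        # Spoofed floods show every source once; real clients retry from
        # the same address. The 20-entry floor is an assumed noise cut-off.
        "likely_spoofed": n >= 20 and len(per_src) == n,
    }


def syns_per_second_to_trip(tcp_max_half_open, half_open_lifetime_s):
    """Little's law: steady-state half-open count = SYN rate x lifetime.
    A flood of never-completed SYNs therefore needs about
    threshold / lifetime SYN/s to pin the stack at its threshold.
    Lifetime is how long a SYN_RECEIVED entry survives before the stack
    gives up on the SYN-ACK; measure it (KB 324270's
    TcpMaxConnectResponseRetransmissions shortens it on pre-Vista)."""
    return math.ceil(tcp_max_half_open / half_open_lifetime_s)


if __name__ == "__main__":
    print(half_open_census(SAMPLE))
    # Assumed 21 s lifetime and 500 threshold -> ~24 SYN/s to trip.
    print(syns_per_second_to_trip(500, 21), "SYN/s")
```

Run the census on two snapshots a few seconds apart while replaying a known SYN rate in a lab and the measured half-open growth gives the lifetime term directly; the firewall threshold can then sit somewhat below the rate `syns_per_second_to_trip` returns for the production box. On Vista and later the threshold itself is not readable, so the same two-snapshot method is the only way to find where a given machine starts dropping.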
