TCP/IP Transmission Control Protocol/Internet Protocol

Resource: MSDN, April 2005 (Microsoft Corporation, published January 2004)

> TCPIP > Patterns&Practices > How To Harden the TCP Stack in the Windows 2000 Server

How To Harden the TCP Stack

Here we examine some of the points in TCP/IP networks that matter for protecting servers against attacks by hackers.

Note: the items described below apply only to Windows 2000 Server systems and must be attended to before the server is put into service.

To see the same information for Windows 2003 Server, click the link below.

How To Harden the TCP Stack In the Windows Server 2003 - Click Here

Objectives

Use this module to:

  • Harden your server's TCP/IP stack
  • Protect your servers from Denial of Service and other network based attacks
  • Enable SYN flood protection when an attack is detected
  • Set the threshold values that are used to determine what constitutes an attack

How To Use This Module

Some of the keys and values referred to in this module may not exist by default. In those cases, create the key, value, and value data.

For more details about the TCP/IP network settings that the registry for Windows 2000 controls, see the white paper "Microsoft Windows 2000 TCP/IP Implementation Details," at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/network/deploy/depovg/tcpip2k.asp

Note: These settings modify the way TCP/IP works on your server. The characteristics of your Web server will determine the best threshold to trigger denial of service countermeasures. Some values may be too restrictive for your clients' connections. Test this module's recommendations before you deploy them on a production server.

Some of the items below do not exist in the Registry by default; to use them you must create them.

Of the items listed in the Contents, items 1 to 5 are the ones we consider here.

TCP/IP is required for networking and for systems to communicate with one another. The TCP/IP v4 protocol is inherently insecure. For that reason Microsoft has built security measures for this problem into Windows 2000 Server. These take the form of keys in the Registry, and we cover some of the most important of them: measures against various attacks such as Denial of Service, which includes the SYN attack, the ICMP attack and the SNMP attack. These attacks can be counted among the most dangerous and most common, the SYN attack in particular.

What You Must Know

By changing various parameters in the Registry of your server's operating system, you can prevent the Denial of Service attacks mentioned above.

You can configure registry keys to:
  1. Enable SYN flood protection when an attack is detected.
  2. Set threshold values that are used to determine what constitutes an attack.

The system can be configured to defend against a SYN attack once it becomes aware of one.

Protect Against SYN Attacks

This attack method is very common because of a weakness in the protocol concerned, TCP/IP. It works as follows: the attacker sends a large number of TCP SYN requests to the server, creating a long queue of packets behind the network card. A hacker can do this with any of several programs. The result is that other users on the network can no longer establish a connection with the server, so the service they want from it is denied; this is the Denial of Service (DoS).

For more information about the SYN packet, see the Decoding TCP/IP section.

In the section below you can see that a value named SynAttackProtect can be created in the Registry and assigned data.

1. Enable SYN Attack Protection

The named value to enable SYN attack protection is located beneath the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0–2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

When you enter the value 2 and a SYN attack begins, the system responds with a timeout. How does the system know an attack is under way? If the number of SYN packets received from one or more parties exceeds the number specified in the two values TcpMaxHalfOpen or TcpMaxHalfOpenRetried, the system treats it as an attack.

2. Set SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. These keys and values are:

  • Value name: TcpMaxPortsExhausted

    Recommended value: 5

    Valid values: 0–65535

    Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

  • Value name: TcpMaxHalfOpen

    Recommended value data: 500

    Valid values: 100–65535

    Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When this threshold is exceeded, SYN flood protection is triggered.

  • Value name: TcpMaxHalfOpenRetried

    Recommended value data: 400

    Valid values: 80–65535

    Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When this threshold is exceeded, SYN flood protection is triggered.
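The following is an added model of the rules described in the SynAttackProtect and threshold sections above; it is example code written for this page, not Microsoft's TCPIP.SYS implementation. It tracks a listener's SYN_RCVD table, trips protection when the half-open count exceeds TcpMaxHalfOpen or the retried count exceeds TcpMaxHalfOpenRetried, and then retransmits SYN-ACKs fewer times so half-open entries time out sooner. The timer tick, the `ProtectedRetransmissions` figure, and protection switching off as soon as the counts fall back are assumptions of the model; the source addresses are constructed.

```python
"""Toy model of the SYN flood thresholds described in this module (added example)."""
from dataclasses import dataclass


@dataclass
class SynProtectConfig:
    # Field names mirror the registry values; defaults are the Table 1 data.
    SynAttackProtect: int = 2
    TcpMaxHalfOpen: int = 500
    TcpMaxHalfOpenRetried: int = 400
    TcpMaxConnectResponseRetransmissions: int = 2
    # Assumption: SYN-ACK retransmissions allowed while protection is active.
    ProtectedRetransmissions: int = 1


class Listener:
    """One listening socket's SYN_RCVD (half-open) table."""

    def __init__(self, cfg=None):
        self.cfg = cfg or SynProtectConfig()
        # (src_ip, src_port) -> number of SYN-ACK retransmissions sent so far
        self.half_open = {}
        self.protection_active = False
        self.dropped = 0
        self.established = 0

    def half_open_count(self):
        return len(self.half_open)

    def retried_count(self):
        # Connections in SYN_RCVD for which at least one SYN-ACK was resent.
        return sum(1 for sent in self.half_open.values() if sent >= 1)

    def _evaluate(self):
        # SynAttackProtect = 0 disables the countermeasure entirely.
        if self.cfg.SynAttackProtect == 0:
            self.protection_active = False
            return
        # Assumption: protection is active exactly while a threshold is exceeded.
        self.protection_active = (
            self.half_open_count() > self.cfg.TcpMaxHalfOpen
            or self.retried_count() > self.cfg.TcpMaxHalfOpenRetried
        )

    def on_syn(self, src):
        # New SYN: a SYN-ACK goes out (0 retransmissions yet), entry enters SYN_RCVD.
        self.half_open.setdefault(src, 0)
        self._evaluate()

    def on_ack(self, src):
        # Final ACK of the handshake: the connection leaves SYN_RCVD.
        if self.half_open.pop(src, None) is not None:
            self.established += 1
        self._evaluate()

    def on_retransmit_timer(self):
        # Each tick every pending SYN-ACK is resent once, unless the limit has
        # been reached, in which case the half-open entry is discarded.
        limit = (self.cfg.ProtectedRetransmissions if self.protection_active
                 else self.cfg.TcpMaxConnectResponseRetransmissions)
        for src in list(self.half_open):
            if self.half_open[src] >= limit:
                del self.half_open[src]
                self.dropped += 1
            else:
                self.half_open[src] += 1
        self._evaluate()


def flood(listener, count):
    """Deliver `count` SYNs from constructed sources that never complete the handshake."""
    for i in range(count):
        listener.on_syn(("203.0.113.%d" % (i % 254 + 1), 1024 + i))
    return listener


def ticks_until_table_empty(listener, max_ticks=10):
    """Timer ticks needed until every half-open entry has timed out."""
    for tick in range(1, max_ticks + 1):
        listener.on_retransmit_timer()
        if listener.half_open_count() == 0:
            return tick
    return None


if __name__ == "__main__":
    protected = flood(Listener(), 450)
    print("SynAttackProtect=2: ticks to clear", ticks_until_table_empty(protected))
    unprotected = flood(Listener(SynProtectConfig(SynAttackProtect=0)), 450)
    print("SynAttackProtect=0: ticks to clear", ticks_until_table_empty(unprotected))
```

With 450 stale half-open entries, the table crosses TcpMaxHalfOpenRetried after the first retransmission and clears on the second tick; with protection off it takes a third tick. The same shortened timeout hits genuine clients on slow links, which is the trade-off the Pitfalls section warns about.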

In the Set Additional Protections section you can see some of the other items available in the Registry.

Set Additional Protections

All the keys and values in this section are located under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. These keys and values are:
  • Value name: TcpMaxConnectResponseRetransmissions

    Recommended value data: 2

    Valid values: 0–255

    Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

  • Value name: TcpMaxDataRetransmissions

    Recommended value data: 2

    Valid values: 0–65535

    Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

  • Value name: EnablePMTUDiscovery

    Recommended value data: 0

    Valid values: 0, 1

    Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack. Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

  • Value name: KeepAliveTime

    Recommended value data: 300000

    Valid values: 80–4294967295

    Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

  • Value name: NoNameReleaseOnDemand

    Recommended value data: 1

    Valid values: 0, 1

    Description: Prevents the computer from releasing its NetBIOS name when it receives a name-release request.

Use the values summarized in Table 1 for maximum protection.

Table 1: Recommended Values

Value Name                              Value (REG_DWORD)
SynAttackProtect                        2
TcpMaxPortsExhausted                    1
TcpMaxHalfOpen                          500
TcpMaxHalfOpenRetried                   400
TcpMaxConnectResponseRetransmissions    2
TcpMaxDataRetransmissions               2
EnablePMTUDiscovery                     0
KeepAliveTime                           300000 (5 minutes)
NoNameReleaseOnDemand                   1

Protect Against ICMP Attacks

To prevent this type of attack as well, set the value specified at the address below to zero.

The named value in this section is under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters

Value: EnableICMPRedirect

Recommended value data: 0

Valid values: 0 (disabled), 1 (enabled)

Description: Modifying this registry value to 0 prevents the creation of expensive host routes when an ICMP redirect packet is received.

Use the value summarized in Table 2 for maximum protection.

Table 2: Recommended Values

Value Name                              Value (REG_DWORD)
EnableICMPRedirect                      0

Protect Against SNMP Attacks

To prevent this type of attack as well, set the value specified at the address below to zero.

The named value in this section is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Value: EnableDeadGWDetect

Recommended value data: 0

Valid values: 0 (disabled), 1 (enabled)

Description: Prevents an attacker from forcing the switch to a secondary gateway.

Use the value summarized in Table 3 for maximum protection.

Table 3: Recommended Values

Value Name                              Value (REG_DWORD)
EnableDeadGWDetect                      0

AFD.SYS Protections

The following keys specify parameters for the kernel mode driver Afd.sys. Afd.sys is used to support Windows sockets applications. All of the keys and values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters. These keys and values are:

  • Value: EnableDynamicBacklog

    Recommended value data: 1

    Valid values: 0 (disabled), 1 (enabled)

    Description: Specifies AFD.SYS functionality to withstand large numbers of SYN_RCVD connections efficiently. For more information, see "Internet Server Unavailable Because of Malicious SYN Attacks," at http://support.microsoft.com/default.aspx?scid=kb;en-us;142641.

  • Value name: MinimumDynamicBacklog

    Recommended value data: 20

    Valid values: 0–4294967295

    Description: Specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.

  • Value name: MaximumDynamicBacklog

    Recommended value data: 20000

    Valid values: 0–4294967295

    Description: Specifies the maximum total amount of both free connections plus those in the SYN_RCVD state.

  • Value name: DynamicBacklogGrowthDelta

    Recommended value data: 10

    Valid values: 0–4294967295

    Present by default: No

    Description: Specifies the number of free connections to create when additional connections are necessary.
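To make the interaction of the four AFD.SYS values concrete, here is an added model of the dynamic backlog as the descriptions above state it; it is example code for this page, not Microsoft's Afd.sys logic. When free connection objects on a listening endpoint drop below MinimumDynamicBacklog, DynamicBacklogGrowthDelta more are created, and free plus SYN_RCVD connections never exceed MaximumDynamicBacklog. Growth happening immediately (the text says a thread is queued), a released connection object returning to the free pool, and the `initial_free` size of a static backlog are assumptions of the model.

```python
"""Model of the AFD.SYS dynamic backlog parameters (added example, not Afd.sys code)."""


class DynamicBacklog:
    def __init__(self, enable=1, minimum=20, maximum=20000, delta=10, initial_free=None):
        # Parameter names mirror the AFD\Parameters values; defaults are the Table 4 data.
        self.enable = enable
        self.minimum = minimum
        self.maximum = maximum
        self.delta = delta
        # Assumption: a static backlog starts with `initial_free` objects; a dynamic
        # one starts at the minimum.
        self.free = minimum if initial_free is None else initial_free
        self.syn_rcvd = 0        # connections waiting in SYN_RCVD
        self.refused = 0         # SYNs that found no free connection object
        self.grow_events = 0     # how many times the pool was grown
        self._replenish()

    def total(self):
        return self.free + self.syn_rcvd

    def _replenish(self):
        # Only with EnableDynamicBacklog=1; grow by delta while below the minimum,
        # but never let free + SYN_RCVD exceed the maximum.
        if not self.enable:
            return
        while self.free < self.minimum and self.total() < self.maximum:
            grow = min(self.delta, self.maximum - self.total())
            self.free += grow
            self.grow_events += 1

    def on_syn(self):
        """A SYN arrives and needs one free connection object; False if none is left."""
        if self.free == 0:
            self.refused += 1
            return False
        self.free -= 1
        self.syn_rcvd += 1
        self._replenish()
        return True

    def on_handshake_done(self):
        """Handshake completes or times out: the SYN_RCVD slot is released."""
        if self.syn_rcvd:
            self.syn_rcvd -= 1
            self.free += 1   # assumption: the object returns to the free pool
        return self.syn_rcvd


def flood_until_refused(backlog, max_syns=100000):
    """Number of half-open connections the endpoint absorbs before refusing one."""
    for n in range(max_syns):
        if not backlog.on_syn():
            return n
    return max_syns


if __name__ == "__main__":
    print("static backlog of 5:", flood_until_refused(DynamicBacklog(enable=0, initial_free=5)))
    dynamic = DynamicBacklog(minimum=20, maximum=100, delta=10)
    print("dynamic, max 100:", flood_until_refused(dynamic), "after", dynamic.grow_events, "grows")
```

The maximum is what bounds memory under a flood: with MaximumDynamicBacklog at 20000 the endpoint can hold that many half-open entries, so the SYN thresholds in the previous section and this cap have to be sized together.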

Use the values summarized in Table 4 for maximum protection.

Table 4: Recommended Values

Value Name                              Value (REG_DWORD)
EnableDynamicBacklog                    1
MinimumDynamicBacklog                   20
MaximumDynamicBacklog                   20000
DynamicBacklogGrowthDelta               10


Additional Protections

All of the keys and values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Protect Screened Network Details

Network Address Translation (NAT) is used to screen a network from incoming connections. An attacker can circumvent this screen to determine the network topology using IP source routing.

Value: DisableIPSourceRouting

Recommended value data: 1

Valid values: 0 (forward all packets), 1 (do not forward Source Routed packets), 2 (drop all incoming source routed packets).

Description: Disables IP source routing, which allows a sender to determine the route a datagram should take through the network.

Avoid Accepting Fragmented Packets

Processing fragmented packets can be expensive. Although it is rare for a denial of service to originate from within the perimeter network, this setting prevents the processing of fragmented packets.

Value: EnableFragmentChecking

Recommended value data: 1

Valid values: 0 (disabled), 1 (enabled)

Description: Prevents the IP stack from accepting fragmented packets.

Do Not Forward Packets Destined for Multiple Hosts

Multicast packets may be responded to by multiple hosts, resulting in responses that can flood a network.

Value: EnableMulticastForwarding

Recommended value data: 0

Valid range: 0 (false), 1 (true)

Description: The routing service uses this parameter to control whether or not IP multicasts are forwarded. This parameter is created by the Routing and Remote Access Service.

Only Firewalls Forward Packets Between Networks

A multi-homed server must not forward packets between the networks it is connected to. The obvious exception is the firewall.

Value: IPEnableRouter

Recommended value data: 0

Valid range: 0 (false), 1 (true)

Description: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected.

Mask Network Topology Details

The subnet mask of a host can be requested using ICMP packets. This disclosure of information by itself is harmless; however, the responses of multiple hosts can be used to build knowledge of the internal network.

Value: EnableAddrMaskReply

Recommended value data: 0

Valid range: 0 (false), 1 (true)

Description: This parameter controls whether the computer responds to an ICMP address mask request.

Use the values summarized in Table 5 for maximum protection.

Table 5: Recommended Values

Value Name                              Value (REG_DWORD)
DisableIPSourceRouting                  1
EnableFragmentChecking                  1
EnableMulticastForwarding               0
IPEnableRouter                          0
EnableAddrMaskReply                     0

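Since Tables 1 to 5 are what the module says to apply, a defender needs a repeatable way to check a server against them. The script below is an added example for this page, not part of the Patterns & Practices module or any Microsoft tool: it parses a .reg export of the relevant keys (such as one made with regedit's export function), reports every recommended value that is missing or differs, and emits the .reg lines that would correct the findings. The export embedded in it is constructed. Key paths are the script's own assumption where the page only says "Services": the TCP values, including EnableICMPRedirect, are placed under Tcpip\Parameters, where TCPIP.SYS reads them, and NoNameReleaseOnDemand under NetBT\Parameters, where NetBT reads it. TcpMaxPortsExhausted uses the Table 1 figure (1), although the prose in section 2 recommends 5.

```python
"""Audit a .reg export against the module's recommended values (added example)."""
import re
from collections import namedtuple

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
TCPIP = SERVICES + r"\Tcpip\Parameters"   # assumed location of the TCP values
AFD = SERVICES + r"\AFD\Parameters"
NETBT = SERVICES + r"\NetBT\Parameters"   # assumed location of NoNameReleaseOnDemand

# (key, value name) -> recommended REG_DWORD data, taken from Tables 1-5.
RECOMMENDED = {
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "TcpMaxPortsExhausted"): 1,          # Table 1 figure; the prose says 5
    (TCPIP, "TcpMaxHalfOpen"): 500,
    (TCPIP, "TcpMaxHalfOpenRetried"): 400,
    (TCPIP, "TcpMaxConnectResponseRetransmissions"): 2,
    (TCPIP, "TcpMaxDataRetransmissions"): 2,
    (TCPIP, "EnablePMTUDiscovery"): 0,
    (TCPIP, "KeepAliveTime"): 300000,
    (NETBT, "NoNameReleaseOnDemand"): 1,
    (TCPIP, "EnableICMPRedirect"): 0,
    (TCPIP, "EnableDeadGWDetect"): 0,
    (AFD, "EnableDynamicBacklog"): 1,
    (AFD, "MinimumDynamicBacklog"): 20,
    (AFD, "MaximumDynamicBacklog"): 20000,
    (AFD, "DynamicBacklogGrowthDelta"): 10,
    (TCPIP, "DisableIPSourceRouting"): 1,
    (TCPIP, "EnableFragmentChecking"): 1,
    (TCPIP, "EnableMulticastForwarding"): 0,
    (TCPIP, "IPEnableRouter"): 0,
    (TCPIP, "EnableAddrMaskReply"): 0,
}

Finding = namedtuple("Finding", "key name actual recommended")   # actual is None if missing

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$')


def parse_reg_export(text):
    """Return {(key, name): int} for every dword value in a .reg export (names lower-cased)."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = _DWORD_LINE.match(line)
        if m and key is not None:
            values[(key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values


def audit(values, recommended=RECOMMENDED):
    """Findings for recommended values that are absent or differ; registry names are case-insensitive."""
    findings = []
    for (key, name), want in recommended.items():
        have = values.get((key.lower(), name.lower()))
        if have != want:
            findings.append(Finding(key, name, have, want))
    return findings


def remediation_reg(findings):
    """A .reg fragment that sets every finding to its recommended data."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        lines.append("[%s]" % key)
        lines.extend('"%s"=dword:%08x' % (f.name, f.recommended) for f in by_key[key])
        lines.append("")
    return "\n".join(lines)


# Constructed export of a partly hardened server (not from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"TcpMaxHalfOpen"=dword:000001f4
"TcpMaxHalfOpenRetried"=dword:00000190
"EnableICMPRedirect"=dword:00000001
"EnablePMTUDiscovery"=dword:00000000
"KeepAliveTime"=dword:000493e0
"IPEnableRouter"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"EnableDynamicBacklog"=dword:00000001
"MinimumDynamicBacklog"=dword:00000014
"MaximumDynamicBacklog"=dword:00004e20
"DynamicBacklogGrowthDelta"=dword:0000000a
"""

if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_EXPORT)):
        state = "missing" if f.actual is None else "is %d" % f.actual
        print("%-40s %s, recommended %d" % (f.name, state, f.recommended))
    print(remediation_reg(audit(parse_reg_export(SAMPLE_EXPORT))))
```

Run it against a fresh export before and after applying the changes, and keep the remediation fragment with the change record; the Pitfalls section's advice to test under production volumes applies to the fragment as much as to hand-made edits.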

Pitfalls

When testing the changes of these values, test against the network volumes you expect in production. These settings modify the thresholds of what is considered normal and are deviating from the tested defaults. Some may be too narrow to support clients reliably if the connection speed from clients varies greatly.

Additional Resources

Harden-it Application

The settings described above can also be applied with the Harden-it program, which works as a wizard.

This program can be found under various names on the Internet; it is available on the Webattack.com site.

Figure 1.1: Harden-it Application (Wizard)

This wizard changes all the Registry entries described above, as the Admin chooses.

LastUpdate: 2005/08/15