tcpIQ Denial of Service Attack Inhibitor Lessens effect of SYN-ACK, SYN flood and DoS attacks

Denial of Service Attack Inhibitor

Few people know that a handful of registry settings can dramatically reduce the chances of your server falling prey to a denial of service attack (DoS). Worse, the people that do know about these settings will probably want to charge you several thousand dollars to set them for you - and then try to sell you another firewall product.

Use the form below to create a 'reg' file that will be downloaded to your computer. You should first back up your registry, inspect the reg file (just to confirm that we are not resetting your home page) and then double-click on it. This will install the settings into your computer's registry. You will then need to reboot.

Types of DoS Attacks

These settings will prevent three types of DoS attack (Router Discovery spoofing, ICMP Redirects, NetBIOS Name Release On Demand) and will greatly lessen the effect of SYN flooding. Also, the operating system will be configured to be more sympathetic to network resources, especially during attacks (Max MTU Discovery, disabling of dead gateway detection, and connection keep-alive requests).

These settings are not Internet snake oil. We took most of the information from a little known Microsoft web page. The information can also be found at several other sources although not all of them are accurate or complete.

We have endeavored to provide a full description of what these settings do so that even the most novice of system administrators will understand their effects.

And best of all, it's free and we won't try to sell you a firewall - but we do have lots of other really good products. :-)

Caveat Emptor

NOTE 1: This tool should only be one of the many steps in securing a computer against the wilds of the Internet. This will only help against DoS attacks. See this and this for more information on securing a server.

NOTE 2: These settings can be used on any Windows 2000 or Windows Server 2003 computer. The effect of these settings on any other operating system, including Windows XP, is not known, and they should not be applied there.

NOTE 3: These settings reduce the effects of a Denial of Service attack. There is no benefit in applying these settings to a computer that is not susceptible to DoS attacks, for example because it is not connected to the Internet or it is on a non-routable IP address.

NOTE 4: These settings will not guarantee that your server will not go down during an attack. These settings will simply make your computer a much more difficult target to hit. Even Microsoft's servers go down during a concerted distributed DoS attack.

NOTE 5: Although we have made every effort to ensure that this tool works as expected, it is to be used at your own risk.

Denial of Service Attack Inhibitor

Syn Attack Protection (SynAttackProtect)

Syn Attack Protection is a special mode the operating system goes into when it identifies that it is under a SYN attack. This mode is activated when either Tcp Max Half Open or Tcp Max Half Open Retried are triggered (see below).

Syn Attack Protection has three modes: no protection, good protection and full protection. With no protection the operating system does not behave any differently during an attack. With 'good protection', the number of retransmission retries is decreased and the allocation of memory to handle the connection is delayed until the connection is fully established. Normally this memory is allocated when the initial SYN is received.

Full protection extends good protection by including a 'delayed indication to Winsock'. We do not know what this is and a search of the Internet suggests no one else knows either. Any suggestions would be greatly appreciated!

Tcp Max Half Open (TcpMaxHalfOpen)
Syn Attack Protection is activated when the number of 'half open' connections exceeds this setting. A connection is considered to be half open after the server has sent the SYN-ACK (in response to a SYN) but before the ACK is received. The default value of this setting is most appropriate, but it differs depending on which operating system you have.

Tcp Max Half Open Retried (TcpMaxHalfOpenRetried)
After the server has sent the SYN-ACK and no ACK comes back, the SYN-ACK is sent again. When the total number of these retransmitted SYN-ACKs outstanding at any one time exceeds this setting, Syn Attack Protection is activated. The default value of this setting is most appropriate, but it differs depending on which operating system you have.

Enable Path Maximum Transmission Unit Discovery (EnablePMTUDiscovery)
Internet traffic is sent in packets but not all Internet devices like routers, gateways and hubs can handle packets of the same size. If a packet needs to be split in two to squeeze through a device then extra Internet traffic is produced that may further slow devices that are under the stress due to a DoS attack. If this option is enabled then the operating system will attempt to determine the maximum packet size (or maximum MTU) without the need to split (or fragment) the packets.

Enable Dead Gateway Detection (EnableDeadGWDetect)
With Windows you can specify an alternative gateway that is to be used if the primary gateway is unavailable. This option is enabled by default. During a DoS attack the primary gateway may be swamped with so much activity that it appears to be dead. If the operating system is allowed to use the alternative gateway then it may swamp this one too, effectively taking out another Internet resource.

Connection Keep Alive Time (KeepAliveTime)
A client can establish a connection and choose not to send any data. If the client has hostile intent it can drop this connection without telling the server. The server will learn of this 2 hours later (the default) when it sends a 'Keep Alive' request and the client does not respond. Only then will the connection be considered dead and its resources freed. Microsoft recommends that you change this value to 300000 mSecs (5 min). If this computer is simply a web server then we would suggest that this is still too large and it should be set to a smaller value.

No Name Release On Demand (NoNameReleaseOnDemand)
NetBIOS is a protocol used by computers to access each other over a network. When you use Network Neighborhood you are making use of NetBIOS. The NetBIOS protocol is unauthenticated, which means that every computer inherently trusts every other computer on the network. One computer can send a false message to another computer insisting that its name is not unique. In this situation the target computer may become unavailable to other computers on the network (or Internet). By setting this value to 'Enabled' the operating system ignores messages suggesting that its name is not unique.

Perform Router Discovery (PerformRouterDiscovery)
Routers periodically re-introduce themselves to their neighbouring routers. These advertisements enable new routers to find out who their neighbours are and existing routers to discover who is dead. If this option is enabled then spoofed router advertisements can override the operating system defaults, forcing packets to be sent through the wrong route.

Enable ICMP Redirects (EnableICMPRedirects)
When a packet is sent to a router and that router knows of a better way for the packet to go, it will post the sender a message (an ICMP Redirect). The sender can then update its routing table information. The problem occurs when the ICMP Redirect packet contains erroneous information sent by someone with hostile intent. The unsuspecting router will update its routing tables with incorrect information. By disabling this setting the operating system will not change its routing table when ICMP Redirects are received.
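As an added example (not part of the tcpIQ tool), here is the inspection step the Introduction recommends before double-clicking the reg file: a Python script that parses a generated .reg file and checks it against the settings described above. The registry key paths, the singular value name EnableICMPRedirect, and the sample file are this example's assumptions, not taken from the page.

```python
import re
# Registry paths are this example's assumption (the page does not print them):
# NoNameReleaseOnDemand lives under NetBT, the other values under Tcpip.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
# Hardened values as the page describes them; KeepAliveTime is 5 min in ms.
EXPECTED = {
    (TCPIP, "SynAttackProtect"): 2,        # full protection
    (TCPIP, "EnablePMTUDiscovery"): 1,
    (TCPIP, "EnableDeadGWDetect"): 0,
    (TCPIP, "KeepAliveTime"): 300000,
    (TCPIP, "PerformRouterDiscovery"): 0,
    (TCPIP, "EnableICMPRedirect"): 0,      # registry value name is singular
    (NETBT, "NoNameReleaseOnDemand"): 1,
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Return (keys touched, {(key, value name): int}) for a .reg file's DWORDs."""
    keys, values, key = set(), {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            keys.add(key)
        elif key is not None and (m := DWORD_RE.match(line)):
            values[(key, m.group(1))] = int(m.group(2), 16)
    return keys, values

def audit_reg(text):
    """Grade each DWORD 'ok'/'mismatch', list omitted settings and foreign keys."""
    keys, values = parse_reg(text)
    findings = {e: "ok" if v == EXPECTED.get(e) else "mismatch" for e, v in values.items()}
    missing = sorted(e for e in EXPECTED if e not in values)
    foreign = sorted(keys - {TCPIP, NETBT})   # anything beyond the two TCP/IP keys
    return findings, missing, foreign

# Constructed sample: KeepAliveTime left at the 2-hour default (0x6DDD00 ms), two
# settings omitted, and a stray browser key that a hardening file should not touch.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"EnablePMTUDiscovery"=dword:00000001
"KeepAliveTime"=dword:006ddd00
"PerformRouterDiscovery"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NoNameReleaseOnDemand"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"""
```

A "Version 5.00" file exported by regedit is UTF-16, so read it with encoding='utf-16' before passing its text to audit_reg.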

tcp/IQ is part of the Sigma Solutions group (Internet protocol analysis). (c) Copyright 2009.