How to protect Windows server from SYN flood
A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.
Windows Server 2003 R2 – SYN flooding attack protection is enabled by default.
Windows Server 2008 – SYN flooding attack protection is enabled by default, but independent sources recommend additional registry settings to catch spoofed traffic that may slip past SynAttackProtect:
To protect the network against SYN attacks, follow the steps below:
1) First, back up your server and registry settings before making any registry edits.
2) Open the Registry Editor and go to this registry path:
Set the following value:

Value Name         Data Type   Set Value
SynAttackProtect   REG_DWORD   2

This causes TCP to adjust the retransmission of SYN-ACKs. When this value is set, connection responses time out more quickly in the event of a SYN attack.
You can also set the following recommended values:

Value Name                             Value (REG_DWORD)
TcpMaxPortsExhausted                   1
IPEnableRouter                         0
TcpMaxHalfOpen                         500
TcpMaxHalfOpenRetried                  400
TcpMaxConnectResponseRetransmissions   3
TcpMaxDataRetransmissions              2
KeepAliveTime                          300000 (5 minutes)
NoNameReleaseOnDemand                  1
Description of the above values:
TcpMaxPortsExhausted: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.
IPEnableRouter = 0: Disables all IP forwarding between interfaces.
TcpMaxHalfOpen: Limits the total number of half-open connections allowed by the system at any given time.
TcpMaxHalfOpenRetried: Sets the number of retried half-open connections allowed by the system at any given time.
TcpMaxConnectResponseRetransmissions: Sets any SYN/ACK handshake to time out at 3 seconds and drop the connection at nine (9) seconds.
TcpMaxDataRetransmissions: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.
NoNameReleaseOnDemand: Specifies that the computer does not release its NetBIOS name when it receives a name-release request.
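The procedure above (back up, then set the values, then verify) as an added PowerShell example; it is not part of the original article. It assumes the values live under the standard HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key, which the article does not spell out, and that the script runs in an elevated session.

```powershell
# Added example (not the article's own): audit and apply the SYN flood registry
# values listed above. Run elevated; pass -WhatIf to audit without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupPath = "$env:TEMP\Tcpip-Parameters-backup.reg"
)

# Assumed location of the TCP/IP parameters (the article omits the path).
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended values from the article (all REG_DWORD).
$desired = [ordered]@{
    SynAttackProtect                     = 2
    TcpMaxPortsExhausted                 = 1
    IPEnableRouter                       = 0
    TcpMaxHalfOpen                       = 500
    TcpMaxHalfOpenRetried                = 400
    TcpMaxConnectResponseRetransmissions = 3
    TcpMaxDataRetransmissions            = 2
    KeepAliveTime                        = 300000   # 5 minutes, in milliseconds
    NoNameReleaseOnDemand                = 1
}

# Step 1: back up the whole key before touching it; abort if the export fails.
if ($PSCmdlet.ShouldProcess($regKey, "Export to $BackupPath")) {
    & reg.exe export $regKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; not applying changes." }
}

# Step 2: compare each value with the current state and set it only if it differs.
foreach ($name in $desired.Keys) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $desired[$name]) { Write-Output "OK      $name = $current"; continue }
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Output "CHANGE  $name : $shown -> $($desired[$name])"
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_DWORD to $($desired[$name])")) {
        New-ItemProperty -Path $key -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
    }
}

# Step 3: read everything back and report what is still out of line.
$mismatch = $desired.Keys | Where-Object {
    (Get-ItemProperty -Path $key -Name $_ -ErrorAction SilentlyContinue).$_ -ne $desired[$_]
}
if ($mismatch) { Write-Warning "Still not set: $($mismatch -join ', ')" }
else { Write-Output "All values match; reboot for the TCP/IP stack to pick them up." }
```

With -WhatIf the script exports nothing and changes nothing; it only lists which values differ from the table, which is the check to run before and after a change window.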