可能大家在其他很多地方都看到過在Windows中通過修改註冊表來加固TCP/IP協議棧以抵禦拒絕服務的攻擊,不過基本上是針對Windows 2000的。在此我想提醒大家,Windows 2000和Windows Server 2003中啓用SYN攻擊保護的鍵值不一樣。在Windows 2000中,通常是設置SynAttackProtect鍵值爲dword:2以獲得最有效的SYN攻擊保護,但是在Windows Server 2003中,SynAttackProtect鍵值只具有0和1這兩個值,只是在鍵值設置爲dword:1時啓用SYN攻擊保護。
關於它們之間的區別,請參見微軟知識庫文章:
HOW TO:在 Windows 2000 中加固 TCP/IP 協議棧以抵禦拒絕服務的攻擊
和
HOW TO:在 Windows Server 2003 中加固 TCP/IP 堆棧以抵禦拒絕服務攻擊
關於這些鍵值更爲詳細的信息,請參見微軟安全指南文章如何:強化 TCP/IP 堆棧安全,不過這篇文章中描述的部分鍵值位置有誤,具體位置請參見前面相關的兩篇知識庫文章。
在此我爲大家創建了兩個分別針對Windows 2000和Windows Server 2003的註冊表文件,導入後即可啓用SYN攻擊保護。
For Windows 2000(文件名後綴爲.txt,右擊後選擇目標另存爲,保存後修改文件擴展名爲.reg再導入註冊表即可),或者將以下內容複製後導入到註冊表中:
---------------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters]
"SynAttackProtect"=dword:2
"TcpMaxPortsExhausted"=dword:5
"TcpMaxHalfOpen"=dword:500
"TcpMaxHalfOpenRetried"=dword:400
"TcpMaxConnectResponseRetransmissions"=dword:2
"TcpMaxDataRetransmissions"=dword:2
"EnablePMTUDiscovery"=dword:0
"KeepAliveTime"=dword:300000
"NoNameReleaseOnDemand"=dword:1
"DefaultTTL"=dword:256
"EnableDeadGWDetect"=dword:0
"DisableIPSourceRouting"=dword:1
"EnableFragmentChecking"=dword:1
"EnableMulticastForwarding"=dword:0
"IPEnableRouter"=dword:0
"EnableAddrMaskReply"=dword:0
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AFD/Parameters]
"EnableICMPRedirect"=dword:0
"EnableDynamicBacklog"=dword:1
"MinimumDynamicBacklog"=dword:20
"MaximumDynamicBacklog"=dword:20000
"DynamicBacklogGrowthDelta"=dword:10
---------------------------------------------------------------------------------
For Windows Server 2003(文件名後綴爲.txt,右擊後選擇目標另存爲,保存後修改文件擴展名爲.reg再導入註冊表即可),或者將以下內容複製後導入到註冊表中:
---------------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters]
"SynAttackProtect"=dword:1
"TcpMaxPortsExhausted"=dword:5
"TcpMaxHalfOpen"=dword:500
"TcpMaxHalfOpenRetried"=dword:400
"TcpMaxConnectResponseRetransmissions"=dword:2
"TcpMaxDataRetransmissions"=dword:2
"EnablePMTUDiscovery"=dword:0
"KeepAliveTime"=dword:300000
"NoNameReleaseOnDemand"=dword:1
"DefaultTTL"=dword:256
"EnableDeadGWDetect"=dword:0
"DisableIPSourceRouting"=dword:1
"EnableFragmentChecking"=dword:1
"EnableMulticastForwarding"=dword:0
"IPEnableRouter"=dword:0
"EnableAddrMaskReply"=dword:0
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AFD/Parameters]
"EnableICMPRedirect"=dword:0
"EnableDynamicBacklog"=dword:1
"MinimumDynamicBacklog"=dword:20
"MaximumDynamicBacklog"=dword:20000
"DynamicBacklogGrowthDelta"=dword:10