TCP/IP Stack hardening in Operating Systems starting with Windows Vista

  • Article

In Windows Server 2003 you could change the following TCP/IP parameters to harden the Stack against Syn Attacks. This protection has been accomplished by the TCP/IP stack in the following way by dropping new connection requests when the threshold values are met, regardless of how much system memory or CPU power available to the system.

System\CurrentControlSet\Services\Tcpip\Parameters
- TcpWindowSize
- SynAttackProtect
- TcpMaxConnectResponseRetransmissions
- EnableDeadGWDetect
- EnablePMTUBHDetect
- EnablePMTUDiscovery
- TcpMaxHalfOpen
- TcpMaxHalfOpenRetried
{InterfaceGUID}\TcpInitialRTT

Now in Operating Systems starting with Windows Vista the above settings marked with RED are no longer valid, because Syn Attack protection is built in "by default" and changed in the following ways:

- Syn Attack protection is enabled by default and cannot be disabled!
- Syn Attack protection dynamically calculates the thresholds (of when it considers an attack has started) based on the number of CPU cores and memory available and hence it doesn’t expose any configurable parameters via registry, netsh etc.
- Since TCP/IP driver goes into attack state based on the number of CPU cores and the amount of memory available, systems with more resources will start dropping new connection attempts later compared to systems with less resources. The new algorithm eliminates the need of any fine tuning and TCP/IP stack will self-tune to best values possible depending on the available resources.

{InterfaceGUID}\TcpInitialRTT cannot be changed anymore and is hardcoded at 3 seconds to meet RFC 1122.

===============================================

https://www.ietf.org/rfc/rfc2988.txt

 (2.1) Until a round-trip time (RTT) measurement has been made for a segment sent between the sender and receiver, the sender SHOULD set RTO <- 3 seconds (per RFC 1122 [Bra89]), though the "backing off" on repeated retransmission discussed in (5.5) still applies.

===============================================

 

Regarding the AFD Parameters:

System\CurrentControlSet\Services\AFD\Parameters
- DynamicBacklogGrowthDelta
- EnableDynamicBacklog
- MaximumDynamicBacklog
- MinimumDynamicBacklog

The primary goal of the dynamic backlog scheme in Winsock was to alleviate the impact of Syn Attacks at Winsock layer. With the new NETIO stack on Vista/WS08 and onwards and the TcpIP syn-attack protection built-in, the Winsock-level dynamic backlog scheme is not needed anymore and has been removed.

Dorian