Win2000 improves the ability to resist DDOS attacks by modifying the registry



Denial of Service (DoS) and Distributed Denial of Service (DDoS). Denial of service means that, after a particular attack, the attacked system can no longer deliver the service it is supposed to deliver in a timely way: a web server can no longer serve pages, a mail server (SMTP, POP3) can no longer send or receive mail, and so on. Denial-of-service attacks usually use a large number of network packets to paralyze the target's network and hosts so that legitimate users cannot get timely service from them. Distributed denial of service, put simply, consumes the available system resources and network bandwidth with a flood of packets far beyond the target's processing capacity, paralyzing its network services.

Perhaps because of excessive media attention, DoS attacks, and especially DDoS attacks, seem to have become popular overnight. Network administrators of every kind get excited as soon as a server fails and shout "I am being DDoSed!", with something like glory and pride written on their faces. In fact there are not many DDoS attacks in the real sense around us; after all, launching one takes a lot of resources. Real attacks do happen constantly, but the vast majority of them are ordinary denial-of-service attacks, and how to defend against these common attacks has become the most troublesome problem for many administrators. So I asked around, and the answer was usually the same: "buy our hardware firewall". Hardware firewalls, including dedicated anti-DoS products, are indeed good, but they are very expensive; however effective they are, from the perspective of investment and return they cost too much. Actually, from the operating system's point of view, many protective functions are hidden in the system itself, though many of them need to be dug out slowly.
Here is a brief introduction to how the registry can be modified under Win2000 to enhance the system's anti-DoS capability. The settings are given as a .reg file; lines beginning with ";" are comments, and each comment describes the value that follows it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; Turn off dead-gateway detection. When the server is configured with several gateways,
; the system tries the second gateway whenever the network is unreliable; closing this
; can optimize the network.
"EnableDeadGWDetect"=dword:00000000
; Do not respond to ICMP redirect messages. Such messages can be used for attacks, so
; the system should refuse to accept them.
"EnableICMPRedirects"=dword:00000000
; Do not release the NetBIOS name. When an attacker sends a request to release the
; server's NetBIOS name, the server is prevented from responding.
; Note: the system must have SP2 or higher.
"NoNameReleaseOnDemand"=dword:00000001
; Keep-alive interval: how long TCP waits before checking that an idle connection is
; still alive. If unset, the system checks idle connections every 2 hours; here it is
; set to 5 minutes (0x493e0 milliseconds).
"KeepAliveTime"=dword:000493e0
; Disable path MTU discovery. With value 1 the system automatically detects the largest
; packet size that can be transmitted, which improves efficiency; on failure, or for
; safety, set it to 0, which uses a fixed MTU of 576 bytes.
"EnablePMTUDiscovery"=dword:00000000
; Enable SYN attack protection. The default 0 means protection is off; 1 and 2 enable it,
; and 2 is the stricter level. What counts as an attack is decided by the TcpMaxHalfOpen
; and TcpMaxHalfOpenRetried values below. Note that NT 4.0 must be set to 1: with 2,
; certain special packets cause the system to restart.
"SynAttackProtect"=dword:00000002
; Number of half-open connections allowed at the same time. Half-open connections are
; incompletely established TCP sessions, visible in the SYN_RCVD state with netstat.
; Microsoft recommends 100 for Server and 500 for Advanced Server; setting it a little
; smaller is recommended.
"TcpMaxHalfOpen"=dword:00000064
; Trigger point for deciding that an attack is under way. Microsoft recommends 80 for
; Server and 400 for Advanced Server.
"TcpMaxHalfOpenRetried"=dword:00000050
; How many times to retransmit the SYN-ACK. The default of 3 takes 45 seconds in total;
; 2 takes 21 seconds; 1 takes 9 seconds; the minimum of 0 means no waiting and takes
; 3 seconds. Adjust according to the scale of the attack. Microsoft's site security
; recommendation is 2.
"TcpMaxConnectResponseRetransmissions"=dword:00000001
; Number of times TCP retransmits a single data segment. The default of 5 takes
; 240 seconds in total; Microsoft's site security recommendation is 3.
"TcpMaxDataRetransmissions"=dword:00000003
; Critical point for SYN attack protection: when the available backlog drops to 0, this
; parameter controls activation of SYN protection. Microsoft's recommendation is 5.
"TCPMaxPortsExhausted"=dword:00000005
; Disable IP source routing. The default 1 means source-routed packets are not
; forwarded; 0 forwards them all; 2 discards all source-routed packets received.
; Microsoft's site security recommendation is 2.
"DisableIPSourceRouting"=dword:00000002
; Maximum time a connection stays in the TIME_WAIT state. Default 240 seconds, minimum
; 30 seconds, maximum 300 seconds; 30 seconds (0x1e) is recommended.
"TcpTimedWaitDelay"=dword:0000001e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
; Increment by which the NetBT connection backlog grows. Default 3, range 1-20; a larger
; value improves performance when there are more connections. Each connection block
; consumes 87 bytes.
"BacklogIncrement"=dword:00000003
; Maximum NetBT connection backlog. Range 1-400; here it is set to 1000 (0x3e8). The
; larger the value, the more connections are allowed when the server is busy.
"MaxConnBackLog"=dword:000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters]
; Activate the dynamic backlog. For busy networks or systems exposed to SYN attacks,
; 1 (dynamic backlog allowed) is recommended.
"EnableDynamicBacklog"=dword:00000001
; Minimum dynamic backlog: the minimum number of free connections the dynamic backlog
; keeps allocated; when free connections fall below this number, more are allocated
; automatically. Default 0; 20 is recommended for busy or SYN-exposed systems.
"MinimumDynamicBacklog"=dword:00000014
; Maximum dynamic backlog: the maximum "standard" number of connections. It mainly
; depends on memory size; in theory every 32 MB of memory allows about 5000 more.
; Here it is set to 20000 (0x4e20).
"MaximumDynamicBacklog"=dword:00004e20
; Number of free connections added each time the backlog grows. Default 5; 10 is
; recommended for busy or SYN-exposed systems. The value name was missing from the
; original listing; DynamicBacklogGrowthDelta is the Afd parameter matching this
; description.
"DynamicBacklogGrowthDelta"=dword:0000000a

The following part must be modified by hand according to the actual situation:

; Enable security filtering on the network card.
; The number of TCP connections opened at the same time can be controlled as needed.
; This parameter limits the size of the TCP header table; on machines with a lot of
; RAM, raising it improves response performance during SYN attacks.
; Uncomment the key below and replace the placeholder with your own interface:
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{own network card interface}]
; Disable router discovery. ICMP router advertisement messages can be used to add
; routing table entries and so enable attacks, so router discovery is disabled.
"PerformRouterDiscovery"=dword:00000000
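As an added example (not part of the original article), a small Python checker that parses a .reg file in the format above, decodes the dword values, and reports which of the article's Tcpip\Parameters settings are absent or weaker than the recommended values; the sample .reg text inside it is constructed for this example.

```python
import re

# Expected values from the article's Tcpip\Parameters section, in decimal. SAMPLE_REG
# at the bottom is constructed for this example (not the article's own file).
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
BASELINE = {"SynAttackProtect": 2, "EnableICMPRedirects": 0, "DisableIPSourceRouting": 2,
            "TcpMaxHalfOpen": 100, "TcpMaxHalfOpenRetried": 80, "KeepAliveTime": 300000}
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Parse the .reg subset used here: [key] headers, "name"=dword:hex lines and
    ';' comment lines. Returns {(key, name): int} with the hex decoded to decimal."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def audit(values):
    """Report Tcpip values absent (Windows default applies; for SynAttackProtect that is
    'off') or different from BASELINE, and check TcpMaxHalfOpenRetried < TcpMaxHalfOpen."""
    findings = []
    for name, want in BASELINE.items():
        got = values.get((TCPIP, name))
        if got != want:
            findings.append(f"{name}={got} (expected {want})")
    half, retried = values.get((TCPIP, "TcpMaxHalfOpen")), values.get((TCPIP, "TcpMaxHalfOpenRetried"))
    if half is not None and retried is not None and retried >= half:
        findings.append("TcpMaxHalfOpenRetried must be lower than TcpMaxHalfOpen")
    return findings

# Constructed sample: SynAttackProtect left off and KeepAliveTime at the 2-hour default.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00
[{TCPIP}]
; comment lines are skipped by the parser
"SynAttackProtect"=dword:00000000
"EnableICMPRedirects"=dword:00000000
"DisableIPSourceRouting"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"KeepAliveTime"=dword:006ddd00
"""
```

The last check matters because the retried count can never exceed the total half-open count: if TcpMaxHalfOpenRetried is not lower than TcpMaxHalfOpen, the retransmission trigger can never fire before the total-count trigger already has.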
