
• 1 or 0; default is 1 (enabled)
In the SCE UI, these options appear as:
• Enabled
• Disabled
• Not Defined
Potential Impact: Setting EnablePMTUDiscovery to 1 causes TCP to attempt to discover the path MTU, that is, the largest packet size that can be carried to a remote host without fragmentation. By discovering the path MTU and limiting TCP segments to this size, TCP avoids fragmentation at routers along the path that connect networks with different MTUs; fragmentation adversely affects TCP throughput. When this value is set to 0, a fixed MTU of 576 bytes is used for all connections to hosts that are not on the local subnet. Path MTU discovery relies on ICMP Destination Unreachable (Fragmentation Needed) messages from intermediate routers, so when the value is 1, firewalls on the path must not drop those messages or large segments can be silently lost.
KeepAliveTime: How often keep-alive packets are sent in milliseconds (300,000 is recommended)
This entry appears as MSS: How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE. This value controls how long a connection must remain idle before TCP sends a keep-alive packet to verify that the connection is still intact. If the remote computer is still reachable, it acknowledges the keep-alive packet; if no acknowledgement is received, TCP eventually drops the connection.
Vulnerability: An attacker who is able to connect to network applications could cause a DoS condition by establishing numerous connections and then abandoning them. Until a keep-alive probe goes unanswered, each abandoned connection continues to consume server resources.
Countermeasure: Configure MSS: How often keep-alive packets are sent in milliseconds (300,000 is recommended) to a value of 300000 or 5 minutes.
The possible values for this Registry value are:
• 1 through 0xFFFFFFFF; default is 7,200,000 (two hours)
In the SCE UI, the following list of options appears:
• 150000 or 2.5 minutes
• 300000 or 5 minutes (recommended)
• 600000 or 10 minutes
• 1200000 or 20 minutes
• 2400000 or 40 minutes
• 3600000 or 1 hour
• 7200000 or 2 hours (default value)
• Not Defined
Potential Impact: Keep-alive packets are not sent by default; TCP sends them only on connections for which the application has requested keep-alives. Administrators can use a program to configure this value on a per-connection basis. Lowering this from the default value of 2 hours to 5 minutes means that idle connections whose peer has become unreachable are detected and torn down within minutes rather than hours; a peer that is still reachable simply acknowledges the probe and its session stays up.
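The following PowerShell is an added example, not part of this guide, that covers both settings discussed above: it audits EnablePMTUDiscovery and KeepAliveTime against the recommended values, treats a missing entry as "Not Defined" (the stack default from the text), can remediate them, and shows the per-connection keep-alive configuration that the text says a program can apply. It assumes the documented location of these values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and the SIO_KEEPALIVE_VALS structure layout; the function names are this example's own.

```powershell
# Added example (not from the guide). Assumes the Tcpip parameters live at the
# documented registry path below; run elevated to remediate.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Name, recommended value, value the stack uses when the entry is absent
# ("Not Defined"), and the valid range given in the text.
$Expected = @(
    @{ Name = 'EnablePMTUDiscovery'; Recommended = 1;      Default = 1;       Min = 0; Max = 1 }
    @{ Name = 'KeepAliveTime';       Recommended = 300000; Default = 7200000; Min = 1; Max = [uint32]::MaxValue }
)

function Get-TcpipHardeningState {
    param([string]$Path = $TcpipParams)
    foreach ($e in $Expected) {
        $item = Get-ItemProperty -Path $Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $current = [uint32]$e.Default
            $source  = 'Not Defined (stack default)'
        } else {
            # REG_DWORD is returned as Int32; widen so 0xFFFFFFFF compares correctly.
            $current = [uint32]([int64]$item.($e.Name) -band 0xFFFFFFFF)
            $source  = 'Registry'
        }
        [pscustomobject]@{
            Name        = $e.Name
            Current     = $current
            Source      = $source
            Recommended = $e.Recommended
            InRange     = ($current -ge $e.Min -and $current -le $e.Max)
            Compliant   = ($current -eq $e.Recommended)
        }
    }
}

function Set-TcpipHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $TcpipParams)
    foreach ($e in $Expected) {
        if ($PSCmdlet.ShouldProcess("$Path\$($e.Name)", "Set REG_DWORD to $($e.Recommended)")) {
            New-ItemProperty -Path $Path -Name $e.Name -PropertyType DWord `
                -Value $e.Recommended -Force | Out-Null
        }
    }
}

# Per-connection equivalent of KeepAliveTime: SIO_KEEPALIVE_VALS takes a
# tcp_keepalive struct of three little-endian 32-bit values
# (onoff, keepalivetime ms, keepaliveinterval ms). Works on an unconnected socket too.
function Set-SocketKeepAlive {
    param(
        [Parameter(Mandatory)][System.Net.Sockets.Socket]$Socket,
        [uint32]$IdleMs     = 300000,   # first probe after 5 minutes idle
        [uint32]$IntervalMs = 1000      # retry interval for unanswered probes
    )
    $Socket.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
                            [System.Net.Sockets.SocketOptionName]::KeepAlive, $true)
    $inValue = New-Object byte[] 12
    [BitConverter]::GetBytes([uint32]1).CopyTo($inValue, 0)
    [BitConverter]::GetBytes($IdleMs).CopyTo($inValue, 4)
    [BitConverter]::GetBytes($IntervalMs).CopyTo($inValue, 8)
    $null = $Socket.IOControl([System.Net.Sockets.IOControlCode]::KeepAliveValues, $inValue, $null)
}

# Usage: audit first, preview the change, then apply it elevated.
Get-TcpipHardeningState | Format-Table -AutoSize
Set-TcpipHardening -WhatIf
# Set-TcpipHardening            # apply; the stack reads these values at startup, so plan a restart

$sock = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp)
Set-SocketKeepAlive -Socket $sock      # probes every 5 minutes on this socket only
$sock.Dispose()
```

The audit reports an absent entry as "Not Defined" and evaluates it with the stack default, which is what the SCE's Not Defined option means in practice. Because the registry values are read when the TCP/IP stack initializes, confirm compliance after the next restart rather than immediately after writing them.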