Potential Impact:
Setting this value to greater than or equal to 2 causes the stack to employ SYN-ATTACK protection internally. Setting this value to less than 2 prevents the stack from reading the registry values at all for SYN-ATTACK protection. This parameter shortens the default time that it takes to clean up a half-open TCP connection. A site that is under heavy attack might set the value as low as 1. A value of 0 is also valid. However, if this parameter is set to 0, SYN-ACKs will not be retransmitted at all and will time out in 3 seconds. With the value this low, legitimate connection attempts from distant clients may fail.
TcpMaxDataRetransmissions: How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
This entry appears as MSS: How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the SCE. This parameter controls the number of times that TCP retransmits an individual data segment (non-connect segment) before aborting the connection. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection.
Vulnerability:
In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and is no longer able to respond to legitimate requests.
Countermeasure:
Configure MSS: How many times unacknowledged data is retransmitted (3 recommended, 5 is default) to a value of 3. The possible values for this Registry value are:
• 0 to 0xFFFFFFFF; default is 5.
In the SCE UI, this appears as a text entry box:
• A user defined number
• Not Defined
Potential Impact:
TCP starts a retransmission timer when each outbound segment is handed down to IP. If no acknowledgment has been received for the data in a given segment before the timer expires, then the segment is retransmitted up to three times.
PerformRouterDiscovery: Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
This entry appears as MSS: Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) in the SCE. This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically.
Vulnerability:
An attacker who has gained control of a system on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised system.
Countermeasure:
Configure MSS: Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) to a value of Disabled. The possible values for this Registry value are:
• 1 or 0; the default is 0 (disabled)
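The following PowerShell script is an added example, not part of the guide, that audits the two registry values described in the TcpMaxDataRetransmissions and PerformRouterDiscovery entries above against their recommended settings (3 and 0 respectively) and can optionally set them. It assumes both values live under the Tcpip\Parameters key, which the text does not name; the recommended values and defaults are taken from the entries above.

```powershell
# Added example (not from the guide): audit the two MSS-backed Tcpip registry values
# covered above against the recommended settings, optionally remediating them.
# Assumption: both values live under the Tcpip\Parameters key; the guide names only
# the SCE entries, not the key path.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended values and defaults as stated in the entries above.
$Settings = @(
    @{ Name = 'TcpMaxDataRetransmissions'; Recommended = 3; Default = 5
       Note = 'retransmissions of an unacknowledged data segment before the connection is aborted' },
    @{ Name = 'PerformRouterDiscovery';    Recommended = 0; Default = 0
       Note = '0 = IRDP disabled; a rogue router on the segment cannot become the default gateway' }
)

$report = foreach ($s in $Settings) {
    $item = Get-ItemProperty -Path $KeyPath -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int]$item.($s.Name) } else { $null }

    # A missing value ("Not Defined" in the SCE) means the stack uses its built-in default.
    $effective = if ($null -eq $current) { $s.Default } else { $current }
    $compliant = ($effective -eq $s.Recommended)

    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess("$KeyPath\$($s.Name)", "Set to $($s.Recommended)")) {
        # REG_DWORD, created if absent or overwritten if present (-Force).
        New-ItemProperty -Path $KeyPath -Name $s.Name -Value $s.Recommended `
            -PropertyType DWord -Force | Out-Null
        $effective = $s.Recommended
        $compliant = $true
    }

    [pscustomobject]@{
        Setting     = $s.Name
        Configured  = if ($null -eq $current) { 'Not Defined' } else { $current }
        Effective   = $effective
        Recommended = $s.Recommended
        Compliant   = $compliant
        Note        = $s.Note
    }
}

$report | Format-Table -AutoSize
```

Run it without switches from any account to get the compliance report; run it from an elevated session with -Remediate (add -WhatIf to preview the registry writes) to apply the recommended values. Because these Tcpip parameters are read when the stack initializes, plan a restart before treating the change as effective.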