Registry Guide for Windows

Harden the TCP/IP Stack for Denial of Service Attacks (Windows 2000/XP)
Denial of service attacks are network attacks that are aimed at making a computer or a particular service unavailable to network users. These settings can be used to increase the ability for Windows to defend against these attacks when connected directly to the Internet.


Open your registry and find the key below.

Create the following DWORD values and set them according to the table below.

  • EnableDeadGWDetect = "0" (default = 1)
    Disables dead-gateway detection as an attack could force the server to switch gateways.
  • EnableICMPRedirect = "0" (default = 1)
    Stops Windows from altering its route table in response to ICMP redirect messages. Some documentation lists this value as "EnableICMPRedirects", but according to Microsoft it should be "EnableICMPRedirect" (no "s").
  • EnablePMTUDiscovery = "0" (default = 1)
    Disables maximum transmission unit (MTU) discovery as an attacker could force the MTU value to a very small value and overwork the stack.
  • KeepAliveTime = "300,000" (default = 7,200,000)
    Shortens the interval at which TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.
  • NoNameReleaseOnDemand = "1" (default = 0)
    Protects the computer against malicious NetBIOS name-release attacks.
  • PerformRouterDiscovery = "0" (default = 1)
    Disables ICMP Router Discovery Protocol (IRDP), through which an attacker may remotely add default route entries on a remote system.
  • SynAttackProtect = "2" (default = 0)
    Automatically adds additional delays to connection indications, and TCP connection requests quickly time out when a SYN attack is in progress.

Restart Windows for the changes to take effect.

Note: These values will not give the best performance due to additional checking and less optimization, but they will provide greater protection against attacks.

Registry Editor Example
| Name | Type | Data |
| (Default) | REG_SZ | (value not set) |
| EnableDeadGWDetect | REG_DWORD | 0x00000000 (0) |
| EnableICMPRedirect | REG_DWORD | 0x00000000 (0) |
| EnablePMTUDiscovery | REG_DWORD | 0x00000000 (0) |
| KeepAliveTime | REG_DWORD | 0x000493e0 (300000) |
| NoNameReleaseOnDemand | REG_DWORD | 0x00000001 (1) |
| PerformRouterDiscovery | REG_DWORD | 0x00000000 (0) |
| SynAttackProtect | REG_DWORD | 0x00000002 (2) |

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\P...

Registry Settings
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Value Name: EnableDeadGWDetect, EnableICMPRedirect, EnablePMTUDiscovery, KeepAliveTime, NoNameReleaseOnDemand, PerformRouterDiscovery, SynAttackProtect
Data Type: REG_DWORD (DWORD Value)
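
An added example (not part of the original page or any WinGuides tool): a PowerShell script that audits the key above against the values in the list and, with -Apply, writes any that are missing, mistyped or different. It assumes PowerShell is installed and, for -Apply, an elevated session; the Want/Default field names and the report columns are this example's own.

```powershell
param([switch]$Apply)   # report only unless -Apply is given (needs an elevated session)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Value name -> hardened data (Want) and stock default (Default), as listed on this page.
$baseline = @{
    EnableDeadGWDetect     = @{ Want = 0;      Default = 1 }
    EnableICMPRedirect     = @{ Want = 0;      Default = 1 }
    EnablePMTUDiscovery    = @{ Want = 0;      Default = 1 }
    KeepAliveTime          = @{ Want = 300000; Default = 7200000 }
    NoNameReleaseOnDemand  = @{ Want = 1;      Default = 0 }
    PerformRouterDiscovery = @{ Want = 0;      Default = 1 }
    SynAttackProtect       = @{ Want = 2;      Default = 0 }
}

$regKey  = Get-Item -Path $key
$present = $regKey.GetValueNames()
$report = foreach ($name in ($baseline.Keys | Sort-Object)) {
    $want = $baseline[$name].Want
    if ($present -notcontains $name) {
        # Value not created yet, so the default from the list applies.
        $current = $baseline[$name].Default
        $state   = 'Missing (default in effect)'
    } elseif ($regKey.GetValueKind($name) -ne 'DWord') {
        # The page requires REG_DWORD; a string "0" is not the same thing.
        $current = $regKey.GetValue($name)
        $state   = 'Wrong type (must be REG_DWORD)'
    } else {
        $current = $regKey.GetValue($name)
        $state   = if ($current -eq $want) { 'OK' } else { 'Mismatch' }
    }
    if ($Apply -and $state -ne 'OK') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
        $state = "Fixed (was: $state)"
    }
    New-Object PSObject -Property @{ Name = $name; Current = $current; Hardened = $want; State = $state }
}
$report | Select-Object Name, Current, Hardened, State | Format-Table -AutoSize

# The page notes that some documentation lists the ICMP value with a trailing "s";
# flag that spelling so it can be checked against the name given here.
if ($present -contains 'EnableICMPRedirects') {
    Write-Warning 'Found "EnableICMPRedirects"; the value name given on this page is "EnableICMPRedirect".'
}
```

Run it without arguments to audit a host; values written with -Apply take effect after the restart described above.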

Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.

Last Modified: December 19, 2002


Copyright © 2003 GuideWorks. All rights reserved.