By flooding Microsoft Windows 2000 and 2003 with SYN packets, attackers can cause a DoS on the system. The following article illustrates how users can implement a protection mechanism against this attack, and describes a weakness in that mechanism.
Credit:
The information has been provided by Luigi Mori.
Vulnerable Systems:
* Microsoft Windows 2000 SP4 and prior
* Microsoft Windows 2003 Server
Immune Systems:
* Microsoft Windows 2000 SP4 with Update Rollup
* Microsoft Windows 2003 Server SP1
On Windows 2000 and 2003 the system administrator can enable a SYN attack protection mechanism in the TCP/IP stack by adding the value SynAttackProtect under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
If SynAttackProtect is set to 2, the TCP/IP stack notifies a listening socket only once the 3-way handshake has been completed, and it tracks the ongoing 3-way handshakes by storing them in a hash table. This way the socket's backlog is defended from SYN flood attacks.
The vulnerability resides in the management of this hash table: the hash function used by the TCP/IP stack works only on some fields of the incoming SYN packet and is thus predictable. An attacker can generate a large number of SYN packets with the same hash value so that they all target the same hash table bucket. When the victim machine receives them, it stores them all in that one bucket. The chain attached to the bucket keeps growing, and the longer it grows, the slower the lookup algorithm becomes.
Vendor response:
Microsoft has patched the vulnerability in Windows 2003 SP1 and the Windows 2000 Update Rollup.
The new version of TCPIP.SYS has this SYN attack protection enabled by default and uses a cryptographic hash function (MD5) for the table lookup. The hash material is the source port, destination port, source IP and destination IP of the SYN packet, plus some pseudo-random material obtained at startup.
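The following simulation, added here and not part of the original advisory or of Microsoft's code, contrasts the two bucket-selection strategies described above: a toy partial-field hash standing in for the predictable one (the real Windows function is not reproduced), and the patched approach of MD5 over the full 4-tuple plus per-boot random material. The table size, the addresses and the half-open connection sample are all constructed for the illustration.

```python
import hashlib
import ipaddress
import os
import struct

BUCKETS = 1024  # assumed table size for this illustration, not the Windows value
BOOT_SECRET = os.urandom(16)  # per-boot pseudo-random material, as in the fix

def syn_tuple_bytes(src_ip, src_port, dst_ip, dst_port):
    """Serialize the 4-tuple of a SYN packet in network byte order."""
    return (ipaddress.IPv4Address(src_ip).packed + struct.pack("!H", src_port)
            + ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port))

def predictable_bucket(src_ip, src_port, dst_ip, dst_port):
    # Toy stand-in (not the real Windows function) for a hash that looks only at
    # some fields of the SYN: here the destination side, so every SYN aimed at
    # one service lands in the same bucket no matter who sent it.
    return (int(ipaddress.IPv4Address(dst_ip)) ^ dst_port) % BUCKETS

def keyed_bucket(src_ip, src_port, dst_ip, dst_port, secret=BOOT_SECRET):
    # The patched approach: MD5 over the full 4-tuple plus secret material
    # unknown to the sender, so the bucket cannot be predicted from the packet.
    digest = hashlib.md5(secret + syn_tuple_bytes(src_ip, src_port, dst_ip, dst_port)).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS

def longest_chain(bucket_fn, syns):
    # Longest bucket chain after inserting every half-open SYN. A chain far above
    # the average (len(syns) / BUCKETS) is the signature of collision abuse.
    chains = {}
    for syn in syns:
        b = bucket_fn(*syn)
        chains[b] = chains.get(b, 0) + 1
    return max(chains.values())

def constructed_flood(count=4096):
    # Constructed sample: one sender varying only its source port against one service.
    return [("198.51.100.7", 1024 + i, "192.0.2.10", 80) for i in range(count)]

def compare(count=4096):
    # Returns (longest chain with the predictable hash, longest chain with keyed MD5).
    syns = constructed_flood(count)
    return longest_chain(predictable_bucket, syns), longest_chain(keyed_bucket, syns)

if __name__ == "__main__":
    weak, keyed = compare()
    print(f"predictable hash: longest chain {weak}; keyed MD5: longest chain {keyed}")
```

With the partial-field hash every one of the 4096 half-open entries ends up in a single chain, while the keyed hash keeps the longest chain close to the average of four per bucket, which is what turns a linear lookup back into a constant-time one.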