- Securing Windows Server 2003 Against DoS Attacks with the Registry
- Getting More Protection
Getting More Protection
Are there any other values we can add for even more protection? The answer is undoubtedly yes. In the event of a DoS attack on our primary server, wouldn't it be neat (well, sort of) to automatically switch over to a backup server for subsequent connections due to connection difficulty? You can accomplish just this with a value called EnableDeadGWDetect. By adding this TCP/IP parameter value with a data value of 1, we can tell our server to perform dead-gateway detection. When enabled, this type of detection checks every connection; and if the server has attempted to send TCP packets equal to one half the number of the data value defined for TcpMaxConnectResponseRetransmissions, the connection is switched to a backup gateway (listed in the Advanced section of the TCP/IP configuration dialog box in the Network applet of Control Panel.)
Now that we have all these new values for determining whether connections are bad or half-open, and how our server will respond to these connections by discarding them or moving them to a backup server, it would be nice to tell the server how often to verify whether an idle connection is still open and valid. We can determine this frequency by adding a value called KeepAliveTime. This value verifies an existing idle connection by sending a keep-alive packet to the source machine. If the packet is acknowledged, the connection is kept open or negotiated. By increasing the frequency, we more quickly determine whether a connection should be discarded or not. This essentially allows the server to make more room for other incoming connections more quickly.
Use the KeepAliveTime value at your own discretion and with some caution. I recommend that you use it based on the type of TCP/IP services you are running. For example, if you are running a database server, you should not use it because database connections often go idle for a considerable amount of time before being reinstantiated during the same connection. Under these conditions, the KeepAliveTime value does more harm than good—idle connections that were actually still in use are disconnected. If you are running an FTP or Web server, these connections are often fleeting and have little or no idle time, so KeepAliveTime works well by getting rid of connections of this type (they probably will never be reinstantiated).
The default data value for KeepAliveTime is 7,200,000 milliseconds (2 hours), but the recommended value is 300,000 milliseconds, or 5 minutes. It's probably a good thing that keep-alive packets are not sent by default unless this value is created. At 2 hours per packet to verify a connection, this would cause the server to hang on to dead connections for much longer than necessary. By creating this value, we're better controlling the frequency at which a TCP tries to verify a connection.