An experience of attack of DoS, and some consideration for the stabili
 


Started by 7P-Darkman, 04 November, 2005, 09:53:42


7P-Darkman

Hello friends,

Recently I described in this Forum the characteristics of my modest HUB, which I keep online on a modest server, whose characteristics were also described here: Post

With the intention of verifying the stability and the security of such a modest configuration, I agreed to submit myself to a difficult test: to survive a DoS attack, keeping online both the HUB and the site that is published by the webserver of PtokaX. A great friend of mine, suRe, requested, at my request, in a HUB known for gathering OPs of the larger international HUBs, that an attack be made on my HUB (thanks to the anonymous user who agreed to collaborate and to make the attack). Well, needless to say, having such a modest configuration, my HUB was easily taken off the air by the blow it received.

As I had already suffered attacks of various types on various other occasions (unhappily common on the Net in Brazil), I had previously modified my server, following Microsoft's recommendations, to strengthen the functioning of the TCP/IP stack and to be able to resist these attacks, more precisely this document: Microsoft document

I was confident that my HUB could resist this attack, since my server was prepared for this type of attack; however, I did not count on an interesting characteristic concerning the capacity that PtokaX possesses to accept a limit of simultaneous connections from one same IP. I discovered that it accepted a maximum limit of 100 simultaneous connections (open sockets) from one same IP, and it was exactly this characteristic that was exploited in the attack that I received. Result: my PtokaX server froze and, even though it had not fallen completely, it did not accept any new connections.

Well, this is a characteristic of PtokaX, and not a limitation of this excellent and flexible server. However, how to protect it from this type of attack? After some research in Microsoft's links, and some experiments made on my local network, I arrived at definitive configuration parameters in the registry that resisted this type of attack well.

In the registry key located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, I set the parameter called "TcpMaxHalfOpen" to the value "100", and the parameter called "TcpMaxHalfOpenRetried" to the value "80", following the recommendations contained in Appendix D of this document: Recommendations

I suggest that the friends of this Forum take a look at these links on Microsoft's sites, and follow their guidance regarding the modifications suggested in the registry.

After having done some attack tests on my modified server, through my local network, I came to presume that these parameters in the registry finally protect our brave PtokaX. As for my HUB, it must still remain vulnerable, unhappily because my connection is very bad, and my ADSL modem is also modest equipment.

I hope that colleagues can repeat these tests that I made, to prove the resistance to the attack, and implement this in their HUBs.

Respectfully...


7P-Darkman
Owner of HUB Pantanal - Brasil
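
A monitoring check for the condition described in the post above (one address holding many sockets on the hub, and the half-open count that TcpMaxHalfOpen governs), as an added example that is not part of the original post. It parses `netstat -an` text; the hub port 411, the function names and the constructed sample output are assumptions, while the default limits of 100 repeat the figures given in the post.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
# 192.0.2.10 is built to look like a single-source flood on the hub port:
# 12 established sockets plus 3 half-open ones.
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:411            0.0.0.0:0              LISTENING",
     "  TCP    10.0.0.5:411           198.51.100.7:50212     ESTABLISHED",
     "  TCP    10.0.0.5:411           203.0.113.9:40100      SYN_RECEIVED",
     "  TCP    10.0.0.5:80            192.0.2.10:39999       ESTABLISHED"]
    + [f"  TCP    10.0.0.5:411           192.0.2.10:{40000 + i}     ESTABLISHED" for i in range(12)]
    + [f"  TCP    10.0.0.5:411           192.0.2.10:{41000 + i}     SYN_RECEIVED" for i in range(3)]
)

# local addr:port, remote addr:port, state (greedy \S+ also handles "[::]:411")
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
HALF_OPEN_STATES = ("SYN_RECEIVED", "SYN_RCVD", "SYN_RECV")  # Windows, BSD, Linux names

def summarize(netstat_text, hub_port=411):
    """Count sockets per remote IP on hub_port: all sockets, and half-open ones."""
    total, half_open = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, UDP or malformed line
        _, lport, rip, _, state = m.groups()
        if int(lport) != hub_port or state == "LISTENING":
            continue
        total[rip] += 1
        if state in HALF_OPEN_STATES:
            half_open[rip] += 1
    return total, half_open

def flag_sources(netstat_text, hub_port=411, per_ip_limit=100, half_open_limit=100):
    """Report remote IPs at or above per_ip_limit and the overall half-open count."""
    total, half_open = summarize(netstat_text, hub_port)
    half_open_total = sum(half_open.values())
    return {
        "per_ip": {ip: n for ip, n in total.items() if n >= per_ip_limit},
        "half_open_total": half_open_total,
        "half_open_exceeded": half_open_total >= half_open_limit,
    }

if __name__ == "__main__":
    # Lowered limits so the small constructed sample trips both checks.
    print(flag_sources(SAMPLE, per_ip_limit=10, half_open_limit=4))
```
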

LoTeK_

#1
Quote: In the registry key located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, I set the parameter called "TcpMaxHalfOpen" to the value "100", and the parameter called "TcpMaxHalfOpenRetried" to the value "80", following the recommendations contained in Appendix D of this document: Recommendations

One Minute Low/One Minute High/Maximum Incomplete Low/Maximum Incomplete High/TCP Maximum Incomplete are all configurable by using a router with a firewall and protection against DoS attacks (the predefined parameters, which are the ones you used, work well); maybe using this type of router can protect your hub as well.
But if you don't have that possibility (my server doesn't have it either, or at least I have to pay for that), manual configuration of the system registry is another good solution. Great. :)
PS: DSL is a very bad connection against a DoS attack; maybe using your solution with 10mbps or more will give a more efficient result.

7P-Darkman

Hello, friends...

Yes, LoTeK_, I am aware of the characteristics of protection against DoS attacks that some models of routers can offer. However, my intention with this post was to try to show another possibility that we have for protecting ourselves, which is to strengthen the functioning of the TCP/IP stack through modifications in the Windows registry, with the advantage of not needing to spend anything on this.

Unhappily I have no way to obtain one of these excellent 10 Mb connections that are common there in Europe... My country still does not offer links with this speed for use by the common citizen. Even the slow connection that I use has a high cost here for us.

We will still arrive at that point, you will see!

A hug, and thanks for the tips...

Respectfully,

7P-Darkman
Owner of HUB Pantanal - Brasil

LoTeK_

Yes, I have understood your intentions and probably I will make use of that hint :)

For the connection I use a dedicated server (10mbps in Italy would cost too much, if there are any..., I have a poor 4mb/256k DSL and it's expensive too...) that is located in the USA; maybe you may want to check these web sites that offer dedicated server hosting solutions:

http://www.servermatrix.com/ (for me the best one)
http://www.fdcservers.net/index.html (the bad one..)
http://www.fmservers.co.uk/dchubs.html
http://sh3lls.net/

They offer both Windows and Linux solutions with different specifications for many uses, and they are not too expensive if you can find other people who may want to help with your project. Good luck and thanks for the system registry hints.
