1.1.1.2.1.16 Set 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)'

Information

1.1.1.2.1.16 Set 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)' to 'Connections time out sooner if a SYN attack is detected'

This entry appears as MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) in the SCE. This entry causes TCP to adjust retransmission of SYN-ACKs. When you configure this entry, the overhead of incomplete transmissions in a connect request (SYN) attack is reduced.

You can use this entry to configure Windows to send router discovery messages as broadcasts instead of multicasts, as described in RFC 1256. By default, if router discovery is enabled, router discovery solicitations are sent to the all-routers multicast group (224.0.0.2).

Not applicable to Windows Vista or Windows Server 2008. In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server. The server leaves the half-open connections open until it is overwhelmed and is no longer able to respond to legitimate requests.

Solution

To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS- (SynAttackProtect) Syn attack protection level (protects against DoS)

Impact- This value adds more delay to connection indications, and TCP connection requests quickly time out when a SYN attack is in progress. If you configure this registry entry, the scalable windows and the TCP parameters configured on each adapter (including Initial Round Trip Time (RTT) and window size) socket options no longer work. When the computer is attacked, the scalable windows (RFC 1323) and per-adapter configured TCP parameters (Initial RTT, window size) options on any socket can no longer be enabled. These options cannot be enabled because, while protection is functioning, the route cache entry is not queried before the SYN-ACK is sent and the Winsock options are not available at this stage of the connection.
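The following PowerShell is an added example, not part of the Tenable check or the CIS benchmark: it audits the value the policy above writes and, when run without -WhatIf, remediates it. It assumes the MSS policy maps to the SynAttackProtect DWORD under the Tcpip\Parameters key, and flags the Vista / Server 2008 (NT 6.0) case the check text calls not applicable.

```powershell
# Added example (not the CIS/Tenable check's own code).
# Assumption: the MSS policy writes the REG_DWORD SynAttackProtect under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName   = 'SynAttackProtect'
$Expected    = 1   # 'Connections time out sooner if a SYN attack is detected'

function Get-SynAttackProtect {
    # Returns the configured DWORD, or $null when the value is absent
    # (absent means the OS default applies, which the check treats as a finding).
    $item = Get-ItemProperty -Path $TcpipParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-SynAttackProtect {
    # Emits one audit record modelled on the 'Item Details' block above.
    $os      = [System.Environment]::OSVersion.Version
    $current = Get-SynAttackProtect
    [pscustomobject]@{
        Control       = '1.1.1.2.1.16'
        Value         = $current
        Expected      = $Expected
        # The check text says the entry is not applicable to Windows Vista
        # or Windows Server 2008, both of which report NT 6.0.
        NotApplicable = ($os.Major -eq 6 -and $os.Minor -eq 0)
        Compliant     = ($current -eq $Expected)
    }
}

function Set-SynAttackProtect {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # -Force overwrites an existing value; ShouldProcess honours -WhatIf/-Confirm.
    if ($PSCmdlet.ShouldProcess("$TcpipParams\$ValueName", "Set to $Expected")) {
        New-ItemProperty -Path $TcpipParams -Name $ValueName -Value $Expected `
            -PropertyType DWord -Force | Out-Null
    }
}

$result = Test-SynAttackProtect
$result | Format-List
if (-not $result.Compliant -and -not $result.NotApplicable) {
    Set-SynAttackProtect -WhatIf   # drop -WhatIf to apply the remediation
}
```

Run the script from an elevated session; setting the value through the Group Policy path in the Solution above remains the preferred route in a domain, since a local registry write is overwritten at the next policy refresh.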

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CCE|CCE-3616-0, CSCv6|9.2

Plugin: Windows

Control ID: 51d745742f6bc260a3b04490f44dd1d74dc97e53df86f11f001a8ee549f2bd65