
[GUIDE] [HOW-TO] prevent SYN Attacks

Joined
Dec 16, 2011
Messages
1,993
Reaction score
631
You need to edit and create values in your regedit to limit the time the connection is opened before it drops the connection. And for this, I'll explain how to drop the connection instead of keeping it opened for a longer time;

* First of all, you'll need to run 'regedit', you can use Run to open it up!

* Once your registry edit is opened, you'll need to locate yourself to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (This is in the dropdown section - Image shown below)
[Image: screenshot of the Services key in the registry editor]


* Then you have to Right click on the Services folder, and select New Key and choose DWORD, and for the name, call it SynAttackProtect and give its value 2
- Setting this to 2 will time out the connection faster, and it'll drop the connection, instead of keeping the connection open [Server -> User] for a long time.

* Do the same step as above, but this time the name will be EnableDeadGWDetect and the value will be 0. This will disable the host from sending traffic to an unintended gateway.

* You will also need to repeat the process as above, but yet again you'll need to make a new one under the name EnablePMTUDiscovery and give it a value of 0. This disables the use of high amounts of resources used on the server, and it will help stop memory overload and crashes.


Once you've done that, you can now close regedit, and you can then reboot your server, and this will stop/slow down SYN attacks!
This tutorial was written by me, with research from Google :p

A SYN attack is where an attacker basically connects to your server, and your server receives this connection, but before the server can reply back to the connector (attacker) they change their IP, this can be done in the programs they use, and the connection between the server and the sender (keep in mind that the sender has now changed their IP, and the server won't be able to reach the sender) - and because the IP's been changed, that means the server is still trying to connect and receive information from your computer/IP, this connection keeps open for a while until it stops, but when the attacker has programs to automatically do this, they can send and change their IP multiple times, and, it's still flooding your server until it goes under a SYN attack, and by using my tutorial, this will reduce the time that the connection from the sender is opened for, and it will reduce SYN floods and help stop attackers.

This has indeed been tested, and it does actually work!

Another thing is that SYN floods are also undetectable by normal Anti-DoS firewalls, like KiwiGuard, and connection viewers, like Peerblock, because the IP of the attacker changes for each SYN sent to your server.

I'll make a video for you guys soon!
This is also tested, and works!


 
Joined
Oct 2, 2004
Messages
13,060
Reaction score
1,573
Re: How to prevent SYN Attacks

Little more info about what you're actually doing and what it is actually for would be useful. This is supposed to be a tutorial outlining all the necessary steps and explaining everything in-depth for the people following this who obviously don't know what they're doing (else they wouldn't need this tut, would they?). Tutorials are not discussions or help threads, you should be conveying all of the necessary information in the tut itself so the reader doesn't have to look elsewhere for clarification or for any questions (which they shouldn't have if you covered everything).
 
Joined
Dec 16, 2011
Messages
1,993
Reaction score
631
Re: How to prevent SYN Attacks

Little more info about what you're actually doing and what it is actually for would be useful. This is supposed to be a tutorial outlining all the necessary steps and explaining everything in-depth for the people following this who obviously don't know what they're doing (else they wouldn't need this tut, would they?). Tutorials are not discussions or help threads, you should be conveying all of the necessary information in the tut itself so the reader doesn't have to look elsewhere for clarification or for any questions (which they shouldn't have if you covered everything).

Yes, I understand, and in the event of this, I will indeed be making a video on how to do this. But for now, I've provided the rough essentials. But, I'll update the thread after with more images, and stuff like that. But inexperienced people shouldn't even bother running anything if they can't work with computers.
 
Evil Scottish Overlord
Legend
Joined
May 18, 2007
Messages
5,843
Reaction score
5,253
Re: How to prevent SYN Attacks

It is rather basic. Some folk (e.g me :p:) don't even know what an SYN attack is. Explain everything so it leaves little room for ambiguity. You never know, someone may have this problem but not know what it is.
 
Joined
Dec 16, 2011
Messages
1,993
Reaction score
631
Re: How to prevent SYN Attacks

Well, a SYN attack is where an attacker basically connects to your server, and your server receives this connection, but before the server can reply back to the connector (attacker) they change their IP, this can be done in the programs they use, and the connection between the server and the sender (keep in mind that the sender has now changed their IP, and the server won't be able to reach the sender) - and because the IP's been changed, that means the server is still trying to connect and receive information from your computer/IP, this connection keeps open for a while until it stops, but when the attacker has programs to automatically do this, they can send and change their IP multiple times, and, it's still flooding your server until it goes under a SYN attack, and by using my tutorial, this will reduce the time that the connection from the sender is opened for, and it will reduce SYN floods and help stop attackers.

This has indeed been tested, and it does actually work!

Another thing is that SYN floods are also undetectable by normal Anti-DoS firewalls, like KiwiGuard, and connection viewers, like Peerblock, because the IP of the attacker changes for each SYN sent to your server.
 
Evil Scottish Overlord
Legend
Joined
May 18, 2007
Messages
5,843
Reaction score
5,253
Re: How to prevent SYN Attacks

Well when you get round to updating your thread, mention all that! :cool:
 
Joined
Apr 28, 2005
Messages
6,953
Reaction score
2,420
Re: How to prevent SYN Attacks

Your definition isn't quite right. On SYN attacks, you just simply don't send the ACK to complete the handshake. The server isn't connecting to anything, it just waits for a reply from its SYN-ACK packet. After a certain timeout period it drops the slot for a new connection.

No one uses Windows for web servers so this tutorial will only be useful for maybe 50 members on RZ, if that. I'd include a [corrected] definition of a SYN attack to provide people not on Windows at least some kind of useful information.
 
Joined
Dec 16, 2011
Messages
1,993
Reaction score
631
Re: How to prevent SYN Attacks

Your definition isn't quite right. On SYN attacks, you just simply don't send the ACK to complete the handshake. The server isn't connecting to anything, it just waits for a reply from its SYN-ACK packet. After a certain timeout period it drops the slot for a new connection.

No one uses Windows for web servers so this tutorial will only be useful for maybe 50 members on RZ, if that. I'd include a [corrected] definition of a SYN attack to provide people not on Windows at least some kind of useful information.

Oh yes your explanation is much better. And I did this for people like Habbo Server owners and stuff like that, because those types of games require a Windows OS. But for people who want to know the main information about SYN attacks;

An attacker sends a SYN connection, your server waits for a reply from the sender. But since the attacker is using programs which allow them to change their IP, they then send yet ANOTHER SYN connection, and this process repeats and repeats which causes your server to get SYN Attacked. Because your server has a default time for when it drops or kills the connection, it allows the attacker to flood your website much faster.

So by using this little system tweak, it will drop the SYN connection quicker.

If you still don't understand here's an easier understanding:
1. Host A (user) sends a TCP SYN packet to Host B (the server)
2. Host B (the server) receives Host A's (user's) SYN
3. Host B (the server) sends a SYN-ACK (Synchronize-Acknowledgement) - Basically the server sends the users computer a confirmation so it can go onto the next step.
4. Host A (user) receives Host B's (the server's) SYN-ACK
5. Host A (user) sends ACK(nowledge)
6. Host B (the server) receives the ACK.
And after that, the TCP socket connection is established!


Here's a diagram, thanks to inetdaemon.com:
[Image: TCP three-way handshake diagram from inetdaemon.com]
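
Added example, not part of any post in this thread: a small model of the half-open connection queue discussed above, where a server that has sent its SYN-ACK holds a slot until the ACK arrives or a timeout expires. The function names, backlog size, timeouts and rates are all constructed for illustration and are not Windows defaults.

```python
from collections import deque

def simulate(backlog, timeout_s, flood_rate, legit_rate, duration_s):
    """Model a listener's half-open (SYN received, ACK pending) queue.

    One loop step is one second. Flood SYNs are never followed by an ACK,
    so each one holds a slot until timeout_s has passed. Legitimate clients
    ACK promptly, so they only need a free slot when their SYN arrives.
    Returns the fraction of legitimate handshakes that completed.
    """
    half_open = deque()  # expiry time of each unanswered SYN-ACK, oldest first
    completed = attempted = 0
    for now in range(duration_s):
        # Server gives up on entries whose SYN-ACK was never acknowledged.
        while half_open and half_open[0] <= now:
            half_open.popleft()
        # Unanswered SYNs take whatever slots are free.
        for _ in range(flood_rate):
            if len(half_open) < backlog:
                half_open.append(now + timeout_s)
        # A legitimate SYN is dropped if the queue is already full.
        for _ in range(legit_rate):
            attempted += 1
            if len(half_open) < backlog:
                completed += 1
    return completed / attempted

def slots_held(flood_rate, timeout_s):
    """Steady-state slots pinned by unanswered SYNs: arrival rate x hold time."""
    return flood_rate * timeout_s

# Constructed scenarios: (label, backlog, timeout in seconds, flood SYNs per second)
SCENARIOS = [
    ("long timeout, slow flood", 128, 75, 10),
    ("short timeout, slow flood", 128, 9, 10),
    ("short timeout, fast flood", 128, 9, 50),
]

def run_all():
    """Success rate of legitimate clients (5 per second, 300 seconds) per scenario."""
    return {name: simulate(b, t, f, legit_rate=5, duration_s=300)
            for name, b, t, f in SCENARIOS}

if __name__ == "__main__":
    for name, b, t, f in SCENARIOS:
        rate = run_all()[name]
        print(f"{name}: {slots_held(f, t)} slots wanted of {b}, "
              f"{rate:.1%} of legitimate handshakes completed")
```

In this model a shorter timeout keeps the server reachable only while the flood rate multiplied by the timeout stays below the backlog size. Once the rate is high enough the queue fills regardless of the timeout, so timeout tuning alone is a partial mitigation.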
 