[GUIDE] [HOW-TO] prevent SYN Attacks

  1. #1
    Yeah nah, nah yeah Liam
    Rank: Gamma
    Join Date: Dec 2011
    Location: Down under
    Posts: 3,024

    [GUIDE] [HOW-TO] prevent SYN Attacks


    You need to edit and create values in your regedit to limit the time the connection is opened before it drops the connection. And for this, I'll explain how to drop the connection instead of keeping it opened for a longer time;

    * First of all, you'll need to run 'regedit', you can use Run to open it up!

    * Once your registry edit is opened, you'll need to locate yourself to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (This is in the dropdown section - Image shown below)


    * Then you have to Right click on the Services folder, and select New Key and choose DWORD, and for the name, call it SynAttackProtect and give its value 2
    - Setting this to 2, will timeout the connection faster, and it'll drop the connection, instead of keeping the connection open [Server -> User] for a long time.

    * Do the same step as above, but this time the name will be EnableDeadGWDetect and the value will be 0. This will disable the host from sending traffic to an unintended gateway.

    * You will also need to repeat the process as above, but yet again you'll need to make a new one under the name EnablePMTUDiscovery and give it a value of 0. This disables the use of high amounts of resources used on the server, and it will help stop memory overload and crashes.


    Once you've done that, you can now close regedit, and you can then reboot your server, and this will stop/slow down SYN attacks!
    This tutorial was written by me, with research from Google :P

    A SYN attack is where an attacker basically connects to your server, and your server receives this connection, but before the server can reply back to the connector (attacker) they change their IP, this can be done in the programs they use, and the connection between the server and the sender (keep in mind that the sender has now changed their IP, and the server won't be able to reach the sender) - and because the IP's been changed, that means the server is still trying to connect and receive information from your computer/IP, this connection keeps open for a while until it stops, but when the attacker has programs to automatically do this, they can send and change their IP multiple times, and, it's still flooding your server until it goes under a SYN attack, and by using my tutorial, this will reduce the time that the connection from the sender is opened for, and it will reduce SYN floods and help stop attackers.

    This has indeed been tested, and it does actually work!

    Another thing is that SYN floods are also undetectable by normal Anti-DoS firewalls, like KiwiGuard, and connection viewers, like Peerblock, because the IP of the attacker changes for each SYN sent to your server.

    I'll make a video for you guys soon!
    This is also tested, and works!


    Last edited by Liam; 27-07-12 at 07:00 AM.


  2. #2
    Captain of the Universe Rishwin
    Rank: Legend
    Join Date: Oct 2004
    Location: Perth
    Posts: 15,952

    Re: How to prevent SYN Attacks

    Little more info about what you're actually doing and what it is actually for would be useful. This is supposed to be a tutorial outlining all the necessary steps and explaining everything in-depth for the people following this who obviously don't know what they're doing (else they wouldn't need this tut, would they?). Tutorials are not discussions or help threads, you should be conveying all of the necessary information in the tut itself so the reader doesn't have to look elsewhere for clarification or for any questions (which they shouldn't have if you covered everything).



  3. #3
    Yeah nah, nah yeah Liam
    Rank: Gamma
    Join Date: Dec 2011
    Location: Down under
    Posts: 3,024

    Re: How to prevent SYN Attacks

    Originally Posted by Rishwin:
    Little more info about what you're actually doing and what it is actually for would be useful. This is supposed to be a tutorial outlining all the necessary steps and explaining everything in-depth for the people following this who obviously don't know what they're doing (else they wouldn't need this tut, would they?). Tutorials are not discussions or help threads, you should be conveying all of the necessary information in the tut itself so the reader doesn't have to look elsewhere for clarification or for any questions (which they shouldn't have if you covered everything).

    Yes, I understand, and in the event of this, I will indeed be making a video on how to do this. But for now, I've provided the rough essentials. But, I'll update the thread after with more images, and stuff like that. But inexperienced people shouldn't even bother running anything if they can't work with computers.

  4. #4
    Evil Scottish Overlord Junkers
    Rank: Legend
    Join Date: May 2007
    Location: United Kingdom
    Posts: 8,499

    Re: How to prevent SYN Attacks

    It is rather basic. Some folk (e.g. me) don't even know what a SYN attack is. Explain everything so it leaves little room for ambiguity. You never know, someone may have this problem but not know what it is.

  5. #5
    Yeah nah, nah yeah Liam
    Rank: Gamma
    Join Date: Dec 2011
    Location: Down under
    Posts: 3,024

    Re: How to prevent SYN Attacks

    Well, a SYN attack is where an attacker basically connects to your server, and your server receives this connection, but before the server can reply back to the connector (attacker) they change their IP, this can be done in the programs they use, and the connection between the server and the sender (keep in mind that the sender has now changed their IP, and the server won't be able to reach the sender) - and because the IP's been changed, that means the server is still trying to connect and receive information from your computer/IP, this connection keeps open for a while until it stops, but when the attacker has programs to automatically do this, they can send and change their IP multiple times, and, it's still flooding your server until it goes under a SYN attack, and by using my tutorial, this will reduce the time that the connection from the sender is opened for, and it will reduce SYN floods and help stop attackers.

    This has indeed been tested, and it does actually work!

    Another thing is that SYN floods are also undetectable by normal Anti-DoS firewalls, like KiwiGuard, and connection viewers, like Peerblock, because the IP of the attacker changes for each SYN sent to your server.

  6. #6
    Evil Scottish Overlord Junkers
    Rank: Legend
    Join Date: May 2007
    Location: United Kingdom
    Posts: 8,499

    Re: How to prevent SYN Attacks

    Well when you get round to updating your thread, mention all that!

  7. #7
    Yeah nah, nah yeah Liam
    Rank: Gamma
    Join Date: Dec 2011
    Location: Down under
    Posts: 3,024

    Re: How to prevent SYN Attacks

    I shall make a video sometime when I get some software to record my screen.

  8. #8
    Ron
    Rank: The Omega
    Join Date: Apr 2005
    Posts: 9,315

    Re: How to prevent SYN Attacks

    Your definition isn't quite right. On SYN attacks, you just simply don't send the ACK to complete the handshake. The server isn't connecting to anything, it just waits for a reply from its SYN-ACK packet. After a certain timeout period it drops the slot for a new connection.

    No one uses Windows for web servers so this tutorial will only be useful for maybe 50 members on RZ, if that. I'd include a [corrected] definition of a SYN attack to provide people not on Windows at least some kind of useful information.
    RF-Dev Team
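
Added example, not part of the thread: the half-open handshakes Ron describes appear in `netstat -an` output as entries in the SYN_RECEIVED state (SYN_RECV on Linux). This Python script counts them per listening port rather than per source address, since the thread notes the source can change with every SYN; the sample output, the port numbers and the threshold of 5 are constructed assumptions.

```python
from collections import defaultdict

HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}  # Windows / Linux netstat names

# Constructed sample of `netstat -an` output (documentation-range addresses).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:30000          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:30000       198.51.100.7:51515     SYN_RECEIVED
  TCP    192.0.2.10:30000       198.51.100.23:40211    SYN_RECEIVED
  TCP    192.0.2.10:30000       203.0.113.5:1187       SYN_RECEIVED
  TCP    192.0.2.10:30000       203.0.113.88:62001     SYN_RECEIVED
  TCP    192.0.2.10:30000       198.51.100.140:3390    SYN_RECEIVED
  TCP    192.0.2.10:30000       203.0.113.201:27015    SYN_RECEIVED
  TCP    192.0.2.10:30000       198.51.100.9:50100     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.40:49822     SYN_RECEIVED
"""


def half_open_by_port(netstat_text):
    """Map local port -> {"count": n, "sources": set of remote IPs} for half-open entries."""
    stats = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].upper().startswith("TCP"):
            continue
        # The last three columns are local address, remote address and state
        # on both Windows (4 columns) and Linux (6 columns) netstat output.
        local, remote, state = fields[-3], fields[-2], fields[-1]
        if state.upper() not in HALF_OPEN_STATES:
            continue
        port = int(local.rsplit(":", 1)[1])
        stats[port]["count"] += 1
        stats[port]["sources"].add(remote.rsplit(":", 1)[0])
    return dict(stats)


def flag_ports(netstat_text, threshold=5):
    """Return sorted ports whose half-open count reaches the (assumed) threshold."""
    stats = half_open_by_port(netstat_text)
    return sorted(p for p, s in stats.items() if s["count"] >= threshold)


if __name__ == "__main__":
    for port, s in sorted(half_open_by_port(SAMPLE_NETSTAT).items()):
        print(f"port {port}: {s['count']} half-open from {len(s['sources'])} sources")
    print("flagged ports:", flag_ports(SAMPLE_NETSTAT))
```

A per-source counter would see one entry per address in this sample, while the per-port count shows six waiting slots on port 30000.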

  9. #9
    Yeah nah, nah yeah Liam
    Rank: Gamma
    Join Date: Dec 2011
    Location: Down under
    Posts: 3,024

    Re: How to prevent SYN Attacks

    Originally Posted by Ron:
    Your definition isn't quite right. On SYN attacks, you just simply don't send the ACK to complete the handshake. The server isn't connecting to anything, it just waits for a reply from its SYN-ACK packet. After a certain timeout period it drops the slot for a new connection.

    No one uses Windows for web servers so this tutorial will only be useful for maybe 50 members on RZ, if that. I'd include a [corrected] definition of a SYN attack to provide people not on Windows at least some kind of useful information.

    Oh yes your explanation is much better. And I did this for people like Habbo Server owners and stuff like that, because those types of games require a Windows OS. But for people who want to know the main information about SYN attacks;

    An attacker sends a SYN connection, your server waits for a reply from the sender. But since the attacker is using programs which allow them to change their IP, they then send yet ANOTHER SYN connection, and this process repeats and repeats which causes your server to get SYN Attacked. Because your server has a default time for when it drops or kills the connection, it allows the attacker to flood your website much faster.

    So by using this little system tweak, it will drop the SYN connection quicker.

    If you still don't understand here's an easier understanding:
    1. Host A (user) sends a TCP SYN packet to Host B (the server)
    2. Host B (the server) receives Host A's (user's) SYN
    3. Host B (the server) sends a SYN-ACK (Synchronize-Acknowledgement) - Basically the server sends the users computer a confirmation so it can go onto the next step.
    4. Host A (user) receives Host B's (the server's) SYN-ACK
    5. Host A (user) sends ACK(nowledge)
    6. Host B (the server) receives the ACK.
    And after that, the TCP socket connection is established!


    Here's a diagram, thanks to inetdaemon.com:



