Transmission Control Protocol/Internet Protocol (TCP/IP)

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Transmission Control Protocol/Internet Protocol (TCP/IP)

This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.

  • Author
    Posts
  • #2222

    Webmaster
    Keymaster

    Applies To:Windows Server 2003 with SP1
    What does TCP/IP do?
    Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of standard protocols for connecting computers across
    networks.TCP/IP enables Windows-based computers to connectand shareinformation with other Microsoftand nonMicrosoft
    systems.
    Who does this feature apply to?
    All users who useTCP/IP to connectand communicateinformation over a network should beaware of thechanges
    incorporated in Windows Server 2003 Service Pack 1.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    SYN attack protection is enabled by default
    Detailed Description
    When aSYN attack is detected,TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the
    SYN-ACK segmentand does notallocate memory or tableentry resources for theconnection until theTCP three-way
    handshake has been completed.
    A TCP Synchronize(SYN) attack is a denial-of-serviceattack thatexploits theretransmission and time-out behavior of the
    Synchronize-Acknowledgement (SYN-ACK) segment during theTCP three-way handshaketo createa large number of halfopen
    TCP connections. Depending on theTCP/IP protocol implementation,a large number of half-open TCP connections could
    do any of thefollowing:
    Useall available memory.
    Useall possibleentries in theTCP Transmission Control Block (TCB),an internal table used to track TCP connections.
    When the half-open connections useall theentries, further connection attempts areresponded to with aTCP connection
    reset.
    Useall available half-open connections.When all the half-open connections are used, further connection attempts are
    responded to with aTCP connection reset.
    Why is this change important? What threats does it help mitigate?
    To mitigatetheimpact on a hostexperiencing aSYN attack,TCP/IP minimizes theamount of resources devoted to incomplete
    TCP connections and reduces theamount of time beforeabandoning theconnection.When aSYN attack is detected,TCP/IP in
    Windows Server 2003 and Windows XP lowers the number of retransmissions of theSYN-ACK segmentand does notallocate
    memory or tableentry resources for theconnection until theTCP three-way handshake has been completed.
    You can control SYN attack protection through the SynAttackProtect registry setting at
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters(REG_DWORD type). You set
    SynAttackProtect to 0 to disableSYN attack protection and to 1 to enableit.
    For TCP/IP in Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to
    0 by default.For TCP/IP in Windows Server 2003 SP1, SynAttackProtect is set to 1 by default.
    New SYN attack notification IP Helper APIs
    Detailed Description
    To allow an application to notify network administrators thataSYN attack is taking place, theIP Helper API supports new SYN
    attack notification APIs named NotifySecurityHealthChange and CancelSecurityHealthChangeNotify. Information about
    these new APIs has notyet been published in the Microsoft Developer Network (MSDN). A link to the MSDN topics describing
    these new APIs will be posted here when available.
    Smart TCP port allocation
    Detailed Description
    TCP/IP in Windows Server 2003 SP1 has implemented a smartTCP portallocation algorithm.When an application requests
    any availableTCP port,TCP/IP firstattempts to find an available port that does not correspond to a connection in theTIME
    WAITstate. If a port cannot befound, then it picks any available port.
    Why is this change important? What threats does it mitigate?
    When aTCP peer initiates aTCP connection termination and theconnection termination completes, theTCP connection enters
    theTIME WAITstate.When theTIME WAITstateis reached,TCP must wait twicethe maximum segment lifetime(MSL) beforea
    connection with thesameset of socketaddresses can becreated.Theset of socketaddresses consists of thecombination of
    thesourceand destination IP addresses and sourceand destination TCP ports.The MSL is the maximum amount of timeaTCP
    segment can exist in an internetwork,and its recommended valueis 120 seconds.This delay prevents a new connection’s TCP
    segments using thesameset of socketaddresses from being confused with duplicated TCP segments of the old connection.
    TheTCP port for a connection in theTIME WAITstateis considered an available portand can beassigned for use by an
    application.This can lead to thefollowing series of events:
    1. An application requests any availableTCP port.
    2. TCP/IP assigns aTCP port to usefor theapplication socket.
    3. Theapplication attempts to open a socket with a specific destination IP address.
    4. Theapplication establishes aTCP connection and sends data.
    5. Theapplication terminates theTCP connection.
    6. TCP/IP places theapplication’s TCP connection in theTIME WAITstate until 2*MSL has passed.
    7. Thesameapplication requests another availableTCP port.
    8. TCP/IP assigns aTCP port to usefor theapplication socket. Becausethe port for theconnection in theTIME WAITstateis
    considered open, it can bechosen as the next port to assign to therequesting application. AssumethatTCP/IP assigns the
    sameTCP port number.
    9. Theapplication attempts to open a socket with thesame destination IP address.
    10. Becausetheconnection is using thesameset of socketaddresses as theconnection in theTIME WAITstate,TCP/IP
    indicates an error to theapplication.
    Mitigating this error situation required adjusting theregistry settings in one of thefollowing ways:
    Setting the MaxFreeTWTcbs registry setting at
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value.
    Thevalue of MaxFreeTWTcbs controls the number of connections that can bein theTIME WAITstate.When this number is
    exceeded, the oldest connection is automatically removed from theTIME WAITstate.
    Setting the TcpTimedWaitDelay registry setting at
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value.
    Thevalue of TcpTimedWaitDelay determines thelength of timethata connection stays in theTIME WAITstate.
    However, lowering thevalue of theseregistry settings is contrary to the original design of TCP and the MSL and is not
    recommended.
    Therefore,Windows Server 2003 SP1 includes this portallocation algorithm changeto preventan application from creating a
    connection with thesameset of socketaddresses of a connection that is in aTIME WAITstateif another port is available.
    This new behavior makes it much more unlikely thatan application will beassigned aTCP port that is in theTIME WAITstate
    when connecting to thesame destination, so that it is no longer necessary to modify thevalues of the MaxFreeTWTcbs and
    TcpTimedWaitDelay registry keys to avoid theerror situation described above.
    Improved receive Winsock APIs
    Detailed description
    Winsock APIs now supporta mechanism thatallows applications to specify thata receiverequest should not becompleted
    until thereceive buffer is full.This helps reduce network latency and better supports high performanceapplications.For more
    information about the Winsock implementation, see”About the Winsock SPI” on the MSDN Web siteat
    http://go.microsoft.com/fwlink/?LinkId=45684.
    Winsock self-healing
    Detailed description
    Winsock, theconsortium-based networking application programming interface(API), is extensible by a mechanism known as
    the Winsock Service Provider Interface(SPI).TheSPI provides a mechanism for layering providers on top of each other.
    Providers thatarelayered in this fashion arecalled Winsock Layered Service Providers (LSPs).Winsock LSPs areavailablefor a
    widerange of useful purposes, including parental controls and Web content filtering.Thespecific layering order of all
    providers is kept in the Winsock Catalog. In previous versions of Windows Server 2003, improperly removed LSPs (possibly
    dueto poorly implemented LSP install/removal code) could result in corruption of the Winsock Catalog, potentially resulting in
    a loss of all network connectivity.Winsock now has theability to detect improperly removed LSPs and automatically repair
    itself.
    Why is this change important? What threats does it help mitigate?
    Customers need to beableto safely removeLSPs from their systems.
    New Winsock Netsh commands
    Detailed description
    Two new Netsh commands areavailablein Windows Server 2003 Service Pack 1:
    netsh winsock reset catalog
    This command resets the Winsock catalog to the default configuration.This can be useful if a malformed LSP is installed
    that results in loss of network connectivity.While use of this command can restore network connectivity, it should be
    used with care becauseany previously installed LSPs will need to bereinstalled.
    netsh winsock show catalog
    This command displays thelist of Winsock LSPs thatareinstalled on thecomputer.
    Why is this change important? What threats does it help mitigate?
    Thesecommands provideadditional management capabilities for maintaining and troubleshooting Winsock LSPs and can be
    used in a script to aid in recovering from a widespread installation of malformed LSPs.
    New Netstat parameter
    Thefollowing new parameter can be used with the netstat command:
    netstat -b
    Using this parameter with the netstat command displays theexecutableinvolved in creating each connection or listening port.
    In somecases well-known executables host multipleindependent components,and in thesecases thesequence of components
    involved in creating theconnection or listening port is displayed with components being displayed prior to theexecutablethat
    called thecomponent.Theexecutable name will be denoted by brackets ([]) on either side of theexecutable name.
    Note
    Using this parameter can takea considerableamount of timeand might fail if theaccount it is running under does not have
    sufficient permissions to gather theinformation requested.
    What new settings are added in Windows Server 2003 Service Pack 1?
    A new registry key has been added as shown in thetable below.This registry key sets the maximum number of ICMP host
    routes that can beadded.This key should not bechanged unless ICMP is being used to add a large number of host routes.
    Setting name Location Default value
    MaxICMPHostRoutes HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services\Tcpip\Parameters 1000

You must be logged in to reply to this topic.