Transmission Control Protocol/Internet Protocol (TCP/IP)
September 8, 2017 at 3:53 pm #2222
Webmaster
Applies To: Windows Server 2003 with SP1
What does TCP/IP do?
Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of standard protocols for connecting computers across networks. TCP/IP enables Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems.
Who does this feature apply to?
All users who use TCP/IP to connect and communicate information over a network should be aware of the changes incorporated in Windows Server 2003 Service Pack 1.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
SYN attack protection is enabled by default
Detailed Description
When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.
A TCP Synchronize (SYN) attack is a denial-of-service attack that exploits the retransmission and time-out behavior of the Synchronize-Acknowledgement (SYN-ACK) segment during the TCP three-way handshake to create a large number of half-open TCP connections. Depending on the TCP/IP protocol implementation, a large number of half-open TCP connections could do any of the following:
Use all available memory.
Use all possible entries in the TCP Transmission Control Block (TCB), an internal table used to track TCP connections. When the half-open connections use all the entries, further connection attempts are responded to with a TCP connection reset.
Use all available half-open connections. When all the half-open connections are used, further connection attempts are responded to with a TCP connection reset.
Why is this change important? What threats does it help mitigate?
To mitigate the impact on a host experiencing a SYN attack, TCP/IP minimizes the amount of resources devoted to incomplete TCP connections and reduces the amount of time before abandoning the connection. When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.
You can control SYN attack protection through the SynAttackProtect registry setting at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type). You set SynAttackProtect to 0 to disable SYN attack protection and to 1 to enable it.
For TCP/IP in Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to 0 by default. For TCP/IP in Windows Server 2003 SP1, SynAttackProtect is set to 1 by default.
New SYN attack notification IP Helper APIs
Detailed Description
To allow an application to notify network administrators that a SYN attack is taking place, the IP Helper API supports new SYN attack notification APIs named NotifySecurityHealthChange and CancelSecurityHealthChangeNotify. Information about these new APIs has not yet been published in the Microsoft Developer Network (MSDN). A link to the MSDN topics describing these new APIs will be posted here when available.
Smart TCP port allocation
Detailed Description
TCP/IP in Windows Server 2003 SP1 has implemented a smart TCP port allocation algorithm. When an application requests any available TCP port, TCP/IP first attempts to find an available port that does not correspond to a connection in the TIME WAIT state. If such a port cannot be found, then it picks any available port.
Why is this change important? What threats does it mitigate?
When a TCP peer initiates a TCP connection termination and the connection termination completes, the TCP connection enters the TIME WAIT state. When the TIME WAIT state is reached, TCP must wait twice the maximum segment lifetime (MSL) before a connection with the same set of socket addresses can be created. The set of socket addresses consists of the combination of the source and destination IP addresses and source and destination TCP ports. The MSL is the maximum amount of time a TCP segment can exist in an internetwork, and its recommended value is 120 seconds. This delay prevents a new connection's TCP segments using the same set of socket addresses from being confused with duplicated TCP segments of the old connection.
The TCP port for a connection in the TIME WAIT state is considered an available port and can be assigned for use by an application. This can lead to the following series of events:
1. An application requests any available TCP port.
2. TCP/IP assigns a TCP port to use for the application socket.
3. The application attempts to open a socket with a specific destination IP address.
4. The application establishes a TCP connection and sends data.
5. The application terminates the TCP connection.
6. TCP/IP places the application's TCP connection in the TIME WAIT state until 2*MSL has passed.
7. The same application requests another available TCP port.
8. TCP/IP assigns a TCP port to use for the application socket. Because the port for the connection in the TIME WAIT state is considered open, it can be chosen as the next port to assign to the requesting application. Assume that TCP/IP assigns the same TCP port number.
9. The application attempts to open a socket with the same destination IP address.
10. Because the connection is using the same set of socket addresses as the connection in the TIME WAIT state, TCP/IP indicates an error to the application.
Mitigating this error situation required adjusting the registry settings in one of the following ways:
Setting the MaxFreeTWTcbs registry setting at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value. The value of MaxFreeTWTcbs controls the number of connections that can be in the TIME WAIT state. When this number is exceeded, the oldest connection is automatically removed from the TIME WAIT state.
Setting the TcpTimedWaitDelay registry setting at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value. The value of TcpTimedWaitDelay determines the length of time that a connection stays in the TIME WAIT state.
However, lowering the value of these registry settings is contrary to the original design of TCP and the MSL and is not recommended.
Therefore, Windows Server 2003 SP1 includes this port allocation algorithm change to prevent an application from creating a connection with the same set of socket addresses of a connection that is in a TIME WAIT state if another port is available. This new behavior makes it much more unlikely that an application will be assigned a TCP port that is in the TIME WAIT state when connecting to the same destination, so that it is no longer necessary to modify the values of the MaxFreeTWTcbs and TcpTimedWaitDelay registry keys to avoid the error situation described above.
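The allocation rule and the ten-step sequence above can be checked in a small model of one host's port bookkeeping. The following is an added example, not code from this post or from Microsoft; the host addresses, the six-port range and the allocator internals are assumptions made for the demonstration, and TIME WAIT is tracked per local port as a simplification of the real four-tuple tracking.

```python
"""Model of the Windows Server 2003 SP1 smart TCP port allocation described above.

Added example, not Microsoft's code. The host addresses, the tiny port range and the
allocator internals are assumptions made for the demonstration; the behaviour being
modelled is the one the text describes: prefer a free port that is not tied to a
connection in TIME WAIT, and fall back to any free port only when none exists.
"""
from dataclasses import dataclass, field


@dataclass
class TcpStack:
    """Port bookkeeping of one host. TIME WAIT is tracked per local port as a simplification;
    a real stack tracks whole four-tuples."""
    local_ip: str
    smart_allocation: bool = True          # False models the pre-SP1 allocator
    first_port: int = 1025                 # assumed ephemeral range, kept small on purpose
    last_port: int = 1030
    in_use: set = field(default_factory=set)        # ports with an open socket
    time_wait: dict = field(default_factory=dict)   # local port -> (dst_ip, dst_port) in TIME WAIT

    def allocate_port(self) -> int:
        """Hand out a local port. Ports are walked in order so the outcome is deterministic."""
        free = [p for p in range(self.first_port, self.last_port + 1) if p not in self.in_use]
        if not free:
            raise OSError("no ephemeral ports available")
        if self.smart_allocation:
            # SP1: first look for a port with no TIME WAIT entry, otherwise take any free port
            fresh = [p for p in free if p not in self.time_wait]
            port = fresh[0] if fresh else free[0]
        else:
            # pre-SP1: a TIME WAIT port counts as available, so the lowest free port wins
            port = free[0]
        self.in_use.add(port)
        return port

    def connect(self, port: int, dst_ip: str, dst_port: int):
        """Open a connection; the same four-tuple as a TIME WAIT connection is an error (step 10)."""
        if self.time_wait.get(port) == (dst_ip, dst_port):
            self.in_use.discard(port)
            raise OSError(f"local port {port} to {dst_ip}:{dst_port} is still in TIME WAIT")
        return (self.local_ip, port, dst_ip, dst_port)

    def close(self, conn):
        """Active close: the four-tuple sits in TIME WAIT for 2*MSL, but the port is free to allocate."""
        _, port, dst_ip, dst_port = conn
        self.in_use.discard(port)
        self.time_wait[port] = (dst_ip, dst_port)

    def expire_time_wait(self):
        """2*MSL has passed: every TIME WAIT entry may be reused."""
        self.time_wait.clear()


def reconnect_scenario(smart_allocation: bool):
    """Steps 1-10 from the text: connect, close, then immediately reconnect to the same
    destination. Returns (first_port, second_port, error or None)."""
    stack = TcpStack("10.0.0.5", smart_allocation=smart_allocation)
    first = stack.allocate_port()                          # steps 1-2
    stack.close(stack.connect(first, "10.0.0.9", 80))      # steps 3-6
    second = stack.allocate_port()                         # steps 7-8
    try:
        stack.connect(second, "10.0.0.9", 80)              # step 9
        return first, second, None
    except OSError as err:                                 # step 10
        return first, second, str(err)


def fallback_when_range_exhausted():
    """Drive every port of the range into TIME WAIT towards one destination, then allocate again.
    SP1 falls back to a TIME WAIT port rather than failing the allocation; that port still cannot
    reach the same destination, but a different destination is fine.
    Returns (same_destination_ok, other_destination_ok)."""
    stack = TcpStack("10.0.0.5", smart_allocation=True)
    for _ in range(stack.last_port - stack.first_port + 1):
        port = stack.allocate_port()
        stack.close(stack.connect(port, "10.0.0.9", 80))
    port = stack.allocate_port()                           # no fresh port left: fallback path
    try:
        stack.connect(port, "10.0.0.9", 80)
        same_ok = True
    except OSError:
        same_ok = False
    port = stack.allocate_port()
    other_ok = stack.connect(port, "10.0.0.10", 80) is not None
    return same_ok, other_ok


if __name__ == "__main__":
    print("pre-SP1:", reconnect_scenario(smart_allocation=False))
    print("SP1:    ", reconnect_scenario(smart_allocation=True))
    print("exhausted range:", fallback_when_range_exhausted())
```

With the pre-SP1 allocator the model hands out the same port twice and the second connect fails at step 10; with the SP1 rule it moves on to the next port, and only once every port in the range is in TIME WAIT does it fall back to one of them.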
Improved receive Winsock APIs
Detailed description
Winsock APIs now support a mechanism that allows applications to specify that a receive request should not be completed until the receive buffer is full. This helps reduce network latency and better supports high-performance applications. For more information about the Winsock implementation, see "About the Winsock SPI" on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=45684.
Winsock self-healing
Detailed description
Winsock, the consortium-based networking application programming interface (API), is extensible by a mechanism known as the Winsock Service Provider Interface (SPI). The SPI provides a mechanism for layering providers on top of each other. Providers that are layered in this fashion are called Winsock Layered Service Providers (LSPs). Winsock LSPs are available for a wide range of useful purposes, including parental controls and Web content filtering. The specific layering order of all providers is kept in the Winsock Catalog. In previous versions of Windows Server 2003, improperly removed LSPs (possibly due to poorly implemented LSP install/removal code) could result in corruption of the Winsock Catalog, potentially resulting in a loss of all network connectivity. Winsock now has the ability to detect improperly removed LSPs and automatically repair itself.
Why is this change important? What threats does it help mitigate?
Customers need to be able to safely remove LSPs from their systems.
New Winsock Netsh commands
Detailed description
Two new Netsh commands are available in Windows Server 2003 Service Pack 1:
netsh winsock reset catalog
This command resets the Winsock catalog to the default configuration. This can be useful if a malformed LSP is installed that results in loss of network connectivity. While use of this command can restore network connectivity, it should be used with care because any previously installed LSPs will need to be reinstalled.
netsh winsock show catalog
This command displays the list of Winsock LSPs that are installed on the computer.
Why is this change important? What threats does it help mitigate?
These commands provide additional management capabilities for maintaining and troubleshooting Winsock LSPs and can be used in a script to aid in recovering from a widespread installation of malformed LSPs.
New Netstat parameter
The following new parameter can be used with the netstat command:
netstat -b
Using this parameter with the netstat command displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed, with components being displayed prior to the executable that called the component. The executable name is denoted by brackets ([]) on either side of the executable name.
Note
Using this parameter can take a considerable amount of time and might fail if the account it is running under does not have sufficient permissions to gather the information requested.
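From a defender's side the value of this output is in parsing it and comparing the listening sockets against a known baseline for the host. The parser below is an added example, not part of this post or of Microsoft's tools; the netstat output it reads is constructed to the layout described above (component names on their own lines, the executable in brackets, a trailing PID column, and a line noting where ownership could not be read), and the baseline of expected listeners is an assumption for the demonstration.

```python
"""Parser for 'netstat -b' output plus a baseline check over the listening sockets.

Added example, not part of the original page or of Microsoft's tooling. The sample
output below is constructed to match the layout the text describes (component names on
their own lines, executable name in brackets); the baseline of expected listeners is
likewise an assumption for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# connection line: proto, local address, foreign address, then state and/or PID depending on proto
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(.*)$")

# constructed sample, not a real capture
SAMPLE_NETSTAT_B = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    10.0.0.5:3389          0.0.0.0:0              LISTENING       1040
  TermService
 [svchost.exe]
  TCP    10.0.0.5:1031          10.0.0.9:80            ESTABLISHED     2216
 [updater.exe]
  TCP    0.0.0.0:8099           0.0.0.0:0              LISTENING       2340
 [svchost.exe]
  TCP    10.0.0.5:1044          10.0.0.7:139           TIME_WAIT
  Can not obtain ownership information
  UDP    0.0.0.0:161            *:*                                    1228
  SNMP
 [snmp.exe]
"""


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: Optional[str] = None
    pid: Optional[int] = None
    components: List[str] = field(default_factory=list)   # listed before the executable
    executable: Optional[str] = None                        # the bracketed name
    note: Optional[str] = None                              # e.g. ownership could not be read

    @property
    def local_port(self) -> int:
        return int(self.local.rsplit(":", 1)[1])


def parse_netstat_b(text: str) -> List[Connection]:
    """Group each connection line with the component/executable lines that follow it."""
    conns: List[Connection] = []
    current: Optional[Connection] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Active Connections") or line.startswith("Proto"):
            continue
        m = CONN_RE.match(raw)
        if m:
            proto, local, remote, rest = m.groups()
            fields = rest.split()
            current = Connection(proto, local, remote)
            if fields and fields[-1].isdigit():          # PID column, when present
                current.pid = int(fields.pop())
            if fields:                                   # TCP state (UDP has none)
                current.state = fields[0]
            conns.append(current)
        elif current is None:
            continue
        elif line.startswith("[") and line.endswith("]"):
            current.executable = line[1:-1]
        elif line.startswith("Can not obtain"):
            current.note = line
        else:
            current.components.append(line)
    return conns


def unexpected_listeners(conns: List[Connection], baseline: dict) -> List[Connection]:
    """Return listening sockets (TCP LISTENING or any UDP) whose port is not owned by the
    executable the baseline expects, including ports absent from the baseline altogether."""
    flagged = []
    for c in conns:
        listening = c.proto == "UDP" or c.state == "LISTENING"
        if listening and baseline.get(c.local_port) != c.executable:
            flagged.append(c)
    return flagged


# assumed baseline for this host: port -> executable expected to own it
EXPECTED_LISTENERS = {135: "svchost.exe", 445: "System", 3389: "svchost.exe", 161: "snmp.exe"}

if __name__ == "__main__":
    for c in unexpected_listeners(parse_netstat_b(SAMPLE_NETSTAT_B), EXPECTED_LISTENERS):
        print(f"{c.proto} {c.local} pid={c.pid} exe={c.executable} components={c.components}")
```

The PID column is read when present and left empty otherwise, and the note about unobtainable ownership is kept on the record rather than dropped, since the text warns that an under-privileged account produces exactly that gap; against the constructed sample only the listener on port 8099 falls outside the baseline.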
What new settings are added in Windows Server 2003 Service Pack 1?
A new registry key has been added as shown in the table below. This registry key sets the maximum number of ICMP host routes that can be added. This key should not be changed unless ICMP is being used to add a large number of host routes.
Setting name        Location                                                                 Default value
MaxICMPHostRoutes   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters    1000
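The settings named in this post (SynAttackProtect in the SYN attack section, MaxFreeTWTcbs and TcpTimedWaitDelay in the port allocation section, and MaxICMPHostRoutes above) can be audited from a text capture of reg query against the defaults and recommendations stated here. The script below is an added example, not Microsoft's code; the reg query capture it parses is constructed, and it treats an absent value as the SP1 default because the post gives defaults only for SynAttackProtect (1) and MaxICMPHostRoutes (1000).

```python
"""Audit of the Tcpip\\Parameters values this page discusses, from 'reg query' output.

Added example, not Microsoft's code. It parses a text capture of
'reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters' so it runs
anywhere, and compares against what the text states: SynAttackProtect is 1 by default on
SP1 (0 disables it), MaxICMPHostRoutes defaults to 1000, and MaxFreeTWTcbs /
TcpTimedWaitDelay should not be lowered. The sample capture below is constructed.
"""
import re
from typing import Dict, Tuple

# one value line of 'reg query': indented name, type, data
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

SP1_DEFAULTS = {"SynAttackProtect": 1, "MaxICMPHostRoutes": 1000}   # values stated in the text
DO_NOT_LOWER = ("MaxFreeTWTcbs", "TcpTimedWaitDelay")               # text: lowering not recommended

# constructed sample of 'reg query' output, not a real capture
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DataBasePath    REG_EXPAND_SZ    %SystemRoot%\System32\drivers\etc
    SynAttackProtect    REG_DWORD    0x0
    TcpTimedWaitDelay    REG_DWORD    0x1e
    EnableICMPRedirect    REG_DWORD    0x1
"""


def parse_reg_query(text: str) -> Dict[str, Tuple[str, object]]:
    """Return {value name: (type, data)}; REG_DWORD hex data is converted to int."""
    values: Dict[str, Tuple[str, object]] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue                      # key path line, blank lines
        name, rtype, data = m.groups()
        if rtype == "REG_DWORD" and data.lower().startswith("0x"):
            values[name] = (rtype, int(data, 16))
        else:
            values[name] = (rtype, data)
    return values


def audit_tcpip_parameters(reg_output: str) -> Dict[str, str]:
    """One finding per setting. An absent value means the SP1 default is in effect."""
    values = parse_reg_query(reg_output)
    findings: Dict[str, str] = {}

    sap = values.get("SynAttackProtect", ("REG_DWORD", SP1_DEFAULTS["SynAttackProtect"]))[1]
    findings["SynAttackProtect"] = (
        "ok (enabled)" if sap == 1
        else f"value {sap}: SYN attack protection is not enabled, SP1 default is 1"
    )

    routes = values.get("MaxICMPHostRoutes", ("REG_DWORD", SP1_DEFAULTS["MaxICMPHostRoutes"]))[1]
    findings["MaxICMPHostRoutes"] = "ok (1000)" if routes == 1000 else f"non-default value {routes}"

    for name in DO_NOT_LOWER:
        if name in values:
            findings[name] = (f"explicitly set to {values[name][1]}; the SP1 port allocation change "
                              "makes this tuning unnecessary")
        else:
            findings[name] = "ok (system default)"
    return findings


if __name__ == "__main__":
    for setting, finding in audit_tcpip_parameters(SAMPLE_REG_QUERY).items():
        print(f"{setting:20} {finding}")
```

Against the constructed capture the audit reports SynAttackProtect as disabled (value 0) and TcpTimedWaitDelay as an explicit override of 30 seconds, while MaxFreeTWTcbs and MaxICMPHostRoutes are at their defaults; an empty capture reports everything as default.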