Transmission Control Protocol/Internet Protocol (TCP/IP)

      Applies To: Windows Server 2003 with SP1
      What does TCP/IP do?
      Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of standard protocols for connecting computers across
      networks. TCP/IP enables Windows-based computers to connect and share information with other Microsoft and non-Microsoft
      Who does this feature apply to?
      All users who use TCP/IP to connect and communicate information over a network should be aware of the changes
      incorporated in Windows Server 2003 Service Pack 1.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      SYN attack protection is enabled by default
      Detailed Description
      When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the
      SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way
      handshake has been completed.
      A TCP Synchronize (SYN) attack is a denial-of-service attack that exploits the retransmission and time-out behavior of the
      Synchronize-Acknowledgement (SYN-ACK) segment during the TCP three-way handshake to create a large number of half-open
      TCP connections. Depending on the TCP/IP protocol implementation, a large number of half-open TCP connections could
      do any of the following:
      Use all available memory.
      Use all possible entries in the TCP Transmission Control Block (TCB), an internal table used to track TCP connections.
      When the half-open connections use all the entries, further connection attempts are responded to with a TCP connection
      Use all available half-open connections. When all the half-open connections are used, further connection attempts are
      responded to with a TCP connection reset.
      Why is this change important? What threats does it help mitigate?
      To mitigate the impact on a host experiencing a SYN attack, TCP/IP minimizes the amount of resources devoted to incomplete
      TCP connections and reduces the amount of time before abandoning the connection. When a SYN attack is detected, TCP/IP in
      Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate
      memory or table entry resources for the connection until the TCP three-way handshake has been completed.
      You can control SYN attack protection through the SynAttackProtect registry setting at
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type). You set
      SynAttackProtect to 0 to disable SYN attack protection and to 1 to enable it.
      For TCP/IP in Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to
      0 by default. For TCP/IP in Windows Server 2003 SP1, SynAttackProtect is set to 1 by default.
      New SYN attack notification IP Helper APIs
      Detailed Description
      To allow an application to notify network administrators that a SYN attack is taking place, the IP Helper API supports new SYN
      attack notification APIs named NotifySecurityHealthChange and CancelSecurityHealthChangeNotify. Information about
      these new APIs has not yet been published in the Microsoft Developer Network (MSDN). A link to the MSDN topics describing
      these new APIs will be posted here when available.
      Smart TCP port allocation
      Detailed Description
      TCP/IP in Windows Server 2003 SP1 has implemented a smart TCP port allocation algorithm. When an application requests
      any available TCP port, TCP/IP first attempts to find an available port that does not correspond to a connection in the TIME
      WAIT state. If a port cannot be found, then it picks any available port.
      Why is this change important? What threats does it mitigate?
      When a TCP peer initiates a TCP connection termination and the connection termination completes, the TCP connection enters
      the TIME WAIT state. When the TIME WAIT state is reached, TCP must wait twice the maximum segment lifetime (MSL) before a
      connection with the same set of socket addresses can be created. The set of socket addresses consists of the combination of
      the source and destination IP addresses and source and destination TCP ports. The MSL is the maximum amount of time a TCP
      segment can exist in an internetwork, and its recommended value is 120 seconds. This delay prevents a new connection’s TCP
      segments using the same set of socket addresses from being confused with duplicated TCP segments of the old connection.
      The TCP port for a connection in the TIME WAIT state is considered an available port and can be assigned for use by an
      application. This can lead to the following series of events:
      1. An application requests any available TCP port.
      2. TCP/IP assigns a TCP port to use for the application socket.
      3. The application attempts to open a socket with a specific destination IP address.
      4. The application establishes a TCP connection and sends data.
      5. The application terminates the TCP connection.
      6. TCP/IP places the application’s TCP connection in the TIME WAIT state until 2*MSL has passed.
      7. The same application requests another available TCP port.
      8. TCP/IP assigns a TCP port to use for the application socket. Because the port for the connection in the TIME WAIT state is
      considered open, it can be chosen as the next port to assign to the requesting application. Assume that TCP/IP assigns the
      same TCP port number.
      9. The application attempts to open a socket with the same destination IP address.
      10. Because the connection is using the same set of socket addresses as the connection in the TIME WAIT state, TCP/IP
      indicates an error to the application.
      Mitigating this error situation required adjusting the registry settings in one of the following ways:
      Setting the MaxFreeTWTcbs registry setting at
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value.
      The value of MaxFreeTWTcbs controls the number of connections that can be in the TIME WAIT state. When this number is
      exceeded, the oldest connection is automatically removed from the TIME WAIT state.
      Setting the TcpTimedWaitDelay registry setting at
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value.
      The value of TcpTimedWaitDelay determines the length of time that a connection stays in the TIME WAIT state.
      However, lowering the value of these registry settings is contrary to the original design of TCP and the MSL and is not
      Therefore, Windows Server 2003 SP1 includes this port allocation algorithm change to prevent an application from creating a
      connection with the same set of socket addresses of a connection that is in a TIME WAIT state if another port is available.
      This new behavior makes it much more unlikely that an application will be assigned a TCP port that is in the TIME WAIT state
      when connecting to the same destination, so that it is no longer necessary to modify the values of the MaxFreeTWTcbs and
      TcpTimedWaitDelay registry keys to avoid the error situation described above.
      Improved receive Winsock APIs
      Detailed description
      Winsock APIs now support a mechanism that allows applications to specify that a receive request should not be completed
      until the receive buffer is full. This helps reduce network latency and better supports high performance applications. For more
      information about the Winsock implementation, see "About the Winsock SPI" on the MSDN Web site at
      Winsock self-healing
      Detailed description
      Winsock, the consortium-based networking application programming interface (API), is extensible by a mechanism known as
      the Winsock Service Provider Interface (SPI). The SPI provides a mechanism for layering providers on top of each other.
      Providers that are layered in this fashion are called Winsock Layered Service Providers (LSPs). Winsock LSPs are available for a
      wide range of useful purposes, including parental controls and Web content filtering. The specific layering order of all
      providers is kept in the Winsock Catalog. In previous versions of Windows Server 2003, improperly removed LSPs (possibly
      due to poorly implemented LSP install/removal code) could result in corruption of the Winsock Catalog, potentially resulting in
      a loss of all network connectivity. Winsock now has the ability to detect improperly removed LSPs and automatically repair
      Why is this change important? What threats does it help mitigate?
      Customers need to be able to safely remove LSPs from their systems.
      New Winsock Netsh commands
      Detailed description
      Two new Netsh commands are available in Windows Server 2003 Service Pack 1:
      netsh winsock reset catalog
      This command resets the Winsock catalog to the default configuration. This can be useful if a malformed LSP is installed
      that results in loss of network connectivity. While use of this command can restore network connectivity, it should be
      used with care because any previously installed LSPs will need to be reinstalled.
      netsh winsock show catalog
      This command displays the list of Winsock LSPs that are installed on the computer.
      Why is this change important? What threats does it help mitigate?
      These commands provide additional management capabilities for maintaining and troubleshooting Winsock LSPs and can be
      used in a script to aid in recovering from a widespread installation of malformed LSPs.
      New Netstat parameter
      The following new parameter can be used with the netstat command:
      netstat -b
      Using this parameter with the netstat command displays the executable involved in creating each connection or listening port.
      In some cases well-known executables host multiple independent components, and in these cases the sequence of components
      involved in creating the connection or listening port is displayed with components being displayed prior to the executable that
      called the component. The executable name will be denoted by brackets ([]) on either side of the executable name.
      Using this parameter can take a considerable amount of time and might fail if the account it is running under does not have
      sufficient permissions to gather the information requested.
      What new settings are added in Windows Server 2003 Service Pack 1?
      A new registry key has been added as shown in the table below. This registry key sets the maximum number of ICMP host
      routes that can be added. This key should not be changed unless ICMP is being used to add a large number of host routes.
      Setting name         Location                                                                  Default value
      MaxICMPHostRoutes    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters    1000
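
The ten-step TIME WAIT sequence from the "Smart TCP port allocation" section, as an added example that is not part of the original post and is not Microsoft's code. It is a simplified model: the `Stack` class, the port range, the destination address and the "first free port" pre-SP1 allocator are assumptions made for illustration.

```python
MSL = 120            # seconds; the recommended value quoted in the post
TIME_WAIT = 2 * MSL  # how long a closed connection's addresses stay reserved

class Stack:
    """Toy TCP stack for one local IP (a model, not the Windows code)."""
    def __init__(self, ports, smart):
        self.ports = list(ports)  # assumed ephemeral port range
        self.smart = smart        # True models the SP1 allocator
        self.in_use = set()       # local ports bound to open sockets
        self.time_wait = {}       # (local port, destination) -> expiry time
        self.now = 0              # clock in seconds, advanced by the caller

    def _expire(self):
        self.time_wait = {k: t for k, t in self.time_wait.items() if t > self.now}

    def allocate(self):
        """Serve an 'any available TCP port' request."""
        self._expire()
        free = [p for p in self.ports if p not in self.in_use]
        if not free:
            raise OSError("no TCP ports available")
        lingering = {port for port, _ in self.time_wait}
        clean = [p for p in free if p not in lingering]
        # SP1: prefer a port with no TIME WAIT connection, else any free port.
        # Assumed pre-SP1 behaviour: first free port, TIME WAIT or not.
        port = clean[0] if self.smart and clean else free[0]
        self.in_use.add(port)
        return port

    def connect(self, port, dst):
        self._expire()
        if (port, dst) in self.time_wait:
            raise ConnectionError("socket addresses still in TIME WAIT")
        return (port, dst)

    def close(self, conn):
        self.in_use.discard(conn[0])
        self.time_wait[conn] = self.now + TIME_WAIT

def reconnect(stack, dst):
    """Steps 1-10 of the post: connect, close, reconnect to the same dst."""
    first = stack.connect(stack.allocate(), dst)
    stack.close(first)
    port = stack.allocate()
    try:
        stack.connect(port, dst)
        return ("ok", first[0], port)
    except ConnectionError:
        stack.in_use.discard(port)
        return ("error", first[0], port)
```

With a single-port range the SP1 model still returns the error, which is the "picks any available port" fallback described in the post.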
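
One way to use `netstat -b` output for an audit of listening ports, as an added example that is not part of the original post. The sample text is constructed to follow the layout the post describes (component lines first, then the executable in brackets); the addresses, PIDs, `updater.exe` and the expected-executable set are made up.

```python
# Constructed sample, not captured from a real host.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\RPCRT4.dll
  [svchost.exe]

  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2312
  [updater.exe]

  TCP    10.0.0.5:1042          192.0.2.10:80          ESTABLISHED     1500
  Can not obtain ownership information
"""

def parse_netstat_b(text):
    """Return one dict per connection with its components and executable."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        if fields and fields[0] in ("TCP", "UDP") and len(fields) >= 3:
            # UDP rows have no state column; a numeric 4th field is the PID.
            state = fields[3] if len(fields) > 3 and not fields[3].isdigit() else ""
            current = {"proto": fields[0], "local": fields[1], "remote": fields[2],
                       "state": state, "components": [], "exe": None}
            entries.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("[") and line.endswith("]"):
            current["exe"] = line[1:-1]
            current = None  # the bracketed executable closes the entry
        elif line != "Can not obtain ownership information":
            current["components"].append(line)
    return entries

def unexpected_listeners(entries, expected):
    """Listening sockets whose owner is unknown or not in `expected`."""
    hits = []
    for e in entries:
        if e["state"] == "LISTENING" or e["proto"] == "UDP":
            if e["exe"] is None or e["exe"].lower() not in expected:
                hits.append((e["local"], e["exe"]))
    return hits
```

An entry whose owner could not be read keeps `exe` set to `None`, so a run under an account with insufficient permissions shows up as unknown owners rather than as clean results.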
