Transmission Control Protocol/Internet Protocol (TCP/IP)

Applies To: Windows Server 2003 with SP1

What does TCP/IP do?

Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of standard protocols for connecting computers across networks. TCP/IP enables Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems.

Who does this feature apply to?

All users who use TCP/IP to connect and communicate information over a network should be aware of the changes incorporated in Windows Server 2003 Service Pack 1.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

SYN attack protection is enabled by default

Detailed Description

When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.

A TCP Synchronize (SYN) attack is a denial-of-service attack that exploits the retransmission and time-out behavior of the Synchronize-Acknowledgement (SYN-ACK) segment during the TCP three-way handshake to create a large number of half-open TCP connections. Depending on the TCP/IP protocol implementation, a large number of half-open TCP connections could do any of the following:

  • Use all available memory.

  • Use all possible entries in the TCP Transmission Control Block (TCB), an internal table used to track TCP connections. When the half-open connections use all the entries, further connection attempts are responded to with a TCP connection reset.

  • Use all available half-open connections. When all the half-open connections are used, further connection attempts are responded to with a TCP connection reset.

Why is this change important? What threats does it help mitigate?

To mitigate the impact on a host experiencing a SYN attack, TCP/IP minimizes the amount of resources devoted to incomplete TCP connections and reduces the amount of time before abandoning the connection. When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.

You can control SYN attack protection through the SynAttackProtect registry setting at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type). Set SynAttackProtect to 0 to disable SYN attack protection and to 1 to enable it.

For TCP/IP in Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to 0 by default. For TCP/IP in Windows Server 2003 SP1, SynAttackProtect is set to 1 by default.
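An added example (not code from the page or from Windows) that audits the settings named above offline: it parses the REG_DWORD values from a "reg export" of the Tcpip\Parameters key and flags a disabled SynAttackProtect, a TcpTimedWaitDelay shorter than 2*MSL, and an explicit MaxFreeTWTcbs. The sample export text is constructed; the 2*MSL figure is derived from the 120-second MSL the page cites.

```python
import re

# Constructed sample of a "reg export" of the Tcpip\Parameters key (not a real capture).
# It deliberately carries the weakened values an auditor would want flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"TcpTimedWaitDelay"=dword:0000001e
"MaxFreeTWTcbs"=dword:000003e8
"""

TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
MSL = 120  # seconds; 2*MSL is the TIME WAIT interval the page describes

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key path: {value name: int}} for the REG_DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = DWORD_RE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_tcpip_parameters(keys):
    """List deviations from the SP1 defaults and guidance described on this page."""
    params = {}
    for path, values in keys.items():
        if path.lower() == TCPIP_PARAMS.lower():   # registry paths are case-insensitive
            params = {name.lower(): v for name, v in values.items()}
    findings = []
    if params.get("synattackprotect", 1) == 0:     # absent means the SP1 default of 1
        findings.append("SynAttackProtect=0: SYN attack protection is disabled")
    if params.get("tcptimedwaitdelay", 2 * MSL) < 2 * MSL:
        findings.append("TcpTimedWaitDelay below 2*MSL: TIME WAIT shortened against TCP design")
    if "maxfreetwtcbs" in params:
        findings.append("MaxFreeTWTcbs set explicitly: verify it was not lowered")
    return findings
```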

New SYN attack notification IP Helper APIs

Detailed Description

To allow an application to notify network administrators that a SYN attack is taking place, the IP Helper API supports new SYN attack notification APIs named NotifySecurityHealthChange and CancelSecurityHealthChangeNotify. Information about these new APIs has not yet been published in the Microsoft Developer Network (MSDN). A link to the MSDN topics describing these new APIs will be posted here when available.

Smart TCP port allocation

Detailed Description

TCP/IP in Windows Server 2003 SP1 has implemented a smart TCP port allocation algorithm. When an application requests any available TCP port, TCP/IP first attempts to find an available port that does not correspond to a connection in the TIME WAIT state. If a port cannot be found, then it picks any available port.

Why is this change important? What threats does it mitigate?

When a TCP peer initiates a TCP connection termination and the connection termination completes, the TCP connection enters the TIME WAIT state. When the TIME WAIT state is reached, TCP must wait twice the maximum segment lifetime (MSL) before a connection with the same set of socket addresses can be created. The set of socket addresses consists of the combination of the source and destination IP addresses and source and destination TCP ports. The MSL is the maximum amount of time a TCP segment can exist in an internetwork, and its recommended value is 120 seconds. This delay prevents a new connection’s TCP segments using the same set of socket addresses from being confused with duplicated TCP segments of the old connection.

The TCP port for a connection in the TIME WAIT state is considered an available port and can be assigned for use by an application. This can lead to the following series of events:

  1. An application requests any available TCP port.

  2. TCP/IP assigns a TCP port to use for the application socket.

  3. The application attempts to open a socket with a specific destination IP address.

  4. The application establishes a TCP connection and sends data.

  5. The application terminates the TCP connection.

  6. TCP/IP places the application's TCP connection in the TIME WAIT state until 2*MSL has passed.

  7. The same application requests another available TCP port.

  8. TCP/IP assigns a TCP port to use for the application socket. Because the port for the connection in the TIME WAIT state is considered open, it can be chosen as the next port to assign to the requesting application. Assume that TCP/IP assigns the same TCP port number.

  9. The application attempts to open a socket with the same destination IP address.

  10. Because the connection is using the same set of socket addresses as the connection in the TIME WAIT state, TCP/IP indicates an error to the application.

Mitigating this error situation required adjusting the registry settings in one of the following ways:

  • Setting the MaxFreeTWTcbs registry setting at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value. The value of MaxFreeTWTcbs controls the number of connections that can be in the TIME WAIT state. When this number is exceeded, the oldest connection is automatically removed from the TIME WAIT state.

  • Setting the TcpTimedWaitDelay registry setting at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value. The value of TcpTimedWaitDelay determines the length of time that a connection stays in the TIME WAIT state.

However, lowering the value of these registry settings is contrary to the original design of TCP and the MSL and is not recommended.

Therefore, Windows Server 2003 SP1 includes this port allocation algorithm change to prevent an application from creating a connection with the same set of socket addresses of a connection that is in a TIME WAIT state if another port is available.

This new behavior makes it much less likely that an application will be assigned a TCP port that is in the TIME WAIT state when connecting to the same destination, so it is no longer necessary to modify the MaxFreeTWTcbs and TcpTimedWaitDelay registry settings to avoid the error situation described above.
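The ten-step sequence and the SP1 allocation change above, as an added toy model (not code from the page or from Windows): a closed port is returned to the available pool but its socket-address set stays in TIME WAIT for 2*MSL, and the pre-SP1 "any free port" choice is shown beside the SP1 preference for a port with no TIME WAIT entry, including the fallback when every port has one. The port range, the peer address and lowest-port-first reuse are constructed assumptions.

```python
MSL = 120  # seconds: the recommended maximum segment lifetime cited on the page


class EphemeralPortAllocator:
    """Constructed toy model of TCP port allocation before and after SP1 (not Windows code)."""

    def __init__(self, first, last, smart):
        self.free = list(range(first, last + 1))  # ports not bound to an active socket
        self.time_wait = {}                        # (local port, peer) -> expiry time
        self.smart = smart                         # True models the SP1 algorithm

    def _expire(self, now):
        # A TIME WAIT entry is dropped once 2*MSL has passed since the close.
        self.time_wait = {k: t for k, t in self.time_wait.items() if t > now}

    def request_port(self, now):
        """Steps 1-2 and 7-8: hand out 'any available port'."""
        self._expire(now)
        if self.smart:
            busy = {port for port, _ in self.time_wait}
            for port in self.free:             # prefer a port with no TIME WAIT entry
                if port not in busy:
                    self.free.remove(port)
                    return port
        return self.free.pop(0)                # pre-SP1 choice, or SP1 fallback when all are busy

    def connect(self, port, peer, now):
        """Steps 3/9 and 10: fails if this socket-address set is still in TIME WAIT."""
        self._expire(now)
        return (port, peer) not in self.time_wait

    def close(self, port, peer, now):
        """Steps 5-6: the port is available again, but the address set waits 2*MSL."""
        self.time_wait[(port, peer)] = now + 2 * MSL
        self.free.insert(0, port)  # assumption: the released port is the next one considered


def reconnect(smart, gap, first=5000, last=5002):
    """Open, close and reopen a connection to the same peer after `gap` seconds.

    Returns (connect succeeded, port chosen for the second connection)."""
    alloc = EphemeralPortAllocator(first, last, smart)
    peer = ("192.0.2.10", 80)                    # constructed TEST-NET peer address
    port = alloc.request_port(now=0)
    alloc.connect(port, peer, now=0)
    alloc.close(port, peer, now=0)
    port = alloc.request_port(now=gap)
    return alloc.connect(port, peer, now=gap), port
```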

Improved receive Winsock APIs

Detailed description

Winsock APIs now support a mechanism that allows applications to specify that a receive request should not be completed until the receive buffer is full. This helps reduce network latency and better supports high performance applications. For more information about the Winsock implementation, see "About the Winsock SPI" on the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=45684.

Winsock self-healing

Detailed description

Winsock, the consortium-based networking application programming interface (API), is extensible by a mechanism known as the Winsock Service Provider Interface (SPI). The SPI provides a mechanism for layering providers on top of each other. Providers that are layered in this fashion are called Winsock Layered Service Providers (LSPs). Winsock LSPs are available for a wide range of useful purposes, including parental controls and Web content filtering. The specific layering order of all providers is kept in the Winsock Catalog. In previous versions of Windows Server 2003, improperly removed LSPs (possibly due to poorly implemented LSP install/removal code) could result in corruption of the Winsock Catalog, potentially resulting in a loss of all network connectivity. Winsock now has the ability to detect improperly removed LSPs and automatically repair itself.

Why is this change important? What threats does it help mitigate?

Customers need to be able to safely remove LSPs from their systems.

New Winsock Netsh commands

Detailed description

Two new Netsh commands are available in Windows Server 2003 Service Pack 1:

  • netsh winsock reset catalog

    This command resets the Winsock catalog to the default configuration. This can be useful if a malformed LSP is installed that results in loss of network connectivity. While use of this command can restore network connectivity, it should be used with care because any previously installed LSPs will need to be reinstalled.

  • netsh winsock show catalog

    This command displays the list of Winsock LSPs that are installed on the computer.

Why is this change important? What threats does it help mitigate?

These commands provide additional management capabilities for maintaining and troubleshooting Winsock LSPs and can be used in a script to aid in recovering from a widespread installation of malformed LSPs.

New Netstat parameter

The following new parameter can be used with the netstat command:

  • netstat -b

Using this parameter with the netstat command displays the executable involved in creating each connection or listening port. In some cases, well-known executables host multiple independent components; the sequence of components involved in creating the connection or listening port is then displayed, with each component shown before the executable that called it. The executable name is enclosed in brackets ([]).

Note

Using this parameter can take a considerable amount of time and might fail if the account it is running under does not have sufficient permissions to gather the information requested.
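An added example (not code from the page or from Windows) that parses netstat -b output into per-socket records, following the layout described above: a connection line, then any component names, then the calling executable in brackets. The sample output is constructed from that description, so the exact column spacing and the UDP line are assumptions.

```python
import re

# Constructed sample of "netstat -b" output laid out as the page describes: a connection
# line, then any components that created it, then the calling executable in brackets.
SAMPLE_NETSTAT_B = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.0.2.5:1042         198.51.100.7:80        ESTABLISHED
 [iexplore.exe]
  UDP    0.0.0.0:500            *:*
 [lsass.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_b(text):
    """Return one record per socket: proto, local, remote, state, components, executable."""
    records, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            pending = {"proto": m.group(1), "local": m.group(2), "remote": m.group(3),
                       "state": m.group(4) or "", "components": [], "executable": None}
            records.append(pending)
            continue
        if pending is None:
            continue                                   # header text before the first socket
        e = EXE_RE.match(line)
        if e:
            pending["executable"] = e.group(1)         # the bracketed name closes the record
            pending = None
        elif line.strip():
            pending["components"].append(line.strip())  # unbracketed lines are components


    return records


def listeners_by_executable(records):
    """Map each executable to the local addresses it is listening on (TCP LISTENING or UDP)."""
    result = {}
    for r in records:
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            result.setdefault(r["executable"], []).append(r["local"])
    return result
```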

What new settings are added in Windows Server 2003 Service Pack 1?

A new registry key has been added as shown in the table below. This registry key sets the maximum number of ICMP host routes that can be added. This key should not be changed unless ICMP is being used to add a large number of host routes.

Setting name        Location                                                               Default value
MaxICMPHostRoutes   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters  1000