How to protect Windows server from SYN flood

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

Windows Server 2003 R2 – SYN flooding attack protection is enabled by default.
Windows Server 2008 – SYN flooding attack protection is enabled by default but there are other registry configurations independent sources recommend to catch spoofed traffic that may slip from SYNAttackProtect:

To protect the network against SYN attacks, follow these below steps

1) First back up your server and registry settings before you begin with any registry edits.

2) To begin, open your registry editor and go to this registry path:


Set Value as

Value Name		Data Type		Set Value 

SynAttackProtect 	REG_DWORD			2 

Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack.

Also, You can set the below Values which are Recommended values.

Value Name				Value (REG_DWORD)

TcpMaxPortsExhausted			1
IPEnableRouter                          0
TcpMaxHalfOpen	                        500
TcpMaxHalfOpenRetried			400
TcpMaxConnectResponseRetransmissions	3
TcpMaxDataRetransmissions		2
KeepAliveTime				300000 (5 minutes)
NoNameReleaseOnDemand			1

Description of the above value :

TcpMaxPortsExhausted :Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

IPEnableRouter = 0 : To disable all IP forwarding between interfaces

TcpMaxHalfOpen :To limit the total number of half-open connections allowed by the system at any given time

TcpMaxHalfOpenRetried :To fix the number of half-open connections allowed by the system at any given time

TcpMaxConnectResponseRetransmissions :To set any SYN/ACK handshake to time out at 3 seconds and drop the connection at nine (9) seconds

TcpMaxDataRetransmissions :Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

NoNameReleaseOnDemand :Specifies to not release the NetBIOS name of a computer when it receives a name-release request.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

Blocking all traffic except DDoS Protected IP

For extra measure of security it is best to prevent access to your server from any other IP...

Minecraft Servers - Banning User IP Addresses with DDoS Protected Servers

DDoS provides a filter IP XX.XX.XX.X which forwards to your main server IP. When a user...

What is DDoS?

DDoS attacks, or distributed denial-of-service attacks, are attempts to make sites, servers, or...

Protect Linux Servers Against DDoS With IPtables (2018)

There are different ways of building your own anti-DDoS rules for iptables. We will be discussing...

35 Types Of DDoS Attacks

DDoS attacks are a major concern for online businesses. This figure suggests that, in the...