I went and looked this up on Microsoft's official website:
[DOC] Service Pack Overview
http://download.microsoft.com/downl...view_120904.doc
SYN attack protection is enabled by default— To mitigate the impact on a host experiencing a SYN attack, TCP/IP minimizes the amount of resources devoted to incomplete TCP connections and reduces the amount of time before abandoning half-open connections. When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.
Transcript: Windows XP SP2: Windows Firewall, February 9, 2005
http://www.microsoft.com/windowsxp/...5_Feb09_wf.mspx
Grant_MS (Expert):
Q: Is Microsoft intending to remove the cap on the number of sockets a program can open? It only lets an EXE open 20 sockets, I believe.
A: I think that you're referring to the per-process cap on the number of half-open sockets, to prevent your computer from being used in denial of service and other attacks. The number of fully-connected sockets is not subject to this limitation, so an application can get around it simply by not opening sockets faster than they can connect. The limit on half-open sockets is an intended security feature and there is no intention to remove it.
Security Threats
http://www.microsoft.com/technet/ar...t.mspx?mfr=true
The goal of a DoS attack is to prevent hosts or networks from communicating on the network. An example of this type of attack is the SYN flood attack:
When a client attempts to contact a server service, the client and server exchange a series of messages. The client starts by sending a TCP connection request or SYN message to the server. The server responds to the SYN message with an acknowledgement ACK-SYN message. The client then acknowledges the server's ACK-SYN message with an ACK message. After these three actions take place, the connection between the client and server is open and they can exchange service-specific data.
The problem arises when the server has sent the SYN-ACK message back to the client but has not yet received an ACK response from the client. This is now a half-open connection. The server keeps the pending connection in memory, waiting for a response from the client. The half-open connections in memory eventually will time out on the server, freeing up valuable resources again.
Creating these half-open connections is accomplished with IP spoofing. The attacker's system sends a SYN message to the victim's server. These messages seem to be legitimate but in fact are references to a client system that is unable to respond to the server's SYN-ACK message. This means that the server will never be able to send an ACK message to the client computer. The server now has half-open connections in memory and eventually will fill up the server connections. The server now is unable to accept any new connections. The time limit on half-open connections will expire. However, the attacker's system keeps sending IP-spoofed packets faster than the expire limit on the victim's server. In most cases the victim of such an attack will have difficulty accepting any new, legitimate incoming connections.
Microsoft PowerPoint - WORM04.ppt [Read-Only]
http://research.microsoft.com/~helenw/papers/worm04.pdf
Windows XP SP2:Securing the Network
• Windows firewall (ICF)
– On by default
– Stateful: automatically matching inbound traffic with outgoing requests
– Boot time security
– Limit the number of half open TCP connections to 10
– Application affected: those listen for unsolicited traffic (e.g., file/printer sharing, uPnP, remote desktop, remote admin, ICMP options)