Wilders Security Forums  

  #1  
February 27th, 2007, 06:09 PM
delerious
Regular Poster
Join Date: Jul 2006
Posts: 123
Will modifying certain Windows TCP/IP settings affect CHX-I?

I'm running CHX-I on my Windows 2000 system. Some of the things that it lets you configure are fairly low-level, like limiting the number of half-open connections from a single host, and activating SYN flood protection if the number of half-open connections reaches a certain value.

Right now I'm looking at the Windows 2000 Hardening Guide (downloadable from Microsoft), and it recommends that you apply the security templates that come with it. I notice that these templates change certain registry settings, including many under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. Some of these registry settings have to do with SYN attack protection and half-open connections, which are some of the things that CHX-I lets you configure.

So I'm wondering if I were to apply the security templates (which would change those TCP/IP registry settings), would that affect the operation of CHX-I at all? Does anyone know if CHX-I is dependent on those registry settings, or if CHX-I does not use them at all?
  #2  
February 28th, 2007, 12:15 AM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

Hi delerious,
CHX does not make changes to the Windows TCP/IP parameters for the settings you mention. When you make changes within CHX to the limit of connections etc., these settings are made in the registry (for CHX3) at hkey_local_machine\software\third brigade\chxmpf\version 1.0\interfaces\* and are used internally by CHX.

So I do not see CHX being dependent on the TCP/IP entries.
  #3  
February 28th, 2007, 01:23 PM
delerious
Regular Poster
Join Date: Jul 2006
Posts: 123
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

Thank you for the reply, Stem. I have one more question that hopefully you or someone else can answer.

If both the Windows TCP/IP and CHX are configured to protect against SYN attacks, what will happen? Who will intercept incoming packets first? Will CHX handle everything, and Windows TCP/IP will be totally out of the picture? Or will they both be involved somehow?
  #4  
February 28th, 2007, 01:31 PM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

Hi delerious,

Interesting question, I have never checked.

If you get no answer, I will set up on W2K later to check.
  #5  
March 1st, 2007, 06:07 AM
Phant0m
Massive Poster
Join Date: Jun 2003
Location: Canada
Posts: 3,326
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

delerious: It would depend on the configuration of both things. If set properly you can have CHX-I intercept first, and adjusting it to be equal or almost equal may result in the best of both worlds.

Hardening the TCP/IP stack against SYN attacks is also available under Windows XP, even though there have been some changes already.
__________________
"Success is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning." --Dennis Waitley
  #6  
March 1st, 2007, 02:19 PM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

Hi delerious,
Although your question has not been answered, Phant0m's suggestion is probably the easiest/best to do. That would be to set, as an example, the half-open connections limit in the OS to, say, 105, and set the limit for this in CHX to 100 (or a similar difference, depending on the limit you want). It then would not matter which was intercepting first, but as mentioned, you would have the backup if one was to fail.

I did set up to try and check this, but was not given an alert from CHX on the half-open connection limit being reached... or my setup was incorrect. I will try another setup when I have more time.
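The 100/105 layering suggested in the post above, as an added example that is not part of the original thread and is not CHX-I or Windows code: a small model of two half-open limits in series, showing which limit is reached first in either interception order and what happens when the front layer stops limiting. The layer names, the drop-on-limit behaviour and the single-source, no-timeout traffic are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model, not CHX-I or Windows code. Assumptions: one source host,
# half-open entries never complete or time out, and a layer whose limit has
# been reached drops further SYNs instead of passing them on.

@dataclass
class Layer:
    name: str
    limit: Optional[int]              # None = protection off or layer failed
    half_open: int = 0
    tripped_at: Optional[int] = None  # number of the SYN that reached the limit

    def accept_syn(self, syn_no: int) -> bool:
        """Count the SYN and return True if it is passed to the next layer."""
        if self.limit is not None and self.half_open >= self.limit:
            return False
        self.half_open += 1
        if self.half_open == self.limit:
            self.tripped_at = syn_no
        return True


def run(order, limits, syn_count=200):
    """Feed syn_count SYNs through the layers; order[0] is closest to the wire."""
    layers = [Layer(name, limits[name]) for name in order]
    for n in range(1, syn_count + 1):
        for layer in layers:
            if not layer.accept_syn(n):
                break
    return {layer.name: layer.tripped_at for layer in layers}


def first_to_trip(order, limits):
    """Name of the layer whose limit is reached first, or None if none is."""
    tripped = {k: v for k, v in run(order, limits).items() if v is not None}
    return min(tripped, key=tripped.get) if tripped else None


if __name__ == "__main__":
    limits = {"CHX": 100, "stack": 105}        # values from the post above
    print(run(["CHX", "stack"], limits))       # CHX in front of the stack
    print(run(["stack", "CHX"], limits))       # hypothetical reverse order
    print(run(["CHX", "stack"], {"CHX": None, "stack": 105}))  # CHX not limiting
```

In both orderings the 100 limit is reached first; the 105 limit only comes into play when the layer in front of it passes more than 100 half-open connections.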
  #7  
March 2nd, 2007, 01:38 AM
delerious
Regular Poster
Join Date: Jul 2006
Posts: 123
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

Thanks for the replies Phant0m and Stem. I'm starting to get a little confused by this low-level networking stuff.

Will the TCP/IP stack always be involved? Does it always get the incoming packets and then hand them to CHX? Or could CHX be "in front of" the stack, which means that CHX would get all the incoming packets and the stack would never get anything and never do anything?

Stem: are you trying CHX 3.0 or 2.8? I heard there's a difference in driver implementation between the two versions (2.8 uses a filter hook driver and 3.0 uses an NDIS intermediate driver) so that might affect the behavior. I am running 3.0.
  #8  
March 2nd, 2007, 06:35 AM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

delerious,
I am using CHX3.

Thinking about it, CHX3 will be in front of the TCP/IP stack, or the limits/filters imposed within the settings would be of no use, as setting low limits on, say, half-open connections within CHX could make the TCP/IP overflow waiting to pass packets.
  #9  
March 3rd, 2007, 04:37 PM
delerious
Regular Poster
Join Date: Jul 2006
Posts: 123
Re: Will modifying certain Windows TCP/IP settings affect CHX-I?

Stem: you are right. I have discovered that NDIS intermediate drivers work at a lower level than the TCP/IP stack, so CHX will intercept incoming packets first.
 

All times are GMT -4. The time now is 11:22 PM.

