Quote:
Win2K automatically monitors three counters that track the number of active TCP/IP ports and the number of ports in the half-open state to look for potential SYN attacks. When these counters exceed predefined thresholds, Win2K assumes that a SYN DoS attack is in progress. During a SYN DoS attack, TCP queries the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey to determine how to respond. The subkey's SynAttackProtect entry determines the number of retries and the retry interval that TCP uses to time out a connection request. The SynAttackProtect entry has the type REG_DWORD and the value 0, 1, or 2.
Set the value to 1 or 2 on systems that connect directly to the Internet. These settings reduce the number of SYN-ACK retransmissions and the interval between them, which reduces the time that a system waits to time out valid and malicious connection requests. For the best protection against SYN DoS attacks, set the value to 2.
Set the SynAttackProtect entry to 1 or 2 for systems directly accessible from the Internet, especially those you don't protect with a firewall. (To verify that your firewall provides SYN attack and Ping of Death protection, check with the vendor.) Remember that when you implement this deterrent, you change the way the system responds to both valid and DoS connection requests.
Taken from:
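As an added example (not part of the quoted article or this post), a PowerShell snippet that audits the SynAttackProtect entry under the Tcpip\Parameters subkey named above and can set it to 2. The function names are my own; it assumes a Windows host and an elevated session for the write.

```powershell
# Added example: audit and optionally harden the SynAttackProtect entry.
# Assumes Windows and an elevated PowerShell session for Set-SynAttackProtect.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-SynAttackProtectState {
    # Reads the REG_DWORD and interprets it using only the values the quoted
    # text documents (0, 1, 2); anything else is flagged as out of range.
    $item = Get-ItemProperty -Path $TcpipParams -Name 'SynAttackProtect' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value   = $null
        $meaning = 'Entry absent: no explicit SynAttackProtect value is configured'
    } else {
        $value   = [int]$item.SynAttackProtect
        $meaning = switch ($value) {
            0       { 'No SYN attack protection' }
            1       { 'Reduced SYN-ACK retransmissions and retry interval' }
            2       { 'Best protection against SYN DoS attacks (recommended for Internet-facing hosts)' }
            default { 'Unexpected value; documented range is 0-2' }
        }
    }
    [pscustomobject]@{
        Path     = "$TcpipParams\SynAttackProtect"
        Value    = $value
        Meaning  = $meaning
        Hardened = ($value -eq 2)
    }
}

function Set-SynAttackProtect {
    # Writes the REG_DWORD; -WhatIf previews the change without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(1, 2)][int]$Value = 2)
    if ($PSCmdlet.ShouldProcess("$TcpipParams\SynAttackProtect", "Set to $Value")) {
        New-ItemProperty -Path $TcpipParams -Name 'SynAttackProtect' `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

$state = Get-SynAttackProtectState
$state | Format-List
if (-not $state.Hardened) {
    Write-Warning 'SynAttackProtect is not 2; run Set-SynAttackProtect -WhatIf to preview hardening.'
}
```

Remember the quoted caveat: setting 1 or 2 shortens the time-out for legitimate connection requests as well as malicious ones, so check the effect on slow or lossy client links after applying it.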