I would like to make sure that my Windows 2008 servers are hardened against DDoS attacks.
There is a Microsoft TechNet article on Hardening the TCP/IP stack, but it was last revised in January 2006. There is another article (somewhat duplicative) specifically for Windows Server 2003, but I can't find one for Windows Server 2008.
Does anyone know if these protections are already in place in Windows Server 2008's TCP/IP stack or if they are still relevant?
I found a portion of a book on Safari called Windows Server 2008 TCP/IP Protocols and Services that read:
TCP in Windows Server 2008 and Windows Vista use SYN attack protection to prevent a SYN attack from overwhelming the computer.
and
TCP in Windows Server 2008 and Windows Vista no longer supports the TcpMaxConnectResponseRetransmissions, SynAttackProtect, TcpMaxHalfOpen, and TcpMaxHalfOpenRetried registry values.
...but I can't find a mention of the other registry values nor a second source for this information.
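A way to check a server for the four values named in the quoted passage, as an added example that is not part of the original question or of any Microsoft tooling. It assumes the values, if present, sit under the standard `Tcpip\Parameters` key, and the function name `Get-LegacyTcpValue` is hypothetical.

```powershell
# Added example: find leftover SYN-flood registry values from Windows 2000/2003
# hardening templates. Per the book quoted above, the Vista / Server 2008 stack
# no longer supports them, so a hit here means a setting that is not protecting anything.
# Assumption: values live under the standard Tcpip\Parameters key.
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$LegacyNames = 'TcpMaxConnectResponseRetransmissions', 'SynAttackProtect',
               'TcpMaxHalfOpen', 'TcpMaxHalfOpenRetried'

function Get-LegacyTcpValue {
    param(
        [string]$Path = $TcpipKey,
        [string[]]$Names = $LegacyNames
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Names) {
        $member = $null
        if ($props) { $member = $props.PSObject.Properties[$name] }
        $value = $null
        if ($member) { $value = $member.Value }
        # New-Object keeps this compatible with PowerShell 2.0 on Server 2008
        New-Object PSObject -Property @{
            Name    = $name
            Present = [bool]$member
            Value   = $value
        } | Select-Object Name, Present, Value
    }
}

# Kernel version 6.0 and later is the rewritten (Vista / Server 2008) stack
$os = Get-WmiObject -Class Win32_OperatingSystem
$newStack = ([version]$os.Version).Major -ge 6

$found = @(Get-LegacyTcpValue | Where-Object { $_.Present })
foreach ($item in $found) {
    if ($newStack) {
        Write-Warning ("{0} = {1} is set, but is no longer supported on {2}" -f `
            $item.Name, $item.Value, $os.Caption)
    } else {
        Write-Output ("{0} = {1} (pre-Vista stack, value is honoured)" -f `
            $item.Name, $item.Value)
    }
}
if ($found.Count -eq 0) { Write-Output 'No legacy SYN-protection values are set.' }
```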
They re-wrote the TCP/IP stack in Vista/2008 and included many security-related changes.
You may be interested in reading the "Next Generation TCP/IP Stack" document from Microsoft, as it contains links to the new registry settings, enhancements, security protections and more.
Check out the DISA / NSA Windows 2008 Server Security and Technical Implementation Guide (STIG) here (scroll down for Windows guides): DISA IASE Site
The STIG has a number of security tweaks and registry changes designed to harden your network stack (and local machine in general).