[WIN] [XPSP2B] XPSP2 will limit your max. connections/sec
#1
Posted 21 July 2004 - 12:08 AM
Hi
Just found this in my event-log after starting emule:
"EventID 4226
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts"
This is what I got from a Microsoft guy when I asked him why XPSP2 slows down programs like emule which open many connections to different destinations:
"Thanks very much for responding. This new feature is one of the stack's
"springboards", security features designed to proactively reduce the
future threat from attacks like blaster and Sasser that typically spread
by opening connections to random addresses. In fact, if this feature had
already been deployed, Sasser would have taken much longer to spread.
It's not likely to help stop the spread of spam unless spammers are
trying to reach open email relays in the same way, by opening
connections on smtp ports of random IP addresses.
This is new with XP SP2 and we're trying to get it right so that it does
not interfere with normal system operation or performance of normal,
legitimate applications, but does slow the spread of viral code. New
connection attempts over the limit for half-open connections get queued
and worked off at a certain (limited rate)."
If anyone knows how to switch it off please leave a comment...
It's from Warp2search.net
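Before changing anything it is worth confirming that the throttle is actually what is slowing the client. The script below is an added example, not part of the original post and not Microsoft's code. It assumes Windows PowerShell 2.0 or later, the classic System event log readable with Get-EventLog (source "Tcpip"), and netstat.exe on PATH. It counts outbound connections sitting in SYN_SENT, which is exactly the half-open state the limit counts, and tallies event 4226 entries over a time window; the netstat snapshot embedded in it is constructed so the parser can be exercised offline.

```powershell
# Added example, not part of the thread: two checks for whether a host is
# hitting the XP SP2 connect-attempt throttle that logs event 4226.
#   1. count outbound TCP connections sitting in SYN_SENT (half-open attempts)
#   2. count Tcpip event 4226 entries in the System log for a time window
# Assumptions: Windows PowerShell 2.0 or later; the classic System event log
# with source "Tcpip" (Get-EventLog); netstat.exe on PATH.

function Get-HalfOpenTcpCount {
    param(
        # Lines of "netstat -n" output. Defaults to running netstat; pass
        # captured output to inspect a saved snapshot offline.
        [string[]]$NetstatOutput = (& netstat -n)
    )
    # A netstat -n row looks like:
    #   TCP    192.0.2.10:1043    198.51.100.7:4662    SYN_SENT
    # SYN_SENT means our SYN went out and no SYN-ACK has come back yet,
    # i.e. the attempt is one of the half-open connections the limit counts.
    $synSent = @($NetstatOutput | Where-Object {
        $_ -match '^\s*TCP\s+\S+\s+\S+\s+SYN_SENT\s*$'
    })
    return $synSent.Count
}

function Get-Tcpip4226Events {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # EventID 4226 from source Tcpip is the "security limit imposed on the
    # number of concurrent TCP connect attempts" message quoted above.
    # Get-EventLog returns newest entries first.
    @(Get-EventLog -LogName System -Source Tcpip -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 4226 } |
        Select-Object TimeGenerated, EventID, Message)
}

# Constructed sample snapshot (not real output), so the parser can be
# exercised without running netstat:
$SampleNetstat = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State',
    '  TCP    192.0.2.10:1042        203.0.113.5:80         ESTABLISHED',
    '  TCP    192.0.2.10:1043        198.51.100.7:4662      SYN_SENT',
    '  TCP    192.0.2.10:1044        198.51.100.8:4662      SYN_SENT',
    '  UDP    192.0.2.10:4672        *:*'
)

# Report. The half-open count is a point-in-time sample; take several if the
# application opens its connections in bursts.
$halfOpen = Get-HalfOpenTcpCount
$events   = Get-Tcpip4226Events -Hours 24
"SYN_SENT (half-open) connections now   : $halfOpen"
"Tcpip 4226 events in the last 24 hours : $($events.Count)"
if ($events.Count -gt 0) {
    "Most recent 4226 event                 : $($events[0].TimeGenerated)"
}
"Sample snapshot parses to              : $(Get-HalfOpenTcpCount -NetstatOutput $SampleNetstat) half-open"
```

If the SYN_SENT count stays high while 4226 events keep arriving, the application is queueing behind the limit; if 4226 never fires, the slowdown is somewhere else and no registry change will help.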
#8
Posted 22 July 2004 - 02:29 AM
(bell == ringing...) That sounds really familiar. Give this stuff a shot.
Quote
Microsoft published how to harden NT's tcpip stack against these attacks.
The registry hacks documented here are taken from Microsoft sources.
Synattack protection involves reducing the number of retransmissions for
the SYN-ACKS, which will reduce the time for which resources have to remain
allocated. The allocation of route cache entry resources is delayed until a
connection is made. If synattackprotect = 2, then the connection indication
to AFD is delayed until the three-way handshake is completed. Also note that
the actions taken by the protection mechanism only occur if TcpMaxHalfOpen
and TcpMaxHalfOpenRetried settings are exceeded.
Apply the following registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: SynAttackProtect
Type: REG_DWORD
Value: 0
no syn attack protection
Value: 1
reduced retransmission retries and delayed RCE ( route cache entry ) creation
if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied.
Value: 2
adds delayed indication to Winsock to setting of 1
When the system finds itself under attack the following options on any socket
can no longer be enabled : Scalable windows (RFC 1323) and per adapter
configured TCP parameters ( Initial RTT, window size ). This is because when
protection is functioning the route cache entry is not queried before the
SYN-ACK is sent and the Winsock options are not available at this stage of
the connection.
TcpMaxHalfOpen
parameter controls the number of connections in the SYN-RCVD state allowed
before SYN-ATTACK protection begins to operate. If SynAttackProtect is
set to 1, ensure that this value is lower than the AFD listen backlog on
the port you want to protect.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: TcpMaxHalfOpen
Type: REG_DWORD
Value: 100
Professional, Server
Value: 500
Advanced Server
#10
Posted 22 July 2004 - 06:34 AM
XP_2600, on Jul 20 2004, 23:08, said:
Hi
Just found this in my event-log after starting emule:
"EventID 4226
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts"
This is what I get from a Microsoft-Guy when i asked him why XPSP2 slows down programs like emule which open many connections to different destinations:
"Thanks very much for responding. This new feature is one of the stack's
"springboards", security features designed to proactively reduce the
future threat from attacks like blaster and Sasser that typically spread
by opening connections to random addresses. In fact, if this feature had
already been deployed, Sasser would have taken much longer to spread.
It's not likely to help stop the spread of spam unless spammers are
trying to reach open email relays in the same way, by opening
connections on smtp ports of random IP addresses.
This is new with XP SP2 and we're trying to get it right so that it does
not interfere with normal system operation or performance of normal,
legitimate applications, but does slow the spread of viral code. New
connection attempts over the limit for half-open connections get queued
and worked off at a certain (limited rate)."
If anyone knows how to switch it off please leave a comment...
Its from Warp2search.net
This is the key to add to modify the maximum number of simultaneous connections
TcpNumConnections
Key: Tcpip\Parameters
Value Type: REG_DWORD - Number
Valid Range: 0 - 0xfffffe
Default: 0xfffffe
Description: This parameter limits the maximum number of connections that TCP can have open simultaneously.
128 decimal (0x80 hexadecimal) -> 0xfffffe
Hope that fixes it.
#11
Posted 22 July 2004 - 06:49 AM
also reads "Yeah the "fix" does not help, setting it to 0 just makes it go back to default too."
followed by:
I have put the following into the reg to see what effect it would have, and it seems to have stopped the error for the moment..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00000020
This post has been edited by dutchie: 22 July 2004 - 06:55 AM
#12
Posted 22 July 2004 - 06:56 AM
dutchie, on Jul 22 2004, 05:49, said:
I have seen those lines somewhere too but I cannot find the place in my registry to verify it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00000080
original
then change to "TcpNumConnections"=dword:00fffffe
If you don't have TcpNumConnections you can add it to the registry: create a DWORD value with that name.
Remember to restart after that.
I'm testing that and some other possible chains it implicates.
cheers
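Added example, not code from the thread or from Microsoft: a PowerShell script that audits and sets the three values discussed in posts #8, #10 and #12 (SynAttackProtect, TcpMaxHalfOpen, TcpNumConnections) under the key path quoted above, takes a reg.exe backup first, and refuses out-of-range values. It assumes Windows PowerShell 2.0 or later in an elevated prompt and reg.exe on PATH; the target values are the ones the posts give (SynAttackProtect 2, TcpMaxHalfOpen 100 for Professional/Server, TcpNumConnections 0xfffffe), and tcpip.sys only reads them at boot, so a reboot follows. Two caveats the thread itself supports: the quoted Microsoft text describes SynAttackProtect and TcpMaxHalfOpen as acting on inbound connections in the SYN-RCVD state on a listening port, and TcpNumConnections as a cap on the total number of open connections; nothing quoted here documents either as raising the outbound connect-attempt limit behind event 4226, and post #11 reports mixed results, so re-check the event log after the reboot rather than assume the message is gone. Note also that a .reg dword takes eight hex digits (dword:00fffffe), not the 0x form.

```powershell
# Added example, not part of the thread: audit and set the Tcpip\Parameters
# values named in posts #8, #10 and #12 from PowerShell, with a .reg backup
# first, instead of hand-editing the registry.
# Assumptions: Windows PowerShell 2.0 or later in an elevated prompt; reg.exe
# on PATH; key path and value names as quoted in the thread; ranges from the
# quoted Microsoft text (SynAttackProtect 0-2, TcpNumConnections 0-0xfffffe).
# tcpip.sys reads these at boot, so a reboot is needed after changing them.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Documented ranges; anything else is refused before it reaches the registry.
$Ranges = @{
    SynAttackProtect  = @{ Min = 0; Max = 2 }
    TcpMaxHalfOpen    = @{ Min = 0; Max = [uint32]::MaxValue }   # any DWORD
    TcpNumConnections = @{ Min = 0; Max = 0xFFFFFE }
}

# Target profile taken from the posts: post #8 for SynAttackProtect and
# TcpMaxHalfOpen (Professional/Server figure), posts #10/#12 for TcpNumConnections.
$Profile = @(
    @{ Name = 'SynAttackProtect';  Desired = 2 },
    @{ Name = 'TcpMaxHalfOpen';    Desired = 100 },
    @{ Name = 'TcpNumConnections'; Desired = 0xFFFFFE }
)

function Get-TcpipParameter {
    param([Parameter(Mandatory = $true)][string]$Name)
    $item = Get-ItemProperty -Path $TcpipParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent: the stack uses its built-in default
    # The provider hands back a signed Int32; reinterpret it as the unsigned DWORD it is.
    return [uint32]([int64][int32]$item.$Name -band 0xFFFFFFFF)
}

function Set-TcpipParameter {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][uint32]$Value
    )
    if ($Ranges.ContainsKey($Name)) {
        $r = $Ranges[$Name]
        if ($Value -lt $r.Min -or $Value -gt $r.Max) {
            throw ('{0}=0x{1:X} is outside the documented range {2}-{3}' -f $Name, $Value, $r.Min, $r.Max)
        }
    }
    # DWord values go through the provider as Int32, so reinterpret bit-for-bit.
    $raw = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    if ($PSCmdlet.ShouldProcess("$TcpipParams\$Name", ('set DWORD to 0x{0:X8}' -f $Value))) {
        # New-ItemProperty -Force creates the value if missing and overwrites it if present.
        New-ItemProperty -Path $TcpipParams -Name $Name -Value $raw -PropertyType DWord -Force | Out-Null
    }
}

function Backup-TcpipParameters {
    param([string]$Path = (Join-Path $env:TEMP ('Tcpip-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))))
    # reg.exe export produces a .reg file; "reg import <file>" rolls the change back.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Show-TcpipProfile {
    foreach ($p in $Profile) {
        $cur = Get-TcpipParameter -Name $p.Name
        New-Object PSObject -Property @{
            Name    = $p.Name
            Current = $(if ($null -eq $cur) { '(not set)' } else { '0x{0:X} ({0})' -f $cur })
            Desired = '0x{0:X} ({0})' -f $p.Desired
            Matches = ($cur -eq $p.Desired)
        } | Select-Object Name, Current, Desired, Matches
    }
}

function Set-TcpipProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not $WhatIfPreference) { Write-Host ('Backup written to ' + (Backup-TcpipParameters)) }
    foreach ($p in $Profile) {
        # -WhatIf on this function propagates to Set-TcpipParameter via $WhatIfPreference.
        Set-TcpipParameter -Name $p.Name -Value $p.Desired
    }
    Write-Host 'Reboot before expecting tcpip.sys to use the new values.'
}

Show-TcpipProfile | Format-Table -AutoSize
# Set-TcpipProfile -WhatIf   # dry run: shows what would be written
# Set-TcpipProfile           # backs up, writes, then reboot
```

Run it once to see the current versus desired table, then with -WhatIf to confirm the writes, and keep the printed .reg backup path so the change can be reverted with reg import if the event log shows no improvement.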
