Topic: Increase TCPIP connections from 10 to infinite in Win7 safely (Read 13243 times)
Doctor Smith
« on: May 25, 2010, 04:48:43 PM »

How to disable the half-open TCP connections limit in Win 7 safely



So this is disabled by default in Windows 7.

So does that mean it will just build up as many connections as it requires?

~

Short version: yes.


====================================
Real answer: It was never about limiting the number of connections. This mechanism used to limit the number of "half-open" TCP sessions in an effort to slow the propagation of malware from infected machines.

A TCP session between any two machines starts off with what's known as a "3-way handshake", even though there are only two machines. The name stems from the 3 packets required to "establish" the session:

1) Initiator sends a SYN packet informing the target of its intention to communicate and its own "synchronisation" sequence number offset.

2) Target responds with a SYN-ACK letting the initiator know that the first packet has been received ("acknowledged"), and informing the initiator of its own starting sync offset.

3) Initiator responds with an ACK, thereby completing the handshake sequence.

After all that, the session is established and the two sides can send information to each other until they decide to tear the session down.

A "half-open" session is one where the initial SYN (step 1) has been sent, but no response has yet been received. In other words, there's nothing yet to indicate that the target is willing to talk to us, or that it even exists on the IP/port that the SYN was sent to.

The "half-open" throttling mechanism used to limit the number of those not-yet-fully established sessions to a maximum of 10 at any time, because MS (rightly) felt that anything more constituted burst-type activity which was likely associated with malware trying to spread itself as fast as possible.

Given a latency of say 100ms, malware which is throttled in this way will spread much, much slower than if it's completely unbridled and able to initiate thousands of concurrent half-open sessions in an opportunistic fashion (fire off a ****load of SYNs all at once and just work with the targets which respond).

While the vast majority of legit applications don't behave in this manner, the two notable exceptions were torrent clients (stretching the definition of "legit" of course) and server-style apps which some companies ran on Windows clients to decrease their licensing costs. Torrent clients would sometimes bump up against the 10 half-open limit, and that would cause a scary-looking event to be logged. Many torrenters ended up "patching" the TCPIP.SYS driver in an attempt to knock out.




What EnableConnectionRateLimiting does is that if its value is 0 or non-existent (Disabled), the operating system will set the TcpCreateAndConnectTcbRateLimitDepth value to 0 in kernel memory, and the half-open outgoing TCP connections limit is removed immediately, without having to restart. The system will treat the new half-open TCP connections as always 0, and thus bypass the limit comparison altogether. Thus, you will notice that event ID 4226 will no longer be logged in Event Viewer. Likewise, when EnableConnectionRateLimiting is set to 1 (Enabled), TcpCreateAndConnectTcbRateLimitDepth will also be set from 0 to 1 in kernel memory, the OS will calculate the rated speed of
« Last Edit: May 25, 2010, 05:10:13 PM by Doctor Smith » Logged
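
With the OS throttle off, spotting the burst of half-open sessions described in the post above falls to monitoring. The following is an added example, not part of the original post: it tracks unanswered outbound SYNs per host and flags any host whose peak exceeds the old limit of 10. The record layout, the 3-second timeout and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

HALF_OPEN_LIMIT = 10  # the old cap on half-open sessions described in the post

def peak_half_open(records, timeout=3.0):
    """Peak number of concurrently unanswered outbound SYNs per initiator.

    records: (time_s, src, sport, dst, dport, flags) tuples (assumed layout).
    timeout: seconds after which an unanswered SYN is dropped (assumed value).
    """
    pending = defaultdict(dict)  # initiator -> {connection key: SYN time}
    peak = {}
    for t, src, sport, dst, dport, flags in sorted(records):
        if flags == "SYN":
            live = pending[src]
            for key in [k for k, t0 in live.items() if t - t0 > timeout]:
                del live[key]  # gave up waiting: no longer half-open
            live[(src, sport, dst, dport)] = t
            peak[src] = max(peak.get(src, 0), len(live))
        elif flags in ("SYN-ACK", "RST"):
            # The reply travels target -> initiator, so swap the endpoints.
            pending[dst].pop((dst, dport, src, sport), None)
    return peak

def flag_hosts(records, limit=HALF_OPEN_LIMIT, timeout=3.0):
    """Initiators whose peak half-open count exceeded the limit."""
    peaks = peak_half_open(records, timeout)
    return sorted(h for h, p in peaks.items() if p > limit)

def build_sample():
    """Constructed records: one ordinary client and one bursting host."""
    recs = []
    for i in range(3):  # 10.0.0.5: one connection per second, answered in 100 ms
        dst, sport = f"198.51.100.{i + 1}", 50000 + i
        recs.append((float(i), "10.0.0.5", sport, dst, 443, "SYN"))
        recs.append((i + 0.1, dst, 443, "10.0.0.5", sport, "SYN-ACK"))
    for i in range(40):  # 10.0.0.9: 40 SYNs within 40 ms, few targets answer
        t, dst, sport = 5 + i * 0.001, f"203.0.113.{i + 1}", 40000 + i
        recs.append((t, "10.0.0.9", sport, dst, 80, "SYN"))
        if i % 8 == 0:
            recs.append((t + 0.1, dst, 80, "10.0.0.9", sport, "SYN-ACK"))
    return recs

if __name__ == "__main__":
    sample = build_sample()
    print(peak_half_open(sample))
    print(flag_hosts(sample))
```
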