TCP/IP Embryonic Connections

Posted on 1997-04-24
Last Modified: 2013-12-23
Where can I find the setting in NT that is the equivalent of the Unix SOMAXCONN?

For those that don't know, the reason you often get a 60 second delay in loading files from a Web site is due to a low SOMAXCONN setting.  The way it works is like this:

  1) The client contacts the server and asks for a connection.

  2) The server ACKs that and creates an entry in a table whose size is controlled by SOMAXCONN.  The connection is now in an "embryonic" state.

  3) The client ACKs the server, and the connection is properly established.

If there are more outstanding embryonic connections than there are entries in the table, the kernel drops the connection on the floor without telling anyone.  The client then waits 60 seconds before timing out.

This scheme worked great for NNTP, SMTP, FTP, and all the other protocols that were around pre-1991.  But HTTP with its short-lived, multiple connections per client, and with many clients connecting at the same time, creates real problems with this scheme when the table size is too low.  On a great many Unix boxes, the table size is only 5!

I'd like to verify the number used in NT and 95, if someone could point me in the right direction.  Thanks.
Question by:pedxing
2 Comments

Accepted Solution

by:
dmag earned 100 total points
ID: 1559865
You are talking about SYN denial-of-service attack.  For NT, this was addressed in the Service Pack.  The new-connection queue size can vary dynamically, and can be changed per port.  See:

http://www.microsoft.com/kb/articles/q142/6/41.htm


Author Comment

by:pedxing
ID: 1559866
Actually, I am not talking about any kind of an attack.  I am talking about regularly configured web servers that lose standard http connections due to the number of embryonic (or half-open) connections.  In NT, these are identified as SYN_RECEIVED when using netstat.

There are two parameters that control this.  The listen() call allows the Web server to specify how many half-open connections it would like.  The SOMAXCONN (or equivalent in NT) specifies the size of table the kernel creates for monitoring this.  Unfortunately for all of us, if the kernel only allows 10 half-open connections and listen() asks for 500, the listen call will succeed but still only allow no more than 10 simultaneous half-open connections.

A SYN attack, for both a denial-of-service attack and a spoofing attack, can exacerbate the situation because it floods the target machine in the hopes of guessing correctly at one of the returned codes.  But the problem exists even if no attack is going on.

So you see, the service pack may help, but it doesn't let me verify the settings on my machine, which is my goal.

Thanks for the reference, though.  It had a lot of information, some of it relevant.  For example, it appears that I have to investigate the AFD settings in the registry.  Is AFD|Parameters|MaximumDynamicBacklog the setting?  What exactly does "backlog" refer to?  It was also interesting to read that the IIS has a default backlog of 25, and that programs have to be "dynamic backlog aware" in order to take advantage of the dynamic backlog.  How about those that aren't?  What registry setting do they use instead of MaximumDynamicBacklog?

Thanks, you've gotten me closer to my goal and showed me the language to use to ask the question, but I am still not quite there yet.
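The interaction the question and the author comment describe (listen() asks for a large backlog, the kernel silently clamps it, and once the queue is full further SYNs are dropped so the client sits in SYN_SENT until it times out) can be observed directly on a modern Unix host. The following is an added example, not code from the thread; it assumes Linux or another Unix with a working loopback interface, reads net.core.somaxconn as the live equivalent of SOMAXCONN where that file exists, and shortens the client timeout from the 60 seconds mentioned above to half a second so the probe finishes quickly.

```python
import socket


def kernel_backlog_cap():
    """The kernel-wide backlog ceiling (the Unix SOMAXCONN the question asks about).
    On Linux the live value is net.core.somaxconn; elsewhere fall back to the
    compile-time constant Python exposes."""
    try:
        with open("/proc/sys/net/core/somaxconn") as f:  # Linux only
            return int(f.read())
    except OSError:
        return socket.SOMAXCONN


def probe_backlog(backlog, extra=3, timeout=0.5):
    """Listen with the requested backlog but never call accept(), then open
    clients until the kernel's queue is full.  Returns (completed, accepted):
    how many client connect() calls finished the handshake, and how many
    connections the server could later pull out of its queue.  The second
    number is the kernel's real limit (backlog + 1 on Linux); the first is
    what the clients saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)  # succeeds even if backlog > SOMAXCONN; the kernel clamps it
    addr = srv.getsockname()
    clients, completed = [], 0
    for _ in range(backlog + 1 + extra):
        try:
            clients.append(socket.create_connection(addr, timeout=timeout))
            completed += 1
        except OSError:
            # SYN dropped on the floor: connect() stays in SYN_SENT until it
            # times out, the delay the question describes (shortened here).
            break
    srv.setblocking(False)
    accepted = 0
    while True:
        try:
            conn, _ = srv.accept()
        except BlockingIOError:  # queue drained: this is the real capacity
            break
        conn.close()
        accepted += 1
    for c in clients:
        c.close()
    srv.close()
    return completed, accepted


if __name__ == "__main__":
    print("kernel cap:", kernel_backlog_cap())
    print("listen(3) -> completed, accepted:", probe_backlog(3))
```

On kernels that still queue the SYN and drop only the final ACK, completed exceeds accepted: the client believes it is connected while the server side shows the half-open SYN_RECEIVED state the author comment mentions.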
