Solved

TCP/IP Embryonic Connections

Posted on 1997-04-24
407 Views
Last Modified: 2013-12-23
Where can I find the setting in NT that is the equivalent of the Unix SOMAXCONN?

For those that don't know, the reason you often get a 60 second delay in loading files from a Web site is due to a low SOMAXCONN setting.  The way it works is like this:

  1) The client contacts the server and asks for a connection.

  2) The server ACKs that and creates an entry in a table whose size is controlled by SOMAXCONN.  The connection is now in an "embryonic" state.

  3) The client ACKs the server, and the connection is properly established.

If there are more outstanding embryonic connections than there are entries in the table, the kernel drops the connection on the floor without telling anyone.  The client then waits 60 seconds before timing out.

This scheme worked great for NNTP, SMTP, FTP, and all the other protocols that were around pre-1991.  But HTTP with its short-lived, multiple connections per client, and with many clients connecting at the same time, creates real problems with this scheme when the table size is too low.  On a great many Unix boxes, the table size is only 5!

I'd like to verify the number used in NT and 95, if someone could point me in the right direction.  Thanks.
Question by:pedxing
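The behaviour the question describes, a listen() call that succeeds even when the requested backlog exceeds the kernel's cap, can be observed directly. The following is an added example written for this page, not code from the original post: it reads the kernel's runtime cap where Linux exposes it (/proc/sys/net/core/somaxconn) and otherwise falls back to the compile-time SOMAXCONN that Python's socket module exports, then opens a loopback listener with a backlog of 500 and reports what the kernel will actually honour. The function names and the choice of 500 are this example's own.

```python
import socket

SOMAXCONN_PROC = "/proc/sys/net/core/somaxconn"  # Linux runtime cap


def kernel_somaxconn():
    """Return the kernel's cap on the listen() backlog.

    Linux publishes the current value in /proc; on systems without that
    file we fall back to the compile-time constant, which is what the
    original SOMAXCONN (5 on many old Unix boxes) amounted to.
    """
    try:
        with open(SOMAXCONN_PROC) as f:
            value = int(f.read().strip())
            if value > 0:
                return value
    except (OSError, ValueError):
        pass
    return socket.SOMAXCONN


def effective_backlog(requested, cap):
    """Backlog the kernel really uses: the request is silently clamped to the cap."""
    return min(requested, cap)


def open_listener(requested_backlog):
    """Bind an ephemeral loopback port and call listen() with the given backlog.

    listen() does not fail when requested_backlog is larger than the cap;
    the excess is simply ignored, which is exactly why a server that asks
    for 500 can still drop clients once the small kernel table fills up.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    s.listen(requested_backlog)
    return s


if __name__ == "__main__":
    cap = kernel_somaxconn()
    requested = 500
    listener = open_listener(requested)
    port = listener.getsockname()[1]
    print("listening on 127.0.0.1:%d" % port)
    print("requested backlog %d, kernel cap %d, effective %d"
          % (requested, cap, effective_backlog(requested, cap)))
    listener.close()
```

The printed "effective" figure is the number of not-yet-accepted connections the kernel will queue for that socket; anything beyond it is dropped without a reply, and the client sits through its connect timeout. On Linux the cap is also visible as the Send-Q column of `ss -lnt` for a listening socket.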
2 Comments
 
LVL 1

Accepted Solution

by:
dmag earned 100 total points
ID: 1559865
You are talking about SYN denial-of-service attack.  For NT, this was addressed in the service pack.  The new-connection queue size can vary dynamically, and can be changed per port.  See:

http://www.microsoft.com/kb/articles/q142/6/41.htm


Author Comment

by:pedxing
ID: 1559866
Actually, I am not talking about any kind of an attack.  I am talking about regularly configured web servers that lose standard http connections due to the number of embryonic (or half-open) connections.  In NT, these are identified as SYN_RECEIVED when using netstat.

There are two parameters that control this.  The listen() call allows the Web server to specify how many half-open connections it would like.  The SOMAXCONN (or equivalent in NT) specifies the size of the table the kernel creates for monitoring this.  Unfortunately for all of us, if the kernel only allows 10 half-open connections and listen() asks for 500, the listen call will succeed but still only allow no more than 10 simultaneous half-open connections.

A SYN attack, for both a denial-of-service attack and a spoofing attack, can exacerbate the situation because it floods the target machine in the hopes of guessing correctly at one of the returned codes.  But the problem exists even if no attack is going on.

So you see, the service pack may help, but it doesn't let me verify the settings on my machine, which is my goal.

Thanks for the reference, though.  It had a lot of information, some of it relevant.  For example, it appears that I have to investigate the AFD settings in the registry.  Is AFD|Parameters|MaximumDynamicBacklog the setting?  What exactly does "backlog" refer to?  It was also interesting to read that the IIS has a default backlog of 25, and that programs have to be "dynamic backlog aware" in order to take advantage of the dynamic backlog.  How about those that aren't?  What registry setting do they use instead of MaximumDynamicBacklog?

Thanks, you've gotten me closer to my goal and showed me the language to use to ask the question, but I am still not quite there yet.
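The comment above points out that half-open connections show up in netstat as SYN_RECEIVED (NT) or SYN_RECV (Unix), which makes netstat output a cheap way to watch whether a server is approaching its backlog limit. The following is an added example for this page, not code from the original thread: it counts half-open connections per local port from netstat-style lines and flags ports whose count reaches a threshold. The sample lines are constructed for the example, the addresses are documentation ranges, and the function names and the threshold are this example's own assumptions.

```python
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}  # Unix and NT spellings

# Constructed sample in `netstat -an` layout; not a real capture.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:51002        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.11:51003        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.12:51004        ESTABLISHED
tcp        0      0 10.0.0.5:25             198.51.100.7:4100       SYN_RECEIVED
tcp        0      0 10.0.0.5:443            192.0.2.13:51005        ESTABLISHED
"""


def local_port(address):
    """Port number from 'host:port'; the last colon-separated field also
    works for IPv6 text such as '::1:80'."""
    return int(address.rsplit(":", 1)[1])


def count_half_open(lines):
    """Map local port -> number of connections sitting in a half-open state.

    Accepts an iterable of netstat output lines; header lines and
    connections in other states are ignored.
    """
    counts = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp4", "tcp6"):
            continue
        state = fields[-1]
        if state not in HALF_OPEN_STATES:
            continue
        port = local_port(fields[3])
        counts[port] = counts.get(port, 0) + 1
    return counts


def ports_at_or_above(counts, threshold):
    """Ports whose half-open count has reached the threshold, busiest first.

    A sensible threshold is a fraction of the effective backlog for that
    port; with a kernel table of 5 entries, 2 or 3 already warrants a look.
    """
    hot = [p for p, n in counts.items() if n >= threshold]
    return sorted(hot, key=lambda p: (-counts[p], p))


if __name__ == "__main__":
    counts = count_half_open(SAMPLE_NETSTAT.splitlines())
    for port, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print("port %d: %d half-open" % (port, n))
    print("ports at/above threshold 2:", ports_at_or_above(counts, 2))
```

To run it against a live machine, pipe the output of `netstat -an` into `count_half_open` instead of the constructed sample. A count that stays near the effective backlog while clients report connection timeouts is the symptom the question describes, whether or not anyone is deliberately flooding the port.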
