Solved

TCP/IP Embryonic Connections

Posted on 1997-04-24
2
400 Views
Last Modified: 2013-12-23
Where can I find the setting in NT that is the equivalent of the Unix SOMAXCONN?

For those that don't know, the reason you often get a 60 second delay in loading files from a Web site is due to a low SOMAXCONN setting.  The way it works is like this:

  1) The client contacts the server and asks for a connection.

  2) The server ACKs that and creates an entry in a table whose size is controlled by SOMAXCONN.  The connection is now in an "embyonic" state.

  3) The client ACKs the server, and the connection is properly established.

If there are more outstanding embryonic connections than there are entries in the table, the kernel drops the connection on the floor without telling anyone.  The client then waits 60 seconds before timing out.

This scheme worked great for NNTP, SMTP, FTP, and all the other protocols that were around pre-1991.  But HTTP with its short-lived, multiple connections per client, and with many clients connecting at the same time, creates real problems with this scheme when the table size is too low.  On a great many Unix boxes, the table size is only 5!

I'd like to verify the number used in NT and 95, if someone could point me in the right direction.  Thanks.
0
Comment
Question by:pedxing
2 Comments
 
LVL 1

Accepted Solution

by:
dmag earned 100 total points
ID: 1559865
You are talking about SYN denial-of-service attack.  For NT, this was addressed in the service Pack.  The new-connection queue size can vary dynamically, and can be changed per port.  See:

http://www.microsoft.com/kb/articles/q142/6/41.htm

0
 

Author Comment

by:pedxing
ID: 1559866
Actually, I am not talking about any kind of an attack.  I am talking about regularly configured web servers that lose standard http connections due to the number of embryonic (or half-open) connections.  In NT, these are identified as SYN_RECEIVED when using netstat.

There are two parameters that control this.  The listen() call allows the Web server to specify how many half-open connections it would like.  The SOMAXCONN (or equivalent in NT) specifies the size of table the kernel creates for monitoring this.  Unfortunately for all of us, if the kernel only allows 10 half-open connections and listen() asks for 500, the listen call will succeed but still only allow no more than 10 simultaneous half-open connections.

A SYN attack, for both a denial-of-service attack and a spoofing attack, can exacerbate the situation because it floods the target machine in the hopes of guessing correctly at one of the returned codes.  But the problem exists even if no attack is going on.

So you see, the service pack may help, but it doesn't let me verify the settings on my machine, which is my goal.

Thanks for the reference, though,  It had a lot of information, some of it relevant.  For example, it appears that I have to investigate the AFD settings in the registry.  Is AFD|Parameters|MaximumDynamicBacklog the setting?  What exactly does "backlog" refer to?  It was also interesting to read that the IIS has a default backlog of 25, and that programs have to be "dynamic backlog aware" in order to take advantage of the dynamic backlog.  How about those that aren't?  What registry setting do they use instead of MaximumDynamicBacklog?

THanks, you've gotten me closer to my goal and showed me the language to use to ask the question, but I am still not quite there yet.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
Resolve DNS query failed errors for Exchange
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question