
TCP/IP Embryonic Connections

Posted on 1997-04-24
Last Modified: 2013-12-23
Where can I find the setting in NT that is the equivalent of the Unix SOMAXCONN?

For those that don't know, the reason you often get a 60 second delay in loading files from a Web site is due to a low SOMAXCONN setting.  The way it works is like this:

  1) The client contacts the server and asks for a connection.

  2) The server ACKs that and creates an entry in a table whose size is controlled by SOMAXCONN.  The connection is now in an "embryonic" state.

  3) The client ACKs the server, and the connection is properly established.

If there are more outstanding embryonic connections than there are entries in the table, the kernel drops the connection on the floor without telling anyone.  The client then waits 60 seconds before timing out.

This scheme worked great for NNTP, SMTP, FTP, and all the other protocols that were around pre-1991.  But HTTP with its short-lived, multiple connections per client, and with many clients connecting at the same time, creates real problems with this scheme when the table size is too low.  On a great many Unix boxes, the table size is only 5!

I'd like to verify the number used in NT and 95, if someone could point me in the right direction.  Thanks.
Question by:pedxing
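The queue behaviour the question describes, as an added example that is not part of the original post: a Python script creates a loopback listener with a deliberately small backlog, never calls accept(), and then opens more connections than the backlog allows. The clients whose SYN was dropped get no SYN-ACK and are left sitting in SYN_SENT, with no error reported to them, which is exactly the "dropped on the floor without telling anyone" case. The function name probe_backlog is mine, and the script assumes Linux loopback semantics: the accept queue holds backlog + 1 completed connections, a SYN arriving at a full queue is silently discarded, and the client's first SYN retransmission happens after about one second, so the short observation window below sees the stuck clients before they retry. On NT the limit is the AFD backlog discussed in this thread, but the script itself is written against the Unix-style socket API.

```python
import errno
import select
import socket
import time


def probe_backlog(backlog, attempts, wait=0.3, settle=0.02):
    """Open `attempts` non-blocking connections to a loopback listener that
    was created with listen(backlog) and never calls accept().

    Returns (completed, pending): clients whose three-way handshake finished
    versus clients still waiting for a SYN-ACK after `wait` seconds.

    `settle` is a short pause between connects so each handshake finishes
    before the next SYN arrives; without it the kernel may still SYN-ACK a
    client it later refuses to promote out of SYN_RECV, which would make the
    client-side count look higher than the queue really is.
    (Assumption: Linux kernel behaviour; other stacks differ.)"""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # loopback only, ephemeral port
    srv.listen(backlog)
    port = srv.getsockname()[1]

    clients = []
    for _ in range(attempts):
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        c.setblocking(False)
        rc = c.connect_ex(("127.0.0.1", port))
        # A non-blocking connect normally returns EINPROGRESS and finishes later.
        assert rc in (0, errno.EINPROGRESS), rc
        clients.append(c)
        time.sleep(settle)

    completed, failed = set(), set()
    deadline = time.monotonic() + wait
    while True:
        unresolved = [c for c in clients if c not in completed and c not in failed]
        timeout = deadline - time.monotonic()
        if not unresolved or timeout <= 0:
            break
        _, writable, _ = select.select([], unresolved, [], timeout)
        for c in writable:
            # Once writable, SO_ERROR carries the outcome of the connect.
            if c.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
                completed.add(c)
            else:
                failed.add(c)

    # Anything neither completed nor failed is a client whose SYN went
    # unanswered: it is still in SYN_SENT, waiting to retransmit.
    pending = len(clients) - len(completed) - len(failed)
    for c in clients:
        c.close()
    srv.close()
    return len(completed), pending


if __name__ == "__main__":
    done, stuck = probe_backlog(backlog=2, attempts=6)
    print(f"listen(2), no accept(): {done} handshakes completed, "
          f"{stuck} clients left waiting in SYN_SENT")
```

With backlog 2 and six clients, two or three handshakes complete (the extra one is the well-known off-by-one in the Linux accept-queue check) and the rest get nothing back. Raising `wait` past the client's retransmission timer only makes the stuck clients retry into the same full queue; they keep waiting until their own connect timeout, which is the delay the question is about.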
Comments

Accepted Solution by: dmag
You are talking about a SYN denial-of-service attack.  For NT, this was addressed in the Service Pack.  The new-connection queue size can vary dynamically, and can be changed per port.  See:

http://www.microsoft.com/kb/articles/q142/6/41.htm

Author Comment by: pedxing
Actually, I am not talking about any kind of an attack.  I am talking about regularly configured web servers that lose standard http connections due to the number of embryonic (or half-open) connections.  In NT, these are identified as SYN_RECEIVED when using netstat.

There are two parameters that control this.  The listen() call allows the Web server to specify how many half-open connections it would like.  The SOMAXCONN (or equivalent in NT) specifies the size of the table the kernel creates for monitoring this.  Unfortunately for all of us, if the kernel only allows 10 half-open connections and listen() asks for 500, the listen call will succeed but still allow no more than 10 simultaneous half-open connections.

A SYN attack, for both a denial-of-service attack and a spoofing attack, can exacerbate the situation because it floods the target machine in the hopes of guessing correctly at one of the returned codes.  But the problem exists even if no attack is going on.

So you see, the service pack may help, but it doesn't let me verify the settings on my machine, which is my goal.

Thanks for the reference, though.  It had a lot of information, some of it relevant.  For example, it appears that I have to investigate the AFD settings in the registry.  Is AFD|Parameters|MaximumDynamicBacklog the setting?  What exactly does "backlog" refer to?  It was also interesting to read that the IIS has a default backlog of 25, and that programs have to be "dynamic backlog aware" in order to take advantage of the dynamic backlog.  How about those that aren't?  What registry setting do they use instead of MaximumDynamicBacklog?

Thanks, you've gotten me closer to my goal and showed me the language to use to ask the question, but I am still not quite there yet.
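One way to check a host for the symptom pedxing describes, half-open connections piling up behind a listener, as an added example that is not from the original thread: a small Python parser that reads `netstat -n` output, counts the SYN_RECEIVED (Windows) or SYN_RECV (Linux) entries per local port, and flags ports whose count is approaching the backlog the server was started with. The netstat lines below are constructed for the example, not captured from a real host; the function names and the 80% threshold are my own choices, and the backlog value to compare against has to come from the server configuration (the comment above mentions IIS defaulting to 25). Both netstat layouts end in `<local> <remote> <STATE>`, so the parser takes those fields from the tail of each line instead of relying on column positions.

```python
from collections import Counter

# Constructed sample: a Windows NT style block followed by a Linux style
# block, so the parser is exercised on both layouts.  Made up for this
# example, not output from a real machine.
SAMPLE_NETSTAT = """\
  TCP    10.0.0.5:80      203.0.113.7:51234    SYN_RECEIVED
  TCP    10.0.0.5:80      203.0.113.8:40211    SYN_RECEIVED
  TCP    10.0.0.5:80      203.0.113.9:40212    ESTABLISHED
  TCP    10.0.0.5:25      198.51.100.3:2501    SYN_RECEIVED
  TCP    10.0.0.5:80      203.0.113.10:4420    TIME_WAIT
tcp        0      0 10.0.0.5:80        203.0.113.11:3001   SYN_RECV
tcp        0      0 10.0.0.5:80        203.0.113.12:3002   SYN_RECV
tcp        0      0 10.0.0.5:443       203.0.113.13:3003   ESTABLISHED
tcp        0      0 0.0.0.0:80         0.0.0.0:*           LISTEN
"""

# The server-side name for an embryonic connection on each platform.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def parse_netstat(text):
    """Yield (local_port, state) for every TCP line in netstat -n output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        local, state = fields[-3], fields[-1]
        # rsplit keeps IPv6 literals such as [::1]:80 intact.
        port = int(local.rsplit(":", 1)[1])
        yield port, state


def half_open_per_port(text):
    """Count SYN_RECEIVED / SYN_RECV entries per local port."""
    counts = Counter()
    for port, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            counts[port] += 1
    return dict(counts)


def ports_near_backlog(text, backlog, threshold=0.8):
    """Local ports whose half-open count is at or above threshold * backlog.

    `backlog` must be the listen() backlog the server actually got (the
    kernel cap wins over what the program asked for), so it is an input
    here rather than something read from netstat."""
    limit = backlog * threshold
    return sorted(p for p, n in half_open_per_port(text).items() if n >= limit)


if __name__ == "__main__":
    print("half-open per port:", half_open_per_port(SAMPLE_NETSTAT))
    # backlog sized down to 5 so the constructed sample trips the check
    print("ports near backlog(5):", ports_near_backlog(SAMPLE_NETSTAT, backlog=5))
```

A steady count near the backlog on a single port, with no attack traffic, is the signature of the problem in this thread: the listener is accepting too slowly or the effective backlog is lower than the one the program asked for. A sudden spike from many unrelated source addresses is the SYN-flood case dmag mentioned; the count alone does not distinguish them, so the remote addresses are worth keeping when you adapt this to a real capture.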