Solved

TCP/IP Embryonic Connections

Posted on 1997-04-24
2
423 Views
Last Modified: 2013-12-23
Where can I find the setting in NT that is the equivalent of the Unix SOMAXCONN?

For those that don't know, the reason you often get a 60 second delay in loading files from a Web site is due to a low SOMAXCONN setting.  The way it works is like this:

  1) The client contacts the server and asks for a connection.

  2) The server ACKs that and creates an entry in a table whose size is controlled by SOMAXCONN.  The connection is now in an "embyonic" state.

  3) The client ACKs the server, and the connection is properly established.

If there are more outstanding embryonic connections than there are entries in the table, the kernel drops the connection on the floor without telling anyone.  The client then waits 60 seconds before timing out.

This scheme worked great for NNTP, SMTP, FTP, and all the other protocols that were around pre-1991.  But HTTP with its short-lived, multiple connections per client, and with many clients connecting at the same time, creates real problems with this scheme when the table size is too low.  On a great many Unix boxes, the table size is only 5!

I'd like to verify the number used in NT and 95, if someone could point me in the right direction.  Thanks.
0
Comment
Question by:pedxing
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Accepted Solution

by:
dmag earned 100 total points
ID: 1559865
You are talking about SYN denial-of-service attack.  For NT, this was addressed in the service Pack.  The new-connection queue size can vary dynamically, and can be changed per port.  See:

http://www.microsoft.com/kb/articles/q142/6/41.htm

0
 

Author Comment

by:pedxing
ID: 1559866
Actually, I am not talking about any kind of an attack.  I am talking about regularly configured web servers that lose standard http connections due to the number of embryonic (or half-open) connections.  In NT, these are identified as SYN_RECEIVED when using netstat.

There are two parameters that control this.  The listen() call allows the Web server to specify how many half-open connections it would like.  The SOMAXCONN (or equivalent in NT) specifies the size of table the kernel creates for monitoring this.  Unfortunately for all of us, if the kernel only allows 10 half-open connections and listen() asks for 500, the listen call will succeed but still only allow no more than 10 simultaneous half-open connections.

A SYN attack, for both a denial-of-service attack and a spoofing attack, can exacerbate the situation because it floods the target machine in the hopes of guessing correctly at one of the returned codes.  But the problem exists even if no attack is going on.

So you see, the service pack may help, but it doesn't let me verify the settings on my machine, which is my goal.

Thanks for the reference, though,  It had a lot of information, some of it relevant.  For example, it appears that I have to investigate the AFD settings in the registry.  Is AFD|Parameters|MaximumDynamicBacklog the setting?  What exactly does "backlog" refer to?  It was also interesting to read that the IIS has a default backlog of 25, and that programs have to be "dynamic backlog aware" in order to take advantage of the dynamic backlog.  How about those that aren't?  What registry setting do they use instead of MaximumDynamicBacklog?

THanks, you've gotten me closer to my goal and showed me the language to use to ask the question, but I am still not quite there yet.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question