One of the security improvements in Windows XP SP2 is a limit on the number of simultaneous incomplete outbound TCP connection attempts (connects for which a SYN has been sent but no SYN/ACK or RST has come back). The limit is 10 such half-open attempts at any one time, not 10 connections per second as it is often described, and it adversely affects a number of p2p applications, which open many connections to peers in parallel. To find out whether you are affected, check your System Event Log for Tcpip warnings with event ID 4226.
It won't be a surprise to anyone that the community came up with a “fix”, a patch actually, that changes some bits in the tcpip.sys file. This is not something I would condone, so I won't link to it. My question is, does anyone know of a non-invasive way to override this limit (perhaps through the registry)? Could someone comment on the appropriate way for a p2p application to get around this new limit?
Here's the relevant excerpt from a TechNet document on sp2 changes:
Limited number of simultaneous incomplete outbound TCP connection attempts
Detailed description
The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.
Why is this change important? What threats does it help mitigate?
This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.
What works differently?
This change may cause certain security tools, such as port scanners, to run more slowly.
How do I resolve these issues?
Stop the application that is responsible for the failing connection attempts.
posted @ Wednesday, August 11, 2004 11:14 PM
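The post asks what the appropriate way is for a p2p application to live with this limit. By the TechNet text quoted above, no rate limiting occurs as long as an application never has more than the permitted number of incomplete outbound connects outstanding, so the application-side answer is to bound its own half-open connects rather than patch tcpip.sys. The Python below is an added example written for this page, not code from the post or from any p2p application; it assumes the limit of 10 stated above, and it substitutes constructed loopback listeners (reachable peers) and closed loopback ports (unreachable peers) for real targets so it runs offline.

```python
import errno
import select
import socket
import time

# The XP SP2 ceiling the post describes: at most this many outbound connects
# may be half-open (SYN sent, no SYN/ACK or RST back yet) at any one time.
HALF_OPEN_LIMIT = 10

# Codes a non-blocking connect() returns while the handshake is still in flight.
# 10035 is WSAEWOULDBLOCK, which Winsock uses where BSD sockets use EINPROGRESS.
_IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN, 10035}


class ConnectThrottle:
    """Drive many outbound TCP connects while never letting more than
    `limit` of them be half-open at once, so the stack's limiter is never hit."""

    def __init__(self, limit=HALF_OPEN_LIMIT, timeout=2.0):
        self.limit = limit
        self.timeout = timeout
        self.peak_in_flight = 0  # most half-open connects seen at one time

    def _start(self, target, in_flight, results):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        err = s.connect_ex(target)
        if err == 0:                      # completed immediately (possible on loopback)
            results[target] = "connected"
            s.close()
        elif err in _IN_PROGRESS:         # SYN sent: this one now counts against the limit
            in_flight[s] = (target, time.monotonic() + self.timeout)
        else:                             # failed synchronously, e.g. an immediate RST
            results[target] = errno.errorcode.get(err, str(err))
            s.close()

    def _finish(self, s, in_flight, results):
        target, _ = in_flight.pop(s)
        err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        results[target] = "connected" if err == 0 else errno.errorcode.get(err, str(err))
        s.close()

    def connect_all(self, targets):
        pending = list(targets)
        in_flight = {}   # socket -> (target, deadline)
        results = {}     # target -> "connected" | errno name | "timeout"
        while pending or in_flight:
            # Top up the half-open set, but only up to the limit.
            while pending and len(in_flight) < self.limit:
                self._start(pending.pop(0), in_flight, results)
            self.peak_in_flight = max(self.peak_in_flight, len(in_flight))
            if not in_flight:
                continue
            socks = list(in_flight)
            # A finished connect becomes writable; Winsock reports failures in the
            # exceptional set instead, so watch both and read SO_ERROR to tell them apart.
            _, writable, failed = select.select([], socks, socks, 0.05)
            for s in set(writable) | set(failed):
                self._finish(s, in_flight, results)
            now = time.monotonic()
            for s in [s for s, (_, deadline) in in_flight.items() if deadline < now]:
                target, _ = in_flight.pop(s)
                results[target] = "timeout"
                s.close()
        return results


def demo(limit=HALF_OPEN_LIMIT, n_live=4, n_dead=20):
    """Constructed scenario: a few loopback listeners stand in for reachable peers
    and ports nothing listens on stand in for peers that are gone. Returns the
    per-target outcome and the peak number of half-open connects observed."""
    listeners = []
    for _ in range(n_live):
        l = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        l.bind(("127.0.0.1", 0))
        l.listen(16)
        listeners.append(l)
    live = [l.getsockname() for l in listeners]
    # Bind throwaway sockets to learn free ports, then close them so connects there are refused.
    spares = []
    for _ in range(n_dead):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        spares.append(s)
    dead = [s.getsockname() for s in spares]
    for s in spares:
        s.close()
    throttle = ConnectThrottle(limit=limit)
    results = throttle.connect_all(dead + live)   # dead addresses first, like a worm-style burst
    for l in listeners:
        l.close()
    return {"results": results, "live": live, "dead": dead,
            "peak_in_flight": throttle.peak_in_flight}


if __name__ == "__main__":
    out = demo()
    print("peak half-open connects:", out["peak_in_flight"], "(limit", HALF_OPEN_LIMIT, ")")
    for target, outcome in sorted(out["results"].items()):
        print(target, outcome)
```

Nothing here touches tcpip.sys or the registry: the application simply refuses to have more than `limit` SYNs outstanding, which is the condition under which the TechNet text says no rate limiting occurs. One caveat: the stack enforces the limit for the whole machine, so another process burning half-open slots can still push this application into the queue; event 4226 in the System log remains the way to spot that.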