How to patch tcp connection limit?


melodylife


I can't actually help you with this but whilst I am here, can anyone shed any light on whether doing this to people's computers is legal or not? I am not talking about patching TCPIP.SYS - I am talking about what Microsoft are doing.

Your machine is capable of having more than 65,000 open connections at one time, in other words, your machine, or any machine used in any company, in general, is capable of connecting to 65,000+ other machines.

What Microsoft do is limit this from 65,000+ down to just TEN.

Is that legal?

Since it is your hardware they are messing with, do they even have a legal right to do this to people's machines?

What does a company do when they need to connect to an 11th computer? Look at the productivity losses that this causes. Do Microsoft have a warning on their so-called "hotfix" telling people it will limit their connection from 65,000 down to just 10? Even if they did have a warning, which I highly doubt they do, it would still not make it legal if it is in fact not legal.

They need to be sued, by every individual.

Edited by LeveL

Very unlikely - I am almost 100% sure it won't work.

If you're going to do that make sure you save a copy of TCPIP.SYS somewhere!

Remember, Vista does not have TCPIP.SY_ in an I386 folder like all other previous versions of Windows - yet another of the hundreds or even thousands of reasons why I wouldn't go near Vista with a barge pole.

INSTALL.WIM ?????????????? :blink:

What the hell were Microsoft thinking? Why have they made Vista so all the files are locked away in a WIM image? They are complete TOOLS for doing that, how does locking all the files away in a WIM image help anyone? Just proves really that Microsoft are obviously not out to help people, I think the discerning among us can see that.

Edited by LeveL

> I can't actually help you with this but whilst I am here, can anyone shed any light on whether doing this to people's computers is legal or not? I am not talking about patching TCPIP.SYS - I am talking about what Microsoft are doing.
>
> Your machine is capable of having more than 65,000 open connections at one time, in other words, your machine, or any machine used in any company, in general, is capable of connecting to 65,000+ other machines.
>
> What Microsoft do is limit this from 65,000+ down to just TEN.
>
> Is that legal?
>
> Since it is your hardware they are messing with, do they even have a legal right to do this to people's machines?
>
> What does a company do when they need to connect to an 11th computer? Look at the productivity losses that this causes. Do Microsoft have a warning on their so-called "hotfix" telling people it will limit their connection from 65,000 down to just 10? Even if they did have a warning, which I highly doubt they do, it would still not make it legal if it is in fact not legal.
>
> They need to be sued, by every individual.

Aside from the LEGAL standpoint, what about TECHNICAL reasons? I'm not familiar with the standards, but where in the world is this limitation defined (apart from Microsoft)? Something like an RFC or some ISO page... Does anybody know? Or (what I suspect) did Microsoft completely INVENT this for our own good (as usual)? I haven't heard it exists in any other OS.

I'm talking about the 10 half-open connection limit introduced in XP SP2. Since the original poster said that it's the same in Vista, I have no reason to believe the opposite. Before someone comes up with the usual "it's no big deal" defence, I must say that I have witnessed with my own eyes the impact of this limitation. I had dialup only until recently and this limit devastated P2P programs. As insane as it might seem, they worked quite satisfactorily before SP2. This limitation CRIPPLED the NUMBER of PEERS that the program connects to, effectively KILLING P2P programs. I think this extremity (dialup speed) showed the true intent behind this artificial limitation. And let's not forget that, by itself, any P2P program is not necessarily illegal. For example, Skype also uses P2P technology (but I don't know if it's affected by this).

The alleged purpose, limiting the speed of spreading of worms/trojans, is quite effectively debunked here.

GL

Edited by GrofLuigi

For the most part it's built-in to keep people from running XP or Vista as a server OS - the server versions of Windows have no such connection limitations, whereas the desktop OS products are limited to 10 connections on purpose mostly for this reason. Microsoft wants you to purchase a server OS version to run on a server (or a workstation you're using as a server, which I guess does make it a server :)).


> For the most part it's built-in to keep people from running XP or Vista as a server OS - the server versions of Windows have no such connection limitations, whereas the desktop OS products are limited to 10 connections on purpose mostly for this reason. Microsoft wants you to purchase a server OS version to run on a server (or a workstation you're using as a server, which I guess does make it a server :)).

Exactly. But they shouldn't advertise it as a security enhancement.

GL


> > For the most part it's built-in to keep people from running XP or Vista as a server OS - the server versions of Windows have no such connection limitations, whereas the desktop OS products are limited to 10 connections on purpose mostly for this reason. Microsoft wants you to purchase a server OS version to run on a server (or a workstation you're using as a server, which I guess does make it a server :)).
>
> Exactly. But they shouldn't advertise it as a security enhancement.
>
> GL

Well, I think you're thinking of the limit on OUTBOUND incomplete connections, which is a security enhancement - if not for the user themselves, then for the rest of us. There is a limit on COMPLETE outbound connections, but it's around 65,000, and that's actually a 32bit limitation, rather than a Windows limitation.

The 10 connections I was referring to was the 10 INBOUND connection limit, which is designed to get people to purchase a server product for a machine hosting more than 10 inbound connections. The OP (melodylife) did not specify inbound or outbound, so I assumed outbound as the OP did not specifically state that this was about incomplete outbound connections, but connections in general.

In short, there are limitations in Windows client OSes on inbound and outbound connections:

- 10 incoming connections, always enforced

- 10 outbound connections, when connections are considered "incomplete" (half-open)

- 65,536 outbound connections, when connections are considered "complete"


I am also interested in increasing the number of connections. Isn't there any hacker in the entire world who can do it? All you have to do is find the number 10 in hex in the file, change it to 100 and then update the crc. It can't be that difficult! After all, this was accomplished on WinXP!


Wow, this FUD is still doing the rounds...

Assuming that the issue is the outbound TCP/IP connection restriction brought in with XP SP2, no it is not "illegal" for Microsoft to implement a design change to their OS which you are running.

The article linked which "debunks the value" of the hotfix is erroneous also - it is not capping outbound connections at 10 per second; that would just create a bottleneck for genuine LAN-based activity.

The real change was to introduce a limit on the number of OUTBOUND, HALF OPEN connections over the TCP protocol - at any given time there can be a maximum of 10 connections in the "SYN" (synchronize) state.

As soon as the TCP handshake has taken place to establish the session, the connection is no longer HALF open and does not count towards the limit.

So how does this help protect against worms?

An infected client machine attempts to connect to IP addresses, as it has no idea of where "real" potential victim machines might be - early worms simply worked their way up the subnet increasing the address 1 at a time, and later versions randomized it and had algorithms to favour infecting local machines but also attempt those in other subnets.

Pre-SP2, the client could use every single source port available in attempting to locate and infect other machines - around 64,512 - and it could send those requests as fast as the OS could forward them on.

Result: very rapidly-spreading worm

Now, say the worm still generates a list of addresses it is going to try to infect and runs on a post-SP2 system.

First of all the rate at which the connection attempts can be made is unrestricted, until the 10 "half open" limit is hit - in the case of this worm's behaviour it should cause the system to trip the limit almost immediately.

Let's say half of the 10 addresses were valid and completed the session setup request, now there are 5 more outbound TCP connections that can be attempted and the next 5 in the list are tested.

Of these 5, only 2 respond, so the next 2 in the list are tested.

Let's say for argument's sake that the last 2 do not respond, so now the client has hit the limit of 10 half-open TCP connection attempts and will not make any more until at least 1 has timed out or completed.

Result: very slowly-spreading worm (not at a rate of "10 per second")

So why does this affect P2P so badly?

Very bad design of P2P, basically.

Users like to employ firewalls, which is great, only this makes their machines completely unresponsive to connection requests on unadvertised ports.

P2P clients obtain a list of peers and seeds for a given file, and then blindly attempt to connect to every single one of them to query them.

Result: if the first 10 in the list that the client tries to connect to are all firewalled (so never get the request) then the client is unable to send any more connection requests until at least 1 has timed out.

The P2P system would benefit from using a "pingback" UDP method to first verify the connectivity and availability between peers, so that those behind NAT routers or using firewalls will not affect performance for everyone else quite so badly.

I don't believe Skype is affected by this issue, I have certainly not had any problems with it - probably as it is transmitting realtime data and so it can't waste time on peers that aren't able to assist with routing traffic.

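The walkthrough above (10 attempts, 5 answer, then 5 more, 2 answer, then the client is stuck until a half-open attempt times out) and the P2P "first 10 peers are firewalled" case can be modelled as a small discrete-time simulation. This is an added example, not code from the thread or from Windows; the tick-based timeout, the peer lists and the `pingback_filter` stand-in for the UDP pingback idea are constructed assumptions.

```python
from collections import deque

HALF_OPEN_LIMIT = 10   # the SP2 cap on outbound connections in the SYN-sent state
TIMEOUT_TICKS = 20     # constructed: ticks an unanswered SYN keeps its slot


def simulate(peers, ticks, limit=HALF_OPEN_LIMIT, timeout=TIMEOUT_TICKS):
    """Step the model `ticks` times over `peers` (True = peer answers the SYN).

    Returns (completed, attempted, last_syn_tick): handshakes finished, SYNs
    sent, and the tick on which the final SYN left the machine.
    """
    queue = deque(range(len(peers)))  # peers not yet tried, in list order
    half_open = []                    # (peer index, tick its SYN was sent)
    completed = attempted = 0
    last_syn_tick = None
    for tick in range(ticks):
        kept = []
        for idx, start in half_open:
            if peers[idx]:                 # SYN-ACK arrived: session up, slot freed
                completed += 1
            elif tick - start < timeout:   # no reply yet, still occupying a slot
                kept.append((idx, start))
            # else: the attempt timed out (e.g. dropped by a firewall) and is freed
        half_open = kept
        while queue and len(half_open) < limit:   # the cap counts half-open only
            half_open.append((queue.popleft(), tick))
            attempted += 1
            last_syn_tick = tick
    return completed, attempted, last_syn_tick


def pingback_filter(peers):
    """Stand-in for the UDP 'pingback' the post proposes: hand the TCP
    connector only the peers that answered a cheap reachability probe."""
    return [p for p in peers if p]


# Constructed peer lists.  The worm list is the post's walkthrough (5 of the
# first 10 answer, 2 of the next 5, none of the last 2) plus 10 extra targets.
WORM_TARGETS = ([True] * 5 + [False] * 5 + [True] * 2 + [False] * 5
                + [True] * 3 + [False] * 7)
# A P2P swarm whose first 10 listed peers are all behind silent firewalls.
SWARM = [False] * 10 + [True] * 10

if __name__ == "__main__":
    print("worm, pre-SP2 (no cap):", simulate(WORM_TARGETS, 30, limit=10**6))
    print("worm, SP2 cap of 10:   ", simulate(WORM_TARGETS, 30))
    print("p2p, blind connect:    ", simulate(SWARM, 30))
    print("p2p, pingback first:   ", simulate(pingback_filter(SWARM), 30))
```

With the cap the worm's last SYN goes out only after the first batch of dead attempts times out, while the swarm that probes reachability first never waits on a firewalled peer at all.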

Cluberti:

Of course I was talking about the outgoing conn. limit, first implemented by Microsoft in XP SP2, aka Event ID 4226. That's what the OP asked, although the discussion slipped towards XP a little.

I didn't know there was a limit on the inbound connections. Well, it might be the same as the familiar XP limit of 10 users connecting to the machine simultaneously (file and printer sharing AND/OR terminal services) - that's what differentiates it from the Server. But a limit on ANY inbound tcp/ip connection is a different thing in my book. Oh well, I guess we could just go on living with it as before, as nobody has reported problems with that yet. Ignorance is sometimes bliss... and that confirms the old one "if you want server, buy server OS". :)

65535 is another funny number, apart from being a nice round number in hex, I don't know if there is any reason to limit the number of total connections... But if we accept the above logic of server vs workstation OS, no objections here.

Mr Snrub:

Very nice explanation, and very true. But, we may never know if it was effective and if, since its introduction, it has saved millions of machines out there or not. I look at the issue (of virus busting) the other way around: yet today, if you check your firewall, you see tens of hits per minute. I think that pre-SP2 machines are still the majority on the Internet (and infected SP2 machines). So, if you are the target, it makes no difference - you are still being hit, and if unprotected, this limit won't save you. Might be OK for the future, but by that time virus writers will catch up...

What is not OK is the manner of implementation (breaking existing programs) and the inability to turn it off. As I have said, I have witnessed with my own eyes how this thing cripples P2P on slow connections (although by that time, all P2P programs had configuration options to lower the number of conn. attempts per second - nevertheless, Event ID 4226 appeared almost instantly).

So, until new programs/protocols appear that implement the connection more robustly (as you suggest), we're stuck with what... 100s of P2P programs that we used until recently? Microsoft appeared to care about legacy applications in the past (even dragged DOS compatibility for decades), but now... Wait, wasn't it around SP2 when they introduced their own P2P protocol? Everything is just too convenient here.

GL


Sorry for double post, I just noticed this:

> no it is not "illegal" for Microsoft to implement a design change to their OS which you are running.

While I agree with your conclusions/explanations and respect your knowledge, this sentence sent chills down my spine. With this concept I will never agree. Accepting the risk of being struck or worse for going off-topic, I will just try to be short:

If you BUY a car, are you not allowed to open the hood? Are you not allowed to change oil yourself? Are you not allowed to install non-factory (better) parts (i.e. tires)? Are you not allowed to smash it into a wall if you feel like it (of course, assuming nobody gets hurt)? What have I bought when I bought XP?

Mr Snrub, nothing personal, it was not directed at you. I just see this much too often recently, I had to let it off my chest.

GL


You can always reinstall the system with SP1 and not install any further updates if you wish.

For me as a corporate IT manager and programmer I must say it was a very good design change.

Take an aggressive virus like Sasser and place it on a corporate net. With SP2, the outbreak rate will be much lower and therefore there will probably be bandwidth left to fight the outbreak on. With SP1 it will consume everything directly.

When it comes to problems with P2P software: this is no backward compatibility issue. Two-way handshakes will never be the right way of doing connections, it has never been either. It's pure bugs in that code that should have been fixed from the first day they wrote their apps.
