TCP/IP limitations of some desktop versions of Windows
Some desktop versions of Microsoft Windows limit the number of concurrent half-open (incomplete) outbound TCP connection attempts. The affected versions include:
- Windows XP with Service Pack 2 (SP2)
- Windows XP with Service Pack 3 (SP3)
- Windows Vista
- Windows Vista with Service Pack 1 (SP1)
Service Pack 2 (SP2) for Windows Vista removes the limit. By default, Windows Vista with SP2 has no limit on the number of half-open outbound TCP connections.
The limit was intended to slow down certain viruses and worms, which spread by attempting to connect to a large number of random IP addresses.
However, the drawback of this connection limit is that the functionality of legitimate network monitoring applications, such as NetCrunch, can be negatively affected: a monitoring application opens many connections at once, and some of the monitored hosts may be down, so the limit can significantly slow down the network monitoring process and delay connections to the event database.
AdRem Software recommends installing NetCrunch Server on a machine running Windows Server 2008 or Windows Server 2003.
Explanation
The TCP/IP stack from Windows XP with Service Pack 2 (SP2) to Windows Vista with Service Pack 1 (SP1) limits the number of concurrent, incomplete outbound TCP connection attempts.
When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged.
Establishing connection-rate limitations helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in failed connections, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.
Details of the Windows Event Log record written when the limit is reached
- Product: Windows Operating System
- ID: 4226
- Source: TCPIP
- Symbolic Name: EVENT_TCPIP_TCP_CONNECT_LIMIT_REACHED
- Message: TCP/IP has reached the security limit imposed on the number of concurrent (incomplete) TCP connect attempts.
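To check whether a monitoring host is actually hitting this limit, the event above can be counted from the System log and grouped by hour; a steady trickle points to a monitoring workload with unreachable hosts, while a sudden burst is the worm-like pattern the limit was designed around. This is an added example, not part of the original article or of NetCrunch; the event source name `Tcpip` and the per-hour threshold are assumptions.

```powershell
# Added example (not from the original article or the NetCrunch product).
# Counts TCPIP event 4226 ("security limit ... on concurrent (incomplete) TCP
# connect attempts") in the System log and groups the hits by hour, so an
# administrator can see whether, and when, the half-open limit is being reached.
# Uses Get-EventLog so it also runs on the Windows PowerShell 2.0 available on
# XP/Vista. The source name 'Tcpip' and the threshold value are assumptions.
function Get-TcpConnectLimitEvents {
    param(
        [int]$Hours = 24,           # how far back in the log to look
        [int]$PerHourThreshold = 5  # hourly count treated as a burst (assumed value)
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Filter on EventID rather than InstanceId: InstanceId carries extra
    # qualifier bits, while EventID is the plain 4226 shown in the record.
    $events = Get-EventLog -LogName System -Source Tcpip -After $since `
                           -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 4226 }

    if (-not $events) {
        Write-Output "No event 4226 records in the last $Hours hour(s); the half-open limit was not reached."
        return
    }

    $events |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        ForEach-Object {
            $note = if ($_.Count -ge $PerHourThreshold) { 'BURST' } else { '' }
            New-Object PSObject -Property @{
                Hour  = $_.Name
                Count = $_.Count
                Note  = $note
            }
        }
}

# Report the last 24 hours; run in an elevated prompt on the affected host.
Get-TcpConnectLimitEvents -Hours 24 | Format-Table Hour, Count, Note -AutoSize
```

Hours flagged BURST that coincide with NetCrunch scan cycles indicate the monitoring workload is the cause; hours flagged with no corresponding legitimate activity deserve a closer look at what on the host is opening connections.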