General discussion

Locked

Limit on TCP connection attempts

By sheiba ·
Source: TcpIp
Event I 4226
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
(Tcpip.sys file size: 359,808 bytes)

I have the Firewall set to 'don't allow exceptions' Maybe this setting has created that event ID.


MS have limited the concurrent connections for XP SP2 (where the tcpip.sys file size is 359,808 bytes) to 10. It appears that a security download has changed the file from the original size 359,040 bytes to 359,808.
This in turn has altered the offset from file size 359,040 with the offset 4F433 hex to some unknown offset. Is their work around or does someone knows the new offset. I do not like to have unresolved errors on our systems. I can not locate a registry entry either. Nor is MS helpful.

Anyone know????

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Concurrent Connections

by BFilmFan In reply to Limit on TCP connection a ...

You have more than 10 IP connections.

XP can only have 10 IP connections.

Collapse -

Is that the question?

by stress junkie In reply to Concurrent Connections

My first impression was the same as yours. That's because the original post started talking about concurrent connections at the end of the post. However the beginning of the post cites a MS error code and definition about the TCP connection rate. I'm wondering if the writer is confusing two issues, and if the first issue is the result of using syn flood protection. If it is a case of the firewall taking evasive action in the face of a syn packet flood then there is nothing wrong.

???

Maybe. Maybe not. The original post is a bit unclear to me.

Collapse -

Agreed

by BFilmFan In reply to Is that the question?

Perhaps they can clarify what they are discussing.

Collapse -

concurrent connection

by sheiba In reply to Agreed

Sorry about being unclear.
The event code suggests that I have exceeded my 10 concurrent connections and that the security policy has been enforced.
In reality their are no 10 or more connections.
No sync flooding, pinging etc.
I have set the firewall (windows) to 'no exceptions'. My router has all the security setting that protect the network from attack.
I do not get spam, virus etc, and all the pc's are permantly on the net.
The problem is that MS says that I have exceeded the concurrent connection limit. Is it because I have set the PC firewall to 'no exceptions'? If so, then it is a false positive.
This error does not occur on Windows Xp Pro x64.

Collapse -

Event ID 4226

by danny In reply to Limit on TCP connection a ...

Remove the limit on TCP connection attempts

Windws XP SP2 introduces a few new twists to TCP/IP in order to babysit users and "reduce the threat" of worms spreading fast without control. In one such attempt, the devs seem to have limited the number of possible TCP connection attempts per second to 10 (from unlimited in SP1). This argumentative feature can possibly affect server and P2P programs that need to open many outbound connections at the same time.

Rant: The forward thinking of Microsoft developers here is that you can only infect 10 new systems per second via TCP/IP ?!?... If you also consider that each of those infected computers will infect 10 others at the same rate:
second 1: 1+10 computers
second 2: 10+10*10 computers (110 new ones)
second 3: 10+100*10 computers ( 1110 new ones)
second 4: 10+1000*10 computers (11110 new ones)
....
all the way to 10*60 + 10^60 computers in a single minute (that's a number with 60 digits, or it would far exceed Earth's population). Even if we consider that 90% of those computers are unreachable/protected, one would still reach ALL of them within a minute.

In other words, even though it is not going to stop worm spreading, it's going to delay it a few seconds, limit possible network congestion a bit, and limit the use of your PC to 10 connection attempts per second in the process ! I have no problem with the new default setting limiting outbound connection attempts. Still, users should have the option to easily disable or change this setting. I might be going out on a limb here, but ever since the introduction of Windows XP I can't help thinking that I dislike all the bult-in Windows "wisardry" in a sense that the system also limits user access. That irritating trend to ease the mental load on end users is somewhat insulting, considering that Windows is to make the more "intelligent" choice instead of the end user, as well as limit their access to tuning such settings...
End of rant.

With the new implementation, if a P2P or some other network program attempts to connect to 100 sites at once, it would only be able to connect to 10 per second, so it would take it 10 seconds to reach all 100. In addition, even though the setting was registry editable in XP SP1, it is now only possible to edit by changing it directly in the system file tcpip.sys. To make matters worse, that file is in use, so you also need to be in Safe mode in order to edit it.

You only need to worry about the number of connection attempts per second if you have noticed a slowdown in network programs requiring a number of connections opened at once. You can check if you're hitting this limit from the Event Viewer, under System - look for TCP/IP Warnings saying: "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts". Keep in mind this is a cap only on incomplete outbound connect attempts per second, not total connections. Still, running servers and P2P programs can definitely be affected by this new limitation. Use the fix as you see fit.

To change or remove the limit, you can use the following program:

Event ID 4226 Patcher - A patching program for removing or changing the limit imposed on connection attempts in SP2. The patcher has the ability to restore tcpip.sys back to the original... Still, you might want to back up tcpip.sys, use it at your own risk. The author of this patch can be reached @ http://www.lvllord.de/

http://www.lvllord.de/?lang=en&url=downloads

Edit tcpip.sys manually to remove the TCP/IP socket creation limit

Another option, for the more adventurous is to modify your tcpip.sys file manually, using a hex editor. The following instructions refer to the final release of XP SP2, with a tcpip.sys file of exactly 359,040 bytes, CRC-32 is 8042A9FB, and MD5 is 9F4B36614A0FC234525BA224957DE55C. Even thouh there might be multiple tcpip.sys files in your system, make sure to work with the one in c:\windows\system32\drives\ directory.

To remove the tcpip.sys socket creation limit:
- Backup your original tcpip.sys file before editing please, this is somewhat important !
- In your hex editor, go to offset 4F322 hex (or 324386 decimal).
- Change 0a 00 00 00 to 00 00 0a 00

All done ! The above change does not require editing of the CRC in offset 130 hex (thanks for the clever solution Thomas Wolf Tompkins).

Notes:
If any of the data above does not match exactly (crc, file size, md5, or the data at offset 4F322) please double-check what you are doing, or abort completely.

The above information increases the RATE of opening outgoing connections. It has nothing to do with the limit of 10 connections to network shares on a Windows workstation PC for sharing files (a MS imposed limit to force you to upgrade to a server version of the OS). This 10 connections to network shares limit was introduced with NT4 workstation (SP3), and exists in Windows 2k workstation, and Windows XP home/pro/mc. It only applies to authenticated windows services, such as file and print sharing.

Collapse -

Event ID 4226

by danny In reply to Limit on TCP connection a ...

Remove the limit on TCP connection attempts

Windws XP SP2 introduces a few new twists to TCP/IP in order to babysit users and "reduce the threat" of worms spreading fast without control. In one such attempt, the devs seem to have limited the number of possible TCP connection attempts per second to 10 (from unlimited in SP1). This argumentative feature can possibly affect server and P2P programs that need to open many outbound connections at the same time.

Rant: The forward thinking of Microsoft developers here is that you can only infect 10 new systems per second via TCP/IP ?!?... If you also consider that each of those infected computers will infect 10 others at the same rate:
second 1: 1+10 computers
second 2: 10+10*10 computers (110 new ones)
second 3: 10+100*10 computers ( 1110 new ones)
second 4: 10+1000*10 computers (11110 new ones)
....
all the way to 10*60 + 10^60 computers in a single minute (that's a number with 60 digits, or it would far exceed Earth's population). Even if we consider that 90% of those computers are unreachable/protected, one would still reach ALL of them within a minute.

In other words, even though it is not going to stop worm spreading, it's going to delay it a few seconds, limit possible network congestion a bit, and limit the use of your PC to 10 connection attempts per second in the process ! I have no problem with the new default setting limiting outbound connection attempts. Still, users should have the option to easily disable or change this setting. I might be going out on a limb here, but ever since the introduction of Windows XP I can't help thinking that I dislike all the bult-in Windows "wisardry" in a sense that the system also limits user access. That irritating trend to ease the mental load on end users is somewhat insulting, considering that Windows is to make the more "intelligent" choice instead of the end user, as well as limit their access to tuning such settings...
End of rant.

With the new implementation, if a P2P or some other network program attempts to connect to 100 sites at once, it would only be able to connect to 10 per second, so it would take it 10 seconds to reach all 100. In addition, even though the setting was registry editable in XP SP1, it is now only possible to edit by changing it directly in the system file tcpip.sys. To make matters worse, that file is in use, so you also need to be in Safe mode in order to edit it.

You only need to worry about the number of connection attempts per second if you have noticed a slowdown in network programs requiring a number of connections opened at once. You can check if you're hitting this limit from the Event Viewer, under System - look for TCP/IP Warnings saying: "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts". Keep in mind this is a cap only on incomplete outbound connect attempts per second, not total connections. Still, running servers and P2P programs can definitely be affected by this new limitation. Use the fix as you see fit.

To change or remove the limit, you can use the following program:

Event ID 4226 Patcher - A patching program for removing or changing the limit imposed on connection attempts in SP2. The patcher has the ability to restore tcpip.sys back to the original... Still, you might want to back up tcpip.sys, use it at your own risk. The author of this patch can be reached @ http://www.lvllord.de/

http://www.lvllord.de/?lang=en&url=downloads

Edit tcpip.sys manually to remove the TCP/IP socket creation limit

Another option, for the more adventurous is to modify your tcpip.sys file manually, using a hex editor. The following instructions refer to the final release of XP SP2, with a tcpip.sys file of exactly 359,040 bytes, CRC-32 is 8042A9FB, and MD5 is 9F4B36614A0FC234525BA224957DE55C. Even thouh there might be multiple tcpip.sys files in your system, make sure to work with the one in c:\windows\system32\drives\ directory.

To remove the tcpip.sys socket creation limit:
- Backup your original tcpip.sys file before editing please, this is somewhat important !
- In your hex editor, go to offset 4F322 hex (or 324386 decimal).
- Change 0a 00 00 00 to 00 00 0a 00

All done ! The above change does not require editing of the CRC in offset 130 hex (thanks for the clever solution Thomas Wolf Tompkins).

Notes:
If any of the data above does not match exactly (crc, file size, md5, or the data at offset 4F322) please double-check what you are doing, or abort completely.

The above information increases the RATE of opening outgoing connections. It has nothing to do with the limit of 10 connections to network shares on a Windows workstation PC for sharing files (a MS imposed limit to force you to upgrade to a server version of the OS). This 10 connections to network shares limit was introduced with NT4 workstation (SP3), and exists in Windows 2k workstation, and Windows XP home/pro/mc. It only applies to authenticated windows services, such as file and print sharing.

Back to IT Employment Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums