How To Remove Windows TCP IP Limits connections


26 Oct 2013 (3 years and 5 months ago)



First draft document - Nikolaos Katsampekis





Applications

Team


Nikolaos Katsampekis






How to Remove Windows XP SP2 and SP3 TCP/IP Connection Limits






Contents

1 Reason
2 Windows XP SP 2
3 Windows XP SP 3
4 Windows 7






1 Reason



In a C&M system we are running Roll Proxy with many connections and multiple clients at the same time, e.g. RollCall Control Panel, RollMechanic, RollSNMP, LogServer, RollPod Designer and MCM; together with any other applications, they take a large number of TCP/IP connections.


Windows has introduced a limit in order to babysit users and "reduce the threat" of worms spreading fast without control. In one such attempt, the devs seem to have limited the number of possible TCP connection attempts per second to 10 (from unlimited in SP1).



This questionable feature can possibly affect server and P2P programs that need to open many outbound connections at the same time.


The forward thinking of Microsoft developers here is that you can only infect 10 new systems per second via TCP/IP?!?... If you also consider that each of those infected computers will infect 10 others at the same rate:

second 1: 1+10 computers
second 2: 10+10*10 computers (110 new ones)
second 3: 10+100*10 computers (1110 new ones)
second 4: 10+1000*10 computers (11110 new ones)
....
all the way to 10*60 + 10^60 computers in a single minute (that's a number with 60 digits, or it would far exceed Earth's population). Even if we consider that 90% of those computers are unreachable/protected, one would still reach ALL of them within a minute.

In other words, even though it is not going to stop worm spreading, it's going to delay it a few seconds, limit possible network congestion a bit, and limit the use of your PC to 10 connection attempts per second in the process.


With the new implementation, if a P2P or some other network program attempts to connect to 100 sites at once, it would only be able to connect to 10 per second, so it would take it 10 seconds to reach all 100.


In addition, even though the setting was registry editable in XP SP1, it is now only possible to edit by changing it directly in the system file tcpip.sys.

To make matters worse, that file is in use, so you also need to be in Safe mode in order to edit it.

You only need to worry about the number of connection attempts per second if you have noticed a slowdown in network programs requiring a number of connections opened at once.


You can check if you're hitting this limit from the Event Viewer, under System - look for TCP/IP Warnings saying: "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts". Keep in mind this is a cap only on incomplete outbound connect attempts per second, not total connections.





Still, running servers and P2P programs can definitely be affected by this new limitation.

For our applications to work we need to remove those limits; below are a few guidelines on how to do it.


Remove the limit on TCP connection attempts for Windows XP SP2

To change or remove the limit, you can use the following program:



Windows XP SP2



Event ID 4226 Patcher - A patching program for removing or changing the limit imposed on connection attempts in SP2.

The patcher has the ability to restore tcpip.sys back to the original... Still, you might want to back up tcpip.sys; use it at your own risk.

The author of this patch can be reached at http://www.lvllord.de/



Edit tcpip.sys manually to remove the TCP/IP socket creation limit

Another option, for the more adventurous, is to modify your tcpip.sys file manually, using a hex editor.

The following instructions refer to the final release of XP SP2, with a tcpip.sys file of exactly 359,040 bytes, CRC-32 8042A9FB, and MD5 9F4B36614A0FC234525BA224957DE55C. Even though there might be multiple tcpip.sys files in your system, make sure to work with the one in the c:\windows\system32\drivers\ directory.


To remove the tcpip.sys socket creation limit:

- Back up your original tcpip.sys file before editing, please; this is somewhat important!
- In your hex editor, go to offset 4F322 hex (or 324386 decimal).
- Change 0a 00 00 00 to 00 00 0a 00

All done!


The above change does not require editing of the CRC in offset 130 hex (thanks for the clever solution, Thomas Wolf Tompkins).

Notes:

If any of the data above does not match exactly (crc, file size, md5, or the data at offset 4F322) please double-check what you are doing, or abort completely.
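The "double-check or abort" step above can be scripted so that a kernel driver is never edited by mistake. This is an added example, not part of the guide: it compares a tcpip.sys image against the size, CRC-32, MD5 and offset bytes quoted above and only reports; it writes nothing. The sha256 backup comparison and the "already patched" detection are my additions.

```python
import hashlib
import zlib

# Reference values for the final XP SP2 tcpip.sys, as quoted in the guide above.
EXPECTED_SIZE = 359040
EXPECTED_CRC32 = 0x8042A9FB
EXPECTED_MD5 = "9f4b36614a0fc234525ba224957de55c"
PATCH_OFFSET = 0x4F322                     # 324386 decimal
ORIGINAL_BYTES = bytes.fromhex("0a000000")  # value present in the unmodified file
PATCHED_BYTES = bytes.fromhex("00000a00")   # value the guide tells you to write


def check_tcpip_image(data: bytes) -> dict:
    """Compare a tcpip.sys image with the guide's reference data.

    Returns a dict of check name -> bool. Nothing is modified; the caller must
    abort if any identity check (size, crc32, md5) is False.
    """
    window = data[PATCH_OFFSET:PATCH_OFFSET + 4]
    return {
        "size": len(data) == EXPECTED_SIZE,
        "crc32": (zlib.crc32(data) & 0xFFFFFFFF) == EXPECTED_CRC32,
        "md5": hashlib.md5(data).hexdigest() == EXPECTED_MD5,
        "offset_bytes_original": window == ORIGINAL_BYTES,
        "offset_bytes_already_patched": window == PATCHED_BYTES,
    }


def safe_to_edit(report: dict) -> bool:
    """True only when the file is exactly the build the guide describes and still unpatched."""
    return all(report[k] for k in ("size", "crc32", "md5", "offset_bytes_original"))


def backup_matches(original: bytes, backup: bytes) -> bool:
    """Confirm the backup copy is byte-identical before any edit is attempted (my addition)."""
    return hashlib.sha256(original).digest() == hashlib.sha256(backup).digest()


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\windows\system32\drivers\tcpip.sys"
    with open(path, "rb") as f:
        image = f.read()
    report = check_tcpip_image(image)
    for name, ok in report.items():
        print(f"{name:30} {'OK' if ok else 'MISMATCH'}")
    if report["offset_bytes_already_patched"] and not report["crc32"]:
        print("Offset already holds the patched value; do not edit again.")
    elif not safe_to_edit(report):
        print("ABORT: this is not the tcpip.sys build the guide describes.")
    else:
        print("All reference values match; back up tcpip.sys before editing.")
```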

The above information increases the RATE of opening outgoing connections.

It has nothing to do with the limit of 10 connections to network shares on a Windows workstation PC for sharing files (a MS imposed limit to force you to upgrade to a server version of the OS).

This 10 connections to network shares limit was introduced with NT4 workstation (SP3), and exists in Windows 2k workstation, and Windows XP home/pro/mc. It only applies to authenticated windows services, such as file and print sharing.


Remove the limit on TCP connection attempts for Windows XP SP3



By increasing the number of TCP/IP connections allowed at one time.

Download Patch From Here




Remove the limit on TCP connection attempts for Windows VISTA


Due to the enhanced security in Vista, it is a bit more complicated to increase the TCP concurrent half-open connections limit. It requires downloading a patched tcpip.sys, changing a registry parameter and disabling driver signing in x64 editions (potentially after every reboot). Note that subsequent Windows updates and Service Packs may override tcpip.sys with a newer version as well.


The required steps are outlined below:

1. Note your current tcpip.sys version. To check your tcpip.sys version, navigate to C:\Windows\system32\drivers\, right-click on tcpip.sys and choose "Properties" - the version information will be listed in the "Details" pane.


2. Download a patched tcpip.sys file for your particular tcpip.sys and Vista version.

You can download patched versions of tcpip.sys from here. Note that 32-bit and 64-bit versions of Vista use different tcpip.sys files. Files are listed as tcpipXX-YYYYYY.sys, where XX is the Vista variant (32 or 64-bit), and YYYYYY is the tcpip.sys version.


3. Open command prompt, and execute the following commands exactly (administrator account, and elevated command prompt recommended):

takeown /f %Systemroot%\system32\drivers\tcpip.sys

icacls %Systemroot%\system32\drivers\tcpip.sys /grant "%username%":f


4. Disable driver signing integrity checks for 64-bit Windows Vista versions only. You can do this using the ReadyDriver Plus v 1.1 software, or pressing F8 at boot time. More information on disabling driver signing integrity checks in Vista is available here.


5. Backup tcpip.sys by copying it to another location/file. You can do it in Windows Explorer, or running the following in command prompt:

copy %Systemroot%\system32\drivers\tcpip.sys %Systemroot%\system32\drivers\tcpip.original


6. Replace the original tcpip.sys in C:\Windows\system32\drivers\ with the patched tcpip.sys for your correct version of Windows, downloadable from our website here. You'd have to be logged in as administrator; if it fails you may want to try restarting in safe mode (F8 on system startup).

7. Set the desired new limit for TCP half-open connections in the Windows Registry. Open the registry editor by clicking the Windows button > Run > type: regedit. You'd need to add a new DWORD value under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

TcpNumConnections=500

(DWORD value, not present by default. Recommended value is between 100 and 500).

Alternatively, you can download the sg_vista_tcpip_limit_patch to apply the registry change above automatically.



Update in Vista Service Pack 2

According to Microsoft, Vista SP2 completely removes the limit of 2-25 half-open TCP connections that existed in previous versions for application compatibility reasons.

We're not aware of any documentation introducing new registry keys to change the TCP half-open connection limit. If this works as intended, there should be no need to patch tcpip.sys, and users should no longer see Event ID 4226.


Reference: MS Technet
http://social.technet.microsoft.com/Forums/en-US/itprovistasp/thread/2afc725f-44fd-4ae1-9eb8-f0c3a0f552bc/


Info Below


Windows Vista introduces a number of new features to the TCP/IP stack, including CTCP, and TCP Window Auto-Tuning. This new implementation works much better by default than previous Windows versions with broadband internet connections, and is able to adjust the RWIN value on the fly, depending on the BDP (bandwidth-delay product). This, however, introduces some problems with older routers and restricts the user from tweaking some of the TCP/IP parameters. Still, there is always some room for improvement, and this article explains the known tweakable TCP/IP parameters.

To enter some of the commands below, you will need to run an "elevated" command prompt.

To do so, click the Start icon > Run > type: cmd, then press CTRL+SHIFT+ENTER. Alternatively, you can navigate to Start > All Programs > Accessories > right-click Command Prompt and choose "Run as Administrator".



Check the TCP/IP state

To check the current status of the Vista TCP/IP tweakable parameters, in elevated command prompt type the following command:

netsh int tcp show global

You will be presented with something like the following:

The settings, as well as their default and recommended state, are explained below. The two most important tweakable parameters are "Auto-Tuning Level" and "Congestion Control Provider".



When checking the TCP state with the "netsh int tcp show global" command, it is also possible to see the following message below all those parameters:

** The above autotuninglevel setting is the result of Windows Scaling heuristics overriding any local/policy configuration on at least one profile.

It is displayed when the "Receive Window Auto-Tuning Level" is not explicitly set, or if the system deemed it necessary to make a change because of user prompted "repairing" of your network connection, for example.



Disable Windows Scaling heuristics

Windows Vista/7 has the ability to automatically change its own TCP Window auto-tuning behavior to a more conservative state regardless of any user settings. It is possible for Windows to override the autotuninglevel even after a user sets their custom TCP auto-tuning level. When that behavior occurs, the "netsh int tcp show global" command displays the following message:

** The above autotuninglevel setting is the result of Windows Scaling heuristics overriding any local/policy configuration on at least one profile.

To prevent that behavior and enforce any user-set TCP Window auto-tuning level, you should execute the following command:

netsh int tcp set heuristics disabled

possible settings are: disabled, enabled, default (sets to the Windows default state)

recommended: disabled (to retain user-set auto-tuning level)

Note this should be executed in elevated command prompt (with admin privileges) before setting the autotuninglevel in the next section. If the command is accepted by the OS you will see an "Ok." on a new line.

The corresponding Registry value (not necessary to edit if setting via netsh) is located in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

EnableWsd=0

(default: 1, recommended: 0)



TCP Auto-Tuning

To turn off the default RWIN auto tuning behavior, (in elevated command prompt) type:

netsh int tcp set global autotuninglevel=disabled

The default auto-tuning level is "normal", and the possible settings for the above command are:

disabled: uses a fixed value for the tcp receive window. Limits it to 64KB (limited at 65535).

highlyrestricted: allows the receive window to grow beyond its default value, very conservatively

restricted: somewhat restricted growth of the tcp receive window beyond its default value

normal: default value, allows the receive window to grow to accommodate most conditions

experimental: allows the receive window to grow to accommodate extreme scenarios (not recommended, it can degrade performance in common scenarios, only intended for research purposes. It enables RWIN values of over 16 MB)

Our recommendation: normal (unless you're experiencing problems).

If you're experiencing problems with your NAT router or SPI firewall, try the "restricted", "highlyrestricted", or even "disabled" state.

Notes:

- Reportedly, some older residential NAT routers with a SPI firewall may have problems with enabled tcp auto-tuning in its "normal" state, resulting in slow speeds, packet loss, reduced network performance in general.

- auto-tuning also causes problems with really old routers that do not support TCP window scaling. See MSKB 935400

- netsh set commands take effect immediately after executing, there is no need to reboot.

- sometimes when using "normal" mode and long lasting connections (p2p software/torrents), tcp windows can get very large and consume too much resources; if you're experiencing problems try a more conservative (restricted) setting.

If you're experiencing problems with Auto-Tuning, see also:

MS KB 835400 - email issues
MS KB 934430 - network connectivity behind firewall problems
MS KB 940646 - 3G WWAN throughput issues
MS KB 929868 - web browsing issues
MS KB 932170 - slow network file transfer





Compound TCP - Improve throughput

Add-On Congestion Control Provider

The traditional slow-start and congestion avoidance algorithms in TCP help avoid network congestion by gradually increasing the TCP window at the beginning of transfers until the TCP Receive Window boundary is reached, or packet loss occurs. For broadband internet connections that combine high TCP Window with higher latency (high BDP), these algorithms do not increase the TCP windows fast enough to fully utilize the bandwidth of the connection.

Compound TCP (CTCP) is a newer method, available in Vista and Server 2008 (there is also a hotfix available for XP/2003). CTCP increases the TCP send window more aggressively for broadband connections (with large RWIN and BDP).

CTCP attempts to maximize throughput by monitoring delay variations and packet loss. It also ensures that its behavior does not impact other TCP connections negatively.

By default, Vista and Windows 7 have CTCP turned off; it is only on by default under Server 2008. Turning this option on can significantly increase throughput.

To enable CTCP, in elevated command prompt type:

netsh int tcp set global congestionprovider=ctcp

To disable CTCP:

netsh int tcp set global congestionprovider=none

Possible options are: ctcp, none, default (restores the system default value).

Recommended setting: ctcp

It is better to use this newer generation CTCP congestion control algorithm for most broadband connections; we highly recommend it being turned on.




TcpTimedWaitDelay (port allocation)

Short lived (ephemeral) TCP/IP ports above 1024 are allocated as needed by the OS. The default Vista values have improved from previous Windows versions, and are usually sufficient under normal load. However, in some instances under heavy load it may be necessary to adjust the settings below to tweak the availability of user ports requested by an application.

If the default limits are exceeded under heavy loads, the following error may be observed: "address in use: connect exception".

By default under Vista (when the values are not present in the registry), the OS can allocate up to 16384 ephemeral ports above port 1024, and the OS waits for 120 seconds before reclaiming ports after an application closes the TCP connection. This is a considerable improvement over older Windows versions. However, if necessary, the following registry values can be added/edited:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

MaxUserPort=65535

(DWORD, not in the registry by default. Recommended: leave at default, or use a number above 16384 up to 65535 decimal as necessary) - maximum number of ports to use. 1024 is automatically subtracted from the entered value to allow for reserved ports under 1024.

TcpTimedWaitDelay=30

(DWORD, not present or 0xffffffff in registry by default. Recommended: 30 decimal, denoting 30 seconds) - time to wait before reclaiming ports, in seconds. Default time before reclaiming ports, if the value is 0xffffffff or not present in the registry, is 120 seconds. Just reducing the delay is often sufficient without changing MaxUserPort, as it allows for reusing ports more efficiently.

Ephemeral ports can be checked and changed using netsh as well.



To query the current values, in command prompt, type:

netsh int ipv4 show dynamicportrange tcp

(for UDP, use the same command, replacing only "tcp" with "udp" at the end)

To set both the starting and max user port using netsh, in elevated command prompt run:

netsh int ipv4 set dynamicportrange protocol=tcp start=1025 num=64511

(start=NNN denoting the starting port, and num=NNN denoting the number of ports)

Notes:

By default, dynamic ports are allocated between ports 49152 and 65535 (for a total of 16384 ephemeral ports).

Using netsh allows to set both the starting port and port range. Editing the Registry allows for setting the port range, and the starting port is fixed at 1025. Deleting the MaxUserPort registry entry (or setting it to a value outside the allowed range) causes the OS to revert to using the default values.

Some system processes can install port filters to block certain port ranges. If ephemeral ports run into these filtered port ranges, TCP/IP applications will be unable to bind to any ports.
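A small model of the port-allocation rules in this section, added here as an example (not from the guide): it applies the default, 0xffffffff and out-of-range rules for MaxUserPort and TcpTimedWaitDelay described above, counts ports lost to filtered ranges, and estimates the steady-state rate of new outbound connections a host can sustain before "address in use" appears. The rate formula (ports divided by the wait delay) is an approximation I add, and the allowed MaxUserPort range is assumed from the guide's recommended range.

```python
# Added example: models the ephemeral-port rules described in the guide.
DEFAULT_START, DEFAULT_END = 49152, 65535   # default dynamic range: 16384 ports
DEFAULT_TIMED_WAIT = 120                    # seconds when TcpTimedWaitDelay is absent
REGISTRY_START = 1025                       # start is fixed at 1025 when set via registry
NOT_PRESENT = 0xFFFFFFFF                    # TcpTimedWaitDelay sentinel meaning "default"
# Assumption: the guide's recommended range (16384..65535) is treated as the allowed
# range; any other value makes the OS fall back to the default range.
MAXUSERPORT_ALLOWED = (16384, 65535)


def effective_port_range(max_user_port=None):
    """Port range the stack hands out for a given MaxUserPort registry value."""
    if max_user_port is None:
        return DEFAULT_START, DEFAULT_END
    lo, hi = MAXUSERPORT_ALLOWED
    if not lo <= max_user_port <= hi:
        return DEFAULT_START, DEFAULT_END       # out of range: revert to default
    return REGISTRY_START, max_user_port        # the 1024 reserved ports are excluded


def effective_timed_wait(tcp_timed_wait_delay=None):
    """Seconds a closed port stays unavailable (TIME_WAIT) before it is reclaimed."""
    if tcp_timed_wait_delay is None or tcp_timed_wait_delay == NOT_PRESENT:
        return DEFAULT_TIMED_WAIT
    return tcp_timed_wait_delay


def port_budget(max_user_port=None, tcp_timed_wait_delay=None):
    """Summarise the effective configuration and the sustainable connection rate.

    Each short-lived outbound connection holds its port for timed_wait seconds, so
    in steady state at most ports / timed_wait new connections per second can be
    opened before "address in use" errors appear (approximation, my addition).
    """
    start, end = effective_port_range(max_user_port)
    wait = effective_timed_wait(tcp_timed_wait_delay)
    ports = end - start + 1
    return {"start": start, "end": end, "ports": ports, "timed_wait": wait,
            "max_new_connections_per_second": ports / wait}


def filtered_overlap(start, end, filters):
    """Count ephemeral ports made unusable by port filters given as (first, last) ranges."""
    return sum(max(0, min(end, last) - max(start, first) + 1) for first, last in filters)


if __name__ == "__main__":
    cases = (("Vista default", ()), ("TcpTimedWaitDelay=30 only", (None, 30)),
             ("MaxUserPort=65535, TcpTimedWaitDelay=30", (65535, 30)))
    for label, args in cases:
        b = port_budget(*args)
        print(f"{label}: ports {b['start']}-{b['end']} ({b['ports']}), "
              f"wait {b['timed_wait']}s, ~{b['max_new_connections_per_second']:.0f} conn/s")
```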