2006-03-22

EventID 4226, Source TCPIP

I recently started seeing Event ID 4226 with source TCPIP (EVENT_TCPIP_TCP_CONNECT_LIMIT_REACHED) in my System event log. The message is "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts." It sounded familiar, so I figured I had seen it before and filed it away as a low priority item to deal with when I got the time.

I dug into it more because it was starting to bother me. I use Avant Browser's "Groups" feature to open 30 or so web pages multiple times a day. This is fine and dandy, but while Avant is loading all of those pages, my system's network connectivity goes downhill. So I figured Windows was imposing some artificial limit on the number of outgoing TCP/IP connections. Sure enough, "Changes to Functionality in Microsoft Windows XP Service Pack 2 - Part 2: Network Protection Technologies" indicates:

Limited number of simultaneous incomplete outbound TCP connection attempts
Detailed description
The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.

Why is this change important? What threats does it help mitigate?
This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

What works differently?
This change may cause certain security tools, such as port scanners, to run more slowly.

How do I resolve these issues?
Stop the application that is responsible for the failing connection attempts.

The interesting thing is that there's nothing you can configure to change this behavior - you're limited to what appears to be 10 "concurrent TCP connect attempts".

Well, maybe it's more accurate to say that there's no Microsoft-sanctioned way to change this behavior. There _is_ a utility at http://www.lvllord.de/ that patches TCPIP.SYS and allows one to set the limit (default is 50, up from 10). Of course, this annoys Windows File Protection, and the patched TCPIP.SYS can be replaced by an update from Microsoft, but it appears the utility's author keeps the utility up-to-date so that in little or no time one can re-patch TCPIP.SYS if necessary.

It worked for me... :) Thanks, LvlLord!
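A defender-side triage script, added here as an example and not part of the original post or LvlLord's patch, that parses a netstat -n snapshot, checks the half-open SYN_SENT count against the 10-attempt limit that produces Event ID 4226, and separates a browser-style burst (web ports, handshakes completing) from the worm-style spray of random addresses the Microsoft text describes. The limit value, the netstat line format, the sample snapshots and the classification heuristic are all assumptions constructed for the example.

```python
import ipaddress
HALF_OPEN_LIMIT = 10      # XP SP2 default from the post (assumption: unpatched TCPIP.SYS)
WEB_PORTS = {80, 443}     # ports a browser burst is expected to use

def parse_netstat(text):
    """Return (remote_ip, remote_port, state) for each TCP line of 'netstat -n' output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            ip, port = parts[2].rsplit(":", 1)
            conns.append((ip, int(port), parts[3]))
    return conns

def assess(conns):
    """Would this snapshot hit the limit, and does it look like a scan or a browser?"""
    half_open = [c for c in conns if c[2] == "SYN_SENT"]
    established = [c for c in conns if c[2] == "ESTABLISHED"]
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _, _ in half_open}
    web = sum(1 for _, port, _ in half_open if port in WEB_PORTS)
    report = {
        "half_open": len(half_open),
        "over_limit": len(half_open) > HALF_OPEN_LIMIT,   # the condition that logs 4226
        "distinct_24s": len(nets),
        "web_share": web / len(half_open) if half_open else 0.0,
        "established": len(established),
    }
    # Heuristic (assumption): a worm sprays non-web ports at scattered /24s and
    # rarely completes a handshake; a browser burst is web ports with successes.
    scan_like = (report["over_limit"] and report["web_share"] < 0.5
                 and report["established"] <= 1)
    report["verdict"] = "scan-like" if scan_like else "probably benign"
    return report

def make_snapshot(remotes, state):
    """Build constructed netstat-style lines for (remote_ip, port) pairs."""
    return "\n".join(f"  TCP    10.0.0.5:{1025 + i:<6}{ip}:{port:<6}{state}"
                     for i, (ip, port) in enumerate(remotes))

# Constructed sample snapshots (not captured from a real host).
BROWSER_BURST = (make_snapshot([(f"203.0.113.{i}", 80) for i in range(1, 16)], "SYN_SENT")
                 + "\n" + make_snapshot([(f"198.51.100.{i}", 443) for i in range(1, 11)],
                                        "ESTABLISHED"))
SCAN_BURST = make_snapshot(
    [(f"{10 + i}.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 256}", 445) for i in range(25)],
    "SYN_SENT")
if __name__ == "__main__":
    for name, snap in (("browser", BROWSER_BURST), ("scan", SCAN_BURST)):
        print(name, assess(parse_netstat(snap)))
```

On a host where the limit has been patched up, the over_limit flag no longer matches what the stack enforces, so adjust HALF_OPEN_LIMIT to the patched value.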

4 comments:

Anonymous said...

Hey, I tried to download the EventID patcher but I see an error message saying "the requested site was either unavailable or cannot be found. please try again later". What should I do? Please help, e-mail me at razza420@hotmail.com

«/\/\Ø|ö±ò\/»®© said...

I just downloaded and installed the patch, so... "Please try again later" seems like good advice...

Anonymous said...

I downloaded the patch "EvID4226Patch223d-en.zip" from http://www.lvllord.de/?lang=en&url=downloads.....
When I downloaded the English patch, I opened the zip folder, double clicked on the file called "EvID4226Patch.exe" (Application) and a warning diagnostic message came up and said "cannot excecute......" What should I do?
I then downloaded the German patch, it works, but the problem is that I don't read, speak, or understand German... lol...
What should I do?? Thanks

«/\/\Ø|ö±ò\/»®© said...

Hi Anonymous,

What version of TCP.SYS are you trying to patch?