[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Event Log errors in Windows

To: or-talk@xxxxxxxxxxxxx
Subject: Event Log errors in Windows
From: alexyz@xxxxxxxxxx
Date: Sat, 16 Apr 2005 02:05:29 -0300
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Sat, 16 Apr 2005 01:05:57 -0400
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

Hi,

I´m not sure this is a bug but I will report it anyhow. Since running Tor
as server I had been getting lots of "Event 4226" entries in the Event Log
Viewer of Windows XP SP2. Five per day to be exact over 2 straight days.
After some research, it comes out that event 4226 signals a TCP/IP stack
limit to the rate of opening half-opened connections. The following quotes
should be more meaningful to you network specialists.

"SP2 has limited the number of possible TCP connection attempts per second
to 10"

[the limit] "...only applies to incomplete outbound connections, where the
client has sent a SYN packet but hasn't yet received a SYN-ACK packet from
the server. This is the first thing the server's TCP stack does, before it
even informs the server application that a connection is being made (i.e.
accept() doesn't return yet). The reason for the limit is simple: to
prevent simple SYN-flooding attacks."

There was no limit in WinXP SP1 but Microsoft changed this in SP2
apparently to prevent worms from spreading more quickly. Here is another
quote I found.

"The idea of MS is not bad to reduce the spreading of worms and other
harmful programs. But 10 half-open connections [per sec] is a little bit
too less. With a higher (e.G. 25-100) number of waiting for connection
connections the benefit would be almost the same, but less normal users
would feel disturbed by this."

The noticeable effect of this problem is that browsing becomes (very)
sluggish and I believe Tor connections in the background are also
suffering as connection attempts have to be queued to conform to the
limit. So I decided to do something about it and researched some more. In
SP1 the limit was changeable in the registry. In SP2 it can not be
changed. I found that there are some unofficial patches going around the
net that simply increases this number to 50. The patch is done to the
TCPIP.SYS file. (It can be obtained here=>
http://www.lvllord.de/?lang=en&url=downloads#4226patch)

After installing the patch, my browsing is restored to normal and there
are no more event 4226 entries. BUT, I now get event 7023 in the log (4
per day):

The service Tor Win32 Service terminated with an error:
%%4294967295

I couldn´t find info on event 7023, and I doubt I´m going to find event
7023 with an error message that specifically mentions Tor.

One last thing, I started running version 0.0.9.8 and then switched to
0.1.0.3-rc. The event 4226 entries occurred with both versions.

Follow-Ups:
- Re: Event Log errors in Windows
  - From: alexyz

Prev by Author: Re: hack attempts of Tor?
Next by Author: Publishing node IPs
Previous by thread: Re: TOR dying
Next by thread: Re: Event Log errors in Windows
Index(es):
- Author
- Thread