WindowsXP needs a new SKU

I blogged yesterday about the effect of the WindowsXP service pack 2 on filesharing applications. Apparently, there is more fallout as reported by Dana Epp, Ian Griffiths, and Dominick Baier. I understand that the motivation for these changes was to make the WindowsXP platform less appealing to viruses and hacker tools, and I also understand that the reason there aren't easy overrides for the new limits is so that the aforementioned malware can't just flip the functionality back on. But, at the same time, the changes are detrimental to some legitimate applications. Microsoft could just cede those users to OSX or Linux, but why not bring them back into the fold? We have WindowsXP Home and Professional; perhaps it's time to bring out WindowsXP Power User edition? Concerned corporations can constrain installations through policy, unconcerned end users won't pay for it, and interested parties will get their functionality back. Redmond, are you listening?

And now, for something completely off-topic -- a well documented tryst between John F. Kerry and Natasha Kinstridge (see commentary here).

WindowsXP sp2 slows down p2p apps

One of the security improvements in WindowsXP sp2 is a limit placed on the number of simultaneous incomplete outbound TCP connection attempts. This limit happens to be 10 connections per second, which just happens to adversely affect a number of p2p applications. To find out whether you are affected by this, check your System Event Log for Tcpip warnings with the event number 4226.

It won't be a surprise to anyone that the community came up with a “fix”, a patch actually, that changes some bits in the tcpip.sys file. This is not something I would condone, so I won't link to it. My question is, does anyone know of a non-invasive way to override this limit (perhaps through the registry)? Could someone comment on the appropriate way for a p2p application to get around this new limit?

Here's the relevant excerpt from a TechNet document on sp2 changes:

Limited number of simultaneous incomplete outbound TCP connection attempts

Detailed description

The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.

Why is this change important? What threats does it help mitigate?

This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

What works differently?

This change may cause certain security tools, such as port scanners, to run more slowly.

How do I resolve these issues?

Stop the application that is responsible for the failing connection attempts.
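The queueing behaviour the excerpt describes, as a simplified model added here for illustration (not Microsoft's implementation and not code from the original post). The limit of 10 comes from the post; the handshake time, timeout and release interval are assumed values, and both workloads are constructed.

```python
from collections import deque

def simulate(attempts, limit=10, rtt_ms=50, timeout_ms=3000, release_ms=100):
    """Model a cap on incomplete outbound TCP connection attempts.

    attempts: list of (start_ms, reachable) pairs.
    Returns (held_back, finish_ms): how many attempts the limiter queued
    (the condition event ID 4226 reports) and when the last attempt
    completed or timed out. rtt_ms, timeout_ms, release_ms are assumptions.
    """
    arrivals = deque(sorted(attempts))
    waiting = deque()   # attempts queued by the limiter, FIFO
    in_flight = []      # resolution times of attempts still incomplete
    held_back = finish = now = next_release = 0

    def start(reachable):
        nonlocal finish
        done = now + (rtt_ms if reachable else timeout_ms)
        in_flight.append(done)
        finish = max(finish, done)

    while arrivals or waiting or in_flight:
        # Handshakes that completed or timed out free their slot.
        in_flight[:] = [t for t in in_flight if t > now]
        while arrivals and arrivals[0][0] <= now:
            _, reachable = arrivals.popleft()
            if len(in_flight) < limit and not waiting:
                start(reachable)
            else:
                waiting.append(reachable)
                held_back += 1
        # Queued attempts are released at a fixed rate, one slot at a time.
        if waiting and len(in_flight) < limit and now >= next_release:
            start(waiting.popleft())
            next_release = now + release_ms
        now += 1
    return held_back, finish

# Constructed workloads (not measurements).
NORMAL = [(i * 20, True) for i in range(100)]   # reachable hosts, paced
BURST = [(0, False) for _ in range(50)]         # 50 dead addresses at once

if __name__ == "__main__":
    print("normal app:", simulate(NORMAL))
    print("burst, limited:", simulate(BURST))
    print("burst, no effective limit:", simulate(BURST, limit=1000))
```

In this model the paced application talking to reachable hosts never touches the queue, while the burst at unreachable addresses has 40 of its 50 attempts held back and takes about five times as long to finish.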

Why is Indian music only available in RealAudio format?

My sister emailed me about a song she liked that was recommended by her Tamil friend. Apparently this is a tune for a popular Bollywood movie and Google revealed a number of web sites that would let me play it. Unfortunately, almost all of them offered just one format: RealAudio. Does anyone know why it is so popular with this audience? Personally, I refuse to install another Real product. Their installations are extremely invasive (all sorts of crap is installed without asking).

In any case, here's a WindowsMedia version for your non-discriminating music tastes: Thoodhu Varuma, from the movie Kaakha Kaahka.