NT Versions Affected:
3.5, 3.51, 4.0
Problem:
1. Multiple TCP connection requests (SYN) are sent to the target computer with an unreachable source IP address.
2. On receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK" to the unreachable address.
3. A default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response, and deallocates the resources that were set aside earlier for the connection. The total elapsed time that resources are in use is 189 seconds.
Errors experienced are:
"The connection has been reset by the remote host."
Other evidence:
C:/> netstat -n -p tcp
Active Connections
| Proto TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP |
Local Address 127.0.0.1:1026 127.0.0.1:1028 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 210.57.8.90:2100 |
Foreign Address 127.0.0.1:1026 127.0.0.1:1028 10.57.14.154:1256 10.57.14.154:1257 10.57.14.154:1258 10.57.14.154:1259 10.57.14.154:1260 10.57.14.154:1261 10.57.14.154:1262 10.57.14.154:1263 10.57.14.154:1264 10.57.14.154:1265 10.57.14.154:1266 |
State ESTABLISHED ESTABLISHED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED SYN_RECEIVED |
Verification:
http://www.microsoft.com/kb/articles/q142/6/41.htm