TCP/IP has reached the security limit imposed.

  • spork

Event ID: 4226
"TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

I'm getting this error in my System Event log, and my LAN connection cuts out whenever it happens. I have to disable and enable my connection to get it working again.

I've looked up information from various places on the net, and pretty much every place says the same thing:
Quote:
This message is caused by a new security function of Windows XP Service Pack 2 which was included in order to avoid the quick and rampant distribution of worms. XP SP2 doesn't allow any program to open more than 10 outgoing, half-open, (still) unconnected TCP connections.

I've seen a few methods for increasing the maximum outgoing connections, among others. I'm somewhat hesitant to tweak the system when I'd really like to figure out what's causing this in the first place. I've had this system for almost 4 years, and this only started happening a few days ago.

I've scanned for worms/viruses and turned up nothing. Has anyone else here had this problem?
  • Alkatr0z

Are you running anything like bit torrent?
  • spork

No. The machine is used primarily for development, so I do have a WAMP server running. I've never had problems with that in the past, and since it doesn't create outgoing connections to anything, I don't see it as a likely culprit.
  • Alkatr0z

Do you have a firewall installed that you can check the event log of?
If not, you can type netstat into a command prompt window to see the current connections.
  • spork

No firewall.

Netstat... I didn't even think of that. I'll check the connections the next time I get the error and post back here. Thanks.
  • spork

OK, got back from work today and the network cut out about 10 minutes after using the computer. Here's the output from netstat:
Code:
C:\>netstat

Active Connections

 Proto Local Address     Foreign Address    State
 TCP  sporkintel:1034    192.168.0.60:microsoft-ds ESTABLISHED
 TCP  sporkintel:1061    bittraffic.com:6667  ESTABLISHED
 TCP  sporkintel:1354    ag-in-f19.google.com:http ESTABLISHED
 TCP  sporkintel:1375    5-137-156-250.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1376    75-137-157-89.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1378    75-137-157-91.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1379    75-137-157-189.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1380    75-137-157-190.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1381    75-137-157-191.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1382    75-137-157-192.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1383    75-137-157-193.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1384    75-137-157-194.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:1385    75-137-157-195.dhcp.gwnt.ga.charter.com:5900 SYN_SENT
 TCP  sporkintel:24800    192.168.0.60:52013   ESTABLISHED

C:\>

I disabled and re-enabled the network connection, ran netstat again, and got this:
Code:
C:\>netstat

Active Connections

 Proto Local Address     Foreign Address    State

 TCP  sporkintel:4647    75.138.167.112:5900  SYN_SENT
 TCP  sporkintel:4648    75.138.167.113:5900  SYN_SENT
 TCP  sporkintel:4649    75.138.167.213:5900  SYN_SENT
 TCP  sporkintel:4651    75.138.167.214:5900  SYN_SENT
 TCP  sporkintel:4652    75.138.167.215:5900  SYN_SENT
 TCP  sporkintel:4653    75.138.167.216:5900  SYN_SENT
 TCP  sporkintel:4654    75.138.167.217:5900  SYN_SENT
 TCP  sporkintel:4655    75.138.167.218:5900  SYN_SENT
 TCP  sporkintel:4656    75.138.167.219:5900  SYN_SENT
 TCP  sporkintel:4660    75.138.167.220:5900  SYN_SENT

C:\>

I guess this explains the error regarding the 10 maximum outgoing connections... Something doesn't smell right here.
  • spork

Alright, I think I've found the culprit. I ended up using a nice little tool called CurrPorts. It shows all the current TCP and UDP connections on your machine, along with what process created them.

I thought I had uninstalled mIRC a LONG time ago, but apparently parts of it are still hanging around.
Code:
C:\WINDOWS\Mircosoft\Drivers\Service.exe

This was the process creating all the connections. Can someone explain what this is/if I should keep it around?
  • spork

Sorry for the back-to-back-to-back posts, I'm just posting my solution here for future reference in case anyone else runs into this problem.

Turns out that Service.exe did belong to some alienated installation of mIRC. Running the following command took care of it:
Code:
C:\>C:\windows\microsoft\drivers\service.exe -uninstall

After that, I went through and removed any mIRC keys from the registry.
  • joebert

Quote:
I ended up using a nice little tool called CurrPorts. It shows all the current TCP and UDP connections on your machine, along with what process created them.


Doesn't "netstat -a -b" do the same thing ? :scratchhead:
  • spork

joebert wrote:
Doesn't "netstat -a -b" do the same thing ? :scratchhead:

Only if you knew that it did.. which in my case, I didn't. :oops:
  • Alkatr0z

Hmm, could you please tell me where you found out that service.exe is a part of mIRC?
I'm rather suspicious for a few reasons.
Unless mIRC has changed a lot since the last version I downloaded, it's always been a very compact package that sticks to its own directory rather than spreading out as you indicate. I started using it in 1994, and the last version I downloaded was in 2006.

Secondly, in my experience there has never been a part of mIRC which connects to a server automatically (except mirc32.exe, which can be configured to do so). In addition, there is only one mIRC server showing in that list, which is this one: TCP sporkintel:1061 bittraffic.com:6667 ESTABLISHED

Thirdly, that is an established connection and so not part of the 10 half-open connection limit (SYN). As you pointed out, those SYN ones are the problem. They are all connecting to the port for VNC Server.

I suspect that service.exe was actually part of a botnet or something similar. What I see your system doing there is sequentially scanning an IP range for VNC servers; you see it in the first netstat you ran and also in the second. 75-137-157-89.dhcp.gwnt.ga.charter.com. The numbers separated by - correspond to the IP address of the system. The mIRC server you were connected to was most likely the control connection.

Which of course also makes me wonder why -uninstall worked on it. I presume you found that on the same page that detailed it as part of mIRC :)
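
Added example (not part of any poster's message): the pattern described in the last post, many half-open SYN_SENT connections to one remote port across neighbouring addresses, can be checked for mechanically in saved netstat output. The function names and the min_hosts threshold of 5 are assumptions of this sketch; the sample rows are copied from the listings quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: rows copied from the two netstat listings in the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address     Foreign Address              State
  TCP    sporkintel:1034   192.168.0.60:microsoft-ds    ESTABLISHED
  TCP    sporkintel:1061   bittraffic.com:6667          ESTABLISHED
  TCP    sporkintel:4647   75.138.167.112:5900          SYN_SENT
  TCP    sporkintel:4648   75.138.167.113:5900          SYN_SENT
  TCP    sporkintel:4649   75.138.167.213:5900          SYN_SENT
  TCP    sporkintel:4651   75.138.167.214:5900          SYN_SENT
  TCP    sporkintel:4652   75.138.167.215:5900          SYN_SENT
  TCP    sporkintel:4653   75.138.167.216:5900          SYN_SENT
"""

# TCP <local> <remote host>:<remote port> <state>
ROW = re.compile(r"^\s*TCP\s+\S+\s+(\S+):(\S+)\s+(\S+)\s*$")

def half_open_by_port(text):
    """Map remote port -> set of remote hosts with a connection in SYN_SENT."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "SYN_SENT":
            ports[m.group(2)].add(m.group(1))
    return ports

def slash24(host):
    """Return the /24 a numeric IPv4 host falls in, or None for anything else."""
    try:
        return str(ipaddress.IPv4Network(host + "/24", strict=False))
    except ValueError:
        return None

def scan_suspects(text, min_hosts=5):
    """Flag remote ports being tried on >= min_hosts distinct hosts at once."""
    report = {}
    for port, hosts in half_open_by_port(text).items():
        if len(hosts) >= min_hosts:
            nets = {slash24(h) for h in hosts} - {None}
            report[port] = {"hosts": len(hosts), "networks": sorted(nets)}
    return report

if __name__ == "__main__":
    print(scan_suspects(SAMPLE))
```

A single remote port flagged across one small network is the fan-out described above; pairing the result with the owning process (netstat -a -b or CurrPorts, both mentioned in the thread) identifies what is generating it.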
