the microsoft-ds tcp retransmission phantom

Sep 7th, 2007

I need help figuring out a problem that is plaguing our network. I'll try to be as brief as possible. Please see the attached file for our setup.

Basically, I can pass TCP traffic just fine using iperf, I get about 67Mbps throughput. But as soon as I try a file transfer from the server, my protocol analyzer shows many TCP Retransmissions and TCP Slow ACKs. My ping time is <1ms both directions. I've tried everything I know, so maybe someone has a good idea to refresh me. I'll provide configs if needed. Thank you!!

sadbulali Thu, 09/13/2007 - 11:05

Microsoft Windows "Workstation Service (wkssvc.dll)" contains a flaw that is vulnerable to a buffer overflow. When successfully exploited, this vulnerability allows remote code execution with SYSTEM privileges. Successful exploitation of this vulnerability could allow an attacker complete control of an affected system or create a denial-of-service (DoS) condition.

This vulnerability can be exploited remotely without authentication or user interaction. However, remote exploitation without authentication is limited to systems running Windows 2000 Service Pack 4. The attack vector is through TCP ports 139 (netbios-ssn) and 445 (microsoft-ds). This vulnerability is designated by CVE ID 2006-4691.

You might start by checking each of the ports involved in the path for errors, drops, etc. Clearing the counters on each before your next test might help see things.

Do you get the same retransmission errors when running iperf?

What about if you test between two different PCs instead of just the PC/Server pair in question? Does the problem occur there as well?

aaronsj Tue, 02/26/2008 - 07:17

Our problem was due to a secondary IP address configured on the router interface. Basically, there were two networks on one 100Mbps interface, which was causing it to overload and drop packets under too full a load. I moved our users to the same network as the servers and now everything gets switched locally instead of having to go talk through the router. We are going to rework the network so this is temporary.

