Problem description

After you configure Anti-DDoS Pro or Anti-DDoS Premium, it is slow to establish connections.

Cause

This issue is caused by the new Explicit Congestion Notification (ECN) feature introduced in Windows Server 2012.

Solution

  1. Log on to the ECS instance. For more information, see Connect to an ECS instance.
  2. Run Command Prompt as an administrator and disable ECN.
    netsh int tcp set global ecncapability=disabled
    Note ECN is defined in RFC and aims to reduce the number of packet retransmissions. However, some ISPs in mainland China block ECN-marked SYN packets. In this case, the target server cannot receive these SYN packets. Therefore, if the source Windows-based client does not receive responses after sending ECN-marked packets twice, it sends SYN packets without the ECN-related flags. In this case, the connections are established. The first retransmission requires about 3 seconds, and the second retransmission 6 seconds.

Application scope

  • Cloud security