After you configure Anti-DDoS Pro or Anti-DDoS Premium, TCP connections to your origin server may take approximately 9 seconds longer than expected to be established. The delay is caused by Explicit Congestion Notification (ECN), which Windows enables by default starting with Windows Server 2012.
Why this happens
ECN is defined in RFC 3168. It lets routers signal congestion by marking packets instead of dropping them, which reduces packet retransmissions. To negotiate ECN, the host that initiates a connection sets the ECE and CWR flags in its SYN packet. Some ISPs in the Chinese mainland drop these ECN-marked SYN packets, so they never reach the target server.
The Windows TCP stack handles the dropped packets as follows:
- The source Windows-based client sends an ECN-marked SYN packet.
- The ISP drops the packet. After approximately 3 seconds without a SYN-ACK, the client retransmits the ECN-marked SYN.
- The retransmitted ECN-marked packet is also dropped. The client waits approximately 6 seconds.
- After two failed attempts, the client sends a SYN packet without the ECN flags. This packet reaches the server and the connection is established.
The total delay before a successful connection is approximately 9 seconds (3 + 6).
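The following PowerShell function is an added example, not part of the original page, for observing the symptom described above from the Windows client: it times a single TCP handshake to the origin and flags a result in the 8 to 10.5 second band as consistent with two lost ECN-marked SYNs (3 s + 6 s) before the ECN-less SYN got through. The host name and port in the usage call are assumptions; replace them with your own origin.

```powershell
# Added example (not from the original page). Times the TCP handshake to a host and
# reports whether the duration matches the ECN fallback pattern (~9 s = 3 s + 6 s).
function Measure-TcpConnect {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        [int]$TimeoutSeconds = 20
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $task = $client.ConnectAsync($TargetHost, $Port)
        # Wait returns $false when the timeout elapses before the handshake completes.
        if (-not $task.Wait([TimeSpan]::FromSeconds($TimeoutSeconds))) {
            throw "Connect to ${TargetHost}:${Port} timed out after $TimeoutSeconds s"
        }
        $sw.Stop()
    }
    finally {
        $client.Dispose()
    }
    $seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
    [pscustomobject]@{
        Target            = "${TargetHost}:${Port}"
        ConnectSeconds    = $seconds
        # Two ECN-marked SYNs lost (3 s, then 6 s back-off) put the handshake at roughly 9 s.
        EcnFallbackLikely = ($seconds -ge 8 -and $seconds -le 10.5)
    }
}

# Assumed origin; replace with your own host and port.
Measure-TcpConnect -TargetHost 'origin.example.com' -Port 443
```

Run it several times rather than once, because a single slow connect can have many causes. A connect time that clusters around 9 seconds while ECN is enabled, and drops to well under a second on the same host after ECN is disabled, is the pattern that points at ECN fallback.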
Confirm the issue
Before you apply the fix, verify that ECN is enabled on your Windows Server instance.
- Log on to the ECS instance. For more information, see Connect to an instance.
- Run Command Prompt as an administrator.
- Run the following command to check the current ECN setting:
netsh int tcp show global
- In the output, find the ECN Capability row. If the value is enabled, ECN is the likely cause of the slow connection establishment.
Solution
- Log on to the ECS instance. For more information, see Connect to an instance.
- Run Command Prompt as an administrator.
- Run the following command to disable ECN:
netsh int tcp set global ecncapability=disabled
Verify the fix
Run the following command to confirm that ECN is disabled:
netsh int tcp show global
The ECN Capability row should display disabled.
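The following PowerShell script is an added example, not part of the original page, that wraps the confirm, disable and verify steps above into one idempotent change: it parses the ECN Capability row of netsh int tcp show global, refuses to run without elevation, applies netsh int tcp set global ecncapability=disabled only when the setting is currently enabled, and re-reads the setting afterwards to prove the change took effect. The function names are my own; the netsh commands are the ones the procedure uses.

```powershell
# Added example (not from the original page). Reads, disables and verifies the global
# TCP ECN Capability setting using the same netsh commands as the procedure.
function Get-TcpEcnCapability {
    # Returns 'enabled' or 'disabled' from the "ECN Capability" row of netsh output.
    $output = netsh int tcp show global
    foreach ($line in $output) {
        if ($line -match '^\s*ECN Capability\s*:\s*(\S+)') {
            return $Matches[1].ToLower()
        }
    }
    throw 'ECN Capability row not found in "netsh int tcp show global" output'
}

function Test-IsAdministrator {
    # netsh int tcp set global requires an elevated session; check before trying.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-TcpEcn {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-IsAdministrator)) {
        throw 'Run this from an elevated (administrator) PowerShell session'
    }

    $before = Get-TcpEcnCapability
    if ($before -eq 'disabled') {
        Write-Host 'ECN Capability is already disabled; nothing to do.'
        return
    }

    # -WhatIf shows the intended change without applying it; the setting is global and persistent.
    if ($PSCmdlet.ShouldProcess('TCP global settings', 'Set ecncapability=disabled')) {
        netsh int tcp set global ecncapability=disabled | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "netsh failed with exit code $LASTEXITCODE"
        }

        # Verify by re-reading the setting rather than trusting the netsh "Ok." message.
        $after = Get-TcpEcnCapability
        if ($after -ne 'disabled') {
            throw "ECN Capability still reports '$after' after the change"
        }
        Write-Host "ECN Capability: $before -> $after"
    }
}

Disable-TcpEcn
```

The parser assumes the English row label "ECN Capability"; on a localized Windows installation, read the value with Get-NetTCPSetting (its EcnCapability property) instead of parsing netsh text. The change applies to the whole TCP stack of the instance, not to a single connection or interface, so apply it on the Windows Server instance that serves as the Anti-DDoS Pro or Anti-DDoS Premium origin.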