Problem description
After you configure Anti-DDoS Pro or Anti-DDoS Premium, connections are slow to establish.
Cause
This issue is caused by the new Explicit Congestion Notification (ECN) feature introduced in Windows Server 2012.
Solution
- Log on to the ECS instance. For more information, see Connect to an instance.
- Run Command Prompt as an administrator and disable ECN.
netsh int tcp set global ecncapability=disabled
Note: ECN is defined in an RFC and aims to reduce the number of packet retransmissions. However, some ISPs in the Chinese mainland block ECN-marked SYN packets, so the target server never receives them. If the source Windows-based client receives no response after sending ECN-marked SYN packets twice, it sends SYN packets without the ECN-related flags, and the connection is then established. The first retransmission requires about 3 seconds, and the second retransmission 6 seconds.
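To confirm this cause from a packet capture taken on the client before changing the setting, the following added example (not part of the original page) scans outbound SYN records for the fallback pattern the note describes: two unanswered ECN-marked SYNs followed by a SYN without ECN flags. The record layout, function names and sample addresses are constructed for illustration, and an ECN-marked SYN is assumed to be one with both the ECE and CWR TCP flags set.

```python
from collections import defaultdict

# TCP flag bits
SYN, ACK, ECE, CWR = 0x02, 0x10, 0x40, 0x80

# Constructed sample records: (time_s, src, sport, dst, dport, tcp_flags)
SAMPLE_SYNS = [
    (0.00, "10.0.0.5", 50001, "203.0.113.10", 443, SYN | ECE | CWR),
    (3.01, "10.0.0.5", 50001, "203.0.113.10", 443, SYN | ECE | CWR),
    (9.02, "10.0.0.5", 50001, "203.0.113.10", 443, SYN),  # fallback SYN
    (1.00, "10.0.0.5", 50002, "198.51.100.7", 443, SYN | ECE | CWR),  # answered
    (20.0, "10.0.0.5", 50003, "203.0.113.10", 80, SYN),  # plain retransmit,
    (23.0, "10.0.0.5", 50003, "203.0.113.10", 80, SYN),  # unrelated to ECN
]

def is_ecn_syn(flags):
    """Initial SYN (no ACK) with both ECE and CWR set."""
    return flags & (SYN | ACK | ECE | CWR) == (SYN | ECE | CWR)

def is_plain_syn(flags):
    """Initial SYN (no ACK) with neither ECN flag set."""
    return flags & (SYN | ACK | ECE | CWR) == SYN

def find_ecn_fallback(records):
    """Return flows where ECN-marked SYNs went unanswered and a plain SYN followed."""
    flows = defaultdict(list)
    for t, src, sport, dst, dport, flags in records:
        if flags & SYN and not flags & ACK:
            flows[(src, sport, dst, dport)].append((t, flags))
    findings = []
    for key, syns in flows.items():
        syns.sort()
        ecn = [t for t, f in syns if is_ecn_syn(f)]
        plain = [t for t, f in syns if is_plain_syn(f)]
        # Signature: at least two ECN-marked SYNs, then a later SYN without ECN flags
        if len(ecn) >= 2 and plain and plain[0] > ecn[-1]:
            findings.append({
                "flow": key,
                "ecn_syns": len(ecn),
                "delay_s": round(plain[0] - ecn[0], 2),  # time lost before fallback
            })
    return findings

if __name__ == "__main__":
    for hit in find_ecn_fallback(SAMPLE_SYNS):
        print(hit)
```

A flow reported here with a delay of roughly 9 seconds matches the 3-second and 6-second retransmissions described in the note.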
Application scope
- Cloud security