Setting Connection Timeouts to Save Resources

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Connection timeouts help reduce the amount of memory resources that are consumed by idle connections. Time-out settings also allow you to specify how long server resources are allocated to specific tasks or clients. When you enable connection timeouts, IIS 6.0 enforces the following types of connection timeouts at the connection level:

  • A connection timeout, in which the client has sent data to the server, but the client is now idle. Use the ConnectionTimeout metabase property to set a connection timeout limit for the WWW, FTP, Network News Transfer Protocol (NNTP), and SMTP services.

  • A request timeout, which prevents clients from issuing unreasonably slow requests to the server (for example, 1 bit per second). Use the HeaderWaitTimeout metabase property to set a request timeout for the WWW service.

  • A response timeout, which prevents malicious or malfunctioning clients from consuming resources by holding a connection open with minimal data. Use the MinFileBytesPerSec metabase property to set a response timeout for the WWW service.

Monitoring with Counters to Evaluate Connection Limits

In IIS 6.0, the default connection timeout settings are more restrictive than in earlier versions of IIS, which helps prevent denial of service attacks on the server. To determine whether you can improve performance by changing a default connection timeout setting or by adding an optional setting, begin by obtaining a baseline of how your server performs with the current connection limits. For example, use System Monitor to log the Current Connections, Maximum Connections, and Total Connection Attempts counters on the Web Service and FTP Service objects. Continue logging until you have a good sense of the normal range; typically, logging can take several days to a week or more and must be repeated at regular intervals.

After obtaining baseline performance data for the default configuration, make incremental changes to the connection timeout settings, and then collect additional performance data by using these same counters. Compare the results to determine if changing the connection limits improves performance, keeping in mind that more aggressive limits can increase protection against malicious attacks.

Setting Connection Timeouts by Using IIS Manager

You can set global connection timeouts for the WWW or FTP service, or for individual Web sites and FTP sites. You can also set global connection timeouts on SMTP and NNTP servers. For more information about setting connection timeouts, see Setting Connection Timeouts.

Setting Connection Timeouts by Editing the Metabase

IIS 6.0 provides three metabase properties, ConnectionTimeout, HeaderWaitTimeout, and MinFileBytesPerSec, which you can use to set different types of connection timeouts. In IIS 6.0, these properties replace the ServerListenTimeout metabase property, which is no longer used for the WWW service but can be used for the FTP, SMTP, and NNTP services.

Setting connection timeouts

The ConnectionTimeout metabase property specifies the amount of time (in seconds) that the server waits before disconnecting an inactive connection. IIS applies this timeout limit after the client has sent its first request to the server and then goes idle. The default value is 120 seconds for the WWW and FTP services (global settings); 120 seconds for individual Web and FTP sites; and 10 minutes for the SMTP and NNTP services. (When you change the connection timeout in IIS Manager, you are changing the value of the ConnectionTimeout property.)

For security reasons, the ConnectionTimeout property cannot be disabled. Thus, if you try to set the ConnectionTimeout property to 0, the property retains its previous setting.

Setting request timeouts

The HeaderWaitTimeout metabase property specifies the amount of time (in seconds) that the server waits for the client computer to send all HTTP headers for a request (indicated by a double carriage return) before HTTP.sys resets the connection. The purpose of this property is to help impede a type of denial of service attack in which a client opens connections, never completes the request headers, and holds the connections open to exhaust the server's connection limit. You can apply this connection timeout only at the WWW service level.

For security reasons, the HeaderWaitTimeout property cannot be disabled. Thus, if you try to set the HeaderWaitTimeout property to 0, the property retains its previous setting.

Setting response timeouts

The MinFileBytesPerSec metabase property determines the length of time that the client has to receive the server's entire response to its request. If the client computer does not receive the entire HTTP response within the interval derived from the time-out value (by default, 240 bytes per second), HTTP.sys terminates the connection. You can apply this connection timeout only at the WWW service level.

Configuring the MinFileBytesPerSec metabase property prevents a client computer from sending a request for a large response (such as a file download) and then receiving the response at a maliciously slow rate that is meant to consume resources on the server and potentially interrupt service for other client computers.

The time-out period is calculated by dividing the size of the entire response (including headers) by the value of the MinFileBytesPerSec property to obtain a maximum allowable response time, in seconds. For example, a 2-KB response (2,048 bytes) is allowed 8.5 seconds to complete if MinFileBytesPerSec has the default value of 240 bytes per second.

To accommodate very slow applications, you can disable the MinFileBytesPerSec property by setting the value to 0.
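As an added illustration (not code from the IIS documentation), the following Python models the rules stated above: ConnectionTimeout and HeaderWaitTimeout keep their previous value when set to 0, MinFileBytesPerSec is disabled by 0, and the allowed response time is response size divided by MinFileBytesPerSec. The function names and the dictionary standing in for the metabase are assumptions for the example only.

```python
# Added example, not part of the IIS 6.0 documentation. Models the timeout
# semantics described in the text so they can be checked on sample values.
# The dict used as a "metabase" and the function names are illustrative; the
# real metabase is edited with IIS Manager or the IIS admin scripts.
from typing import Optional

# Default global WWW service values as given in the text and Table 6.11.
DEFAULTS = {
    "ConnectionTimeout": 120,    # seconds of idle time after the first request
    "HeaderWaitTimeout": 0,      # seconds; the table lists it as off by default
    "MinFileBytesPerSec": 240,   # bytes per second; 0 disables the check
}

# Properties that cannot be disabled: setting 0 retains the previous value.
CANNOT_DISABLE = {"ConnectionTimeout", "HeaderWaitTimeout"}


def set_timeout(metabase: dict, name: str, value: int) -> int:
    """Apply a timeout setting under the page's rules; return the effective value."""
    if value < 0:
        raise ValueError("timeout values are non-negative integers")
    if value == 0 and name in CANNOT_DISABLE:
        return metabase[name]      # property retains its previous setting
    metabase[name] = value         # for MinFileBytesPerSec, 0 turns the check off
    return value


def max_response_seconds(response_bytes: int, min_bytes_per_sec: int) -> Optional[float]:
    """Maximum time allowed for the whole response (headers included); None if disabled."""
    if min_bytes_per_sec == 0:
        return None
    return response_bytes / min_bytes_per_sec


def response_timed_out(response_bytes: int, elapsed_seconds: float, min_bytes_per_sec: int) -> bool:
    """True when HTTP.sys would terminate the connection of a too-slow receiver."""
    limit = max_response_seconds(response_bytes, min_bytes_per_sec)
    return limit is not None and elapsed_seconds > limit


if __name__ == "__main__":
    mb = dict(DEFAULTS)
    print(set_timeout(mb, "ConnectionTimeout", 0))                 # 120: cannot be disabled
    print(max_response_seconds(2048, mb["MinFileBytesPerSec"]))    # about 8.53 s for a 2-KB response
    # A 10-MB download received at 100 bytes per second is cut off long before it completes.
    ten_mb = 10 * 1024 * 1024
    print(response_timed_out(ten_mb, ten_mb / 100, mb["MinFileBytesPerSec"]))  # True
```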

Reference to Default Time-out Settings

Additional IIS 6.0 metabase properties set time-out values for ASP, Common Gateway Interface (CGI) scripts, and Internet database connection pooling. Table 6.11 gives a summary of the metabase properties for setting timeouts and the default time-out limit for each property. For information about configuration options, see Code Examples to Configure Metabase Properties. The final column of the table indicates which properties can alternatively be updated in IIS Manager.

Table 6.11 Default Time-out Values for IIS 6.0

  Metabase Property        Default Time-Out Value                     Configured in IIS Manager
  AspQueueTimeout          Unlimited
  AspScriptTimeout         90 seconds                                 Yes
  AspSessionTimeout        20 minutes                                 Yes
  CGITimeout               300 seconds                                Yes
  ConnectionTimeout        120 seconds (Web and FTP);                 Yes
                           10 minutes (SMTP and NNTP)
  HeaderWaitTimeout        None (Turned off by default.)
  MinFileBytesPerSec (1)   240 bytes per second
  PoolIdcTimeout           None (Turned off by default.)

(1) This metabase property cannot be modified in IIS Manager, but it can be modified by adding the MinFileBytesPerSec entry to the Windows registry.

For more information about ASP-related properties and counters, see Monitoring ASP Performance. For information about the registry path for the MinFileBytesPerSec entry, see Global Registry Entries.

Another way to limit connections to your Web server is to use bandwidth throttling. For information, see Throttling Bandwidth to Manage Service Availability. A related way to manage resources is to limit the number of simultaneous connections to your sites and server. For information about limiting connections, see Limiting Connections to Manage Resources.