Were these people just using p2p excessively - i.e. queuing loads of things in p2p software?
Seeing this in the event log doesn't necessarily mean there is a problem.
Trying to not confuse things further I'll elaborate, but if you're not already familiar with how TCP connections work you'll probably have to do some reading.
Under XP SP2 there is a 10 half-open connection queue; this queue does not restrict the total connections you have but rather just the connections that are not fully established. Let's say you are running a P2P application and you have an average response time of 100ms to each host your machine connects to. Using this example you would be able to establish a connection with 100 remote hosts per second (not that it matters because even on a very fast pipe you would probably saturate your bandwidth with less than 100 connections). It's possible that when you first launch your application it requests more than 10 connections which would fill the 10 half-open connection queue and would give you an error in your event log; however that queue would flush quickly as the connections became established. About the only legitimate traffic the queue would slow down at this rate would be when the application initially attempts to establish a lot of connections at once; and the amount that it would be slowed down would be very minimal (a couple-hundred milliseconds at most).
So if you can still connect to a lot of hosts with this queue why is it a good thing?
The way most worms work is they attempt to connect to random addresses. Since the majority of the randomly generated addresses are going to be either empty or firewalled the worm would have to first wait for the connection to time-out before it can attempt to connect to another address. This process doesn't stop the spread of worms; what it effectively does is slow the rate at which a machine can attempt to connect to nonexistent hosts.
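
An added example, not part of the original post: a simplified model of the queue as described above, in which each outbound attempt holds one of 10 half-open slots until the peer answers or the attempt times out. The 21-second timeout, the function names and the 2% live-host figure are assumptions chosen for illustration, not values from the post or from Windows itself.

```python
import heapq
import random


def simulate(attempts, slots=10, rtt=0.1, timeout=21.0, live_fraction=1.0, seed=1):
    """Seconds until `attempts` outbound connects have all resolved.

    Simplified model of the post's description: an attempt occupies one
    half-open slot until the peer answers (rtt) or it times out (timeout).
    Not the actual Windows TCP/IP stack logic; timeout is an assumed value.
    """
    rng = random.Random(seed)        # seeded so runs are repeatable
    free_at = [0.0] * slots          # min-heap: time at which each slot frees up
    finished = 0.0
    for _ in range(attempts):
        start = heapq.heappop(free_at)    # wait for the earliest free slot
        answered = rng.random() < live_fraction
        end = start + (rtt if answered else timeout)
        heapq.heappush(free_at, end)
        finished = max(finished, end)
    return finished


def rate(attempts, **kwargs):
    """Average resolved connection attempts per second."""
    return attempts / simulate(attempts, **kwargs)


if __name__ == "__main__":
    # P2P client talking to hosts that all answer in 100 ms.
    print(f"all hosts live:      {rate(1000):6.1f} attempts/s")
    # Start-up burst of 30 connections: last one resolves after 3 rounds.
    print(f"burst of 30 done in: {simulate(30):6.2f} s")
    # Random scanning where only 2% of addresses answer (constructed figure).
    print(f"2% of hosts live:    {rate(1000, live_fraction=0.02):6.2f} attempts/s")
    # Every address empty or firewalled: slots are held for the full timeout.
    print(f"no hosts live:       {rate(1000, live_fraction=0.0):6.2f} attempts/s")
```

With responsive peers the slots recycle every round trip, so the cap is barely visible; when most attempts go unanswered, every slot sits occupied for the full timeout and the attempt rate collapses.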