kernel: TCP: Possible SYN flooding on port 80. Sending cookies.

Discussion in 'Install/Configuration' started by track1, Oct 10, 2011.

  1. track1

    track1 New Member

    Hello,

    Under LiteSpeed server I'm getting these errors in /var/log/messages:


    Oct 10 19:09:27 01 kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
    Oct 10 19:09:27 01 kernel: net_ratelimit: 146 callbacks suppressed
    Oct 10 19:09:22 01 last message repeated 9 times
    Oct 10 19:09:22 01 kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
    Oct 10 19:09:22 01 kernel: net_ratelimit: 677 callbacks suppressed
    Oct 10 19:09:17 01 last message repeated 9 times
    Oct 10 19:09:16 01 kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
    Oct 10 19:09:16 01 kernel: net_ratelimit: 696 callbacks suppressed
    Oct 10 19:09:12 01 last message repeated 9 times
    Oct 10 19:09:11 01 kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
    Oct 10 19:09:11 01 kernel: net_ratelimit: 1309 callbacks suppressed
    Oct 10 19:09:07 01 last message repeated 13 times
    Oct 10 19:08:52 01 kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
    Oct 10 19:08:52 01 kernel: net_ratelimit: 3 callbacks suppressed
    Oct 10 19:07:53 01 last message repeated 9 times
    Oct 10 19:07:53 01 kernel: TCP: Possible SYN flooding on port 80. Sending cookies.
    Oct 10 19:07:53 01 kernel: net_ratelimit: 233 callbacks suppressed



    The server is not under any DoS attack; it is simply getting HUGE traffic.
    It is probably caused by some TCP setting not being correctly tuned. I have been trying sysctl.conf settings, but to no avail.


    some info:

    #netstat -ant | grep 80 | wc -l
    35643

    #netstat -ant | grep 80 | awk '{print $6}' | sort | uniq -c | sort -n
    1 CLOSING
    2 CLOSE_WAIT
    3 LISTEN
    5 LAST_ACK
    49 FIN_WAIT1
    71 FIN_WAIT2
    208 SYN_RECV
    498 ESTABLISHED
    34751 TIME_WAIT
  2. webizen

    webizen New Member

    pls paste result of
  3. track1

    track1 New Member

    current config:

    cat /proc/sys/net/ipv4/tcp_fin_timeout
    3

    cat /proc/sys/net/ipv4/tcp_syncookies
    1




    When disabling tcp_syncookies, I get dropped connection messages instead of "Sending Cookies".
  4. NiteWave

    NiteWave Administrator

    can you list the top 5 IPs in this status?
  5. track1

    track1 New Member

    There aren't any IPs with more than 10 or 15 time out connections; there are thousands of IPs with about 5-15 connections.
  6. webizen

    webizen New Member

    doesn't seem to be lsws related.

    try following to reduce # of time_wait connections.
  7. track1

    track1 New Member

    tcp_tw_recycle was actually set to 1.

    Doing some tests, disabling LiteSpeed smart keep alive seems to lower time_wait connections to 9.000-10.000.
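
As an added example (not part of the thread): the per-state count from the first post and the per-IP breakdown asked for in post 4 can be taken with an exact match on the local port, since `grep 80` also matches port 8080, remote ports and addresses that merely contain "80". The function names and the sample addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample of `netstat -ant` output (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51235       TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.21:33001      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.80:38080     ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

# Per-state socket counts where the LOCAL port is exactly $1 (default 80).
port_states() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ {
            n = split($4, a, ":")        # port is the text after the last colon
            if (a[n] == port) count[$6]++
        }
        END { for (s in count) printf "%7d %s\n", count[s], s }
    ' | sort -n
}

# Top N remote IPs in one state on that local port: top_ips STATE [N] [PORT]
top_ips() {
    awk -v state="$1" -v port="${3:-80}" '
        $1 ~ /^tcp/ && $6 == state {
            n = split($4, l, ":")
            if (l[n] != port) next
            ip = $5; sub(/:[0-9]+$/, "", ip)   # drop the remote port
            hits[ip]++
        }
        END { for (ip in hits) printf "%7d %s\n", hits[ip], ip }
    ' | sort -rn | head -n "${2:-5}"
}

# Demo on the constructed sample; on a live host pipe `netstat -ant` instead.
sample_netstat | port_states 80
sample_netstat | top_ips SYN_RECV 5
```

A SYN_RECV count spread thinly over many addresses, as described in post 5, shows up here as a long list of small per-IP counts rather than a few large ones.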
