
Re: Loaded server or syn-flood?

On 15 Jan 2004 15:40 CET you wrote:

> > TCP: drop open request from [ip-number]/44749
> > TCP: drop open request from [ip-number]/44748
> > TCP: drop open request from [ip-number]/44667
> > NET: 120 messages suppressed.
> I'm afraid we need more info. What is the time interval between the
> messages, how long did it last? Were the IP numbers all different or
> not? Do you monitor load and sysstat on your server? If yes, what does
> it say?

I don't really monitor the server load as there was no need to do it before ...
haven't really thought about it ... until now.

> > It's equipped with two p3-600mhz cpu's and 1gb ram.
> > Vanilla kernel 2.4.21 and debian unstable.
> Definitely upgrade the kernel to 2.4.24, there are several security
> issues in .21

Ok. I've upgraded it to 2.4.24 now. I had the modprobe workaround
enabled in my .21, didn't know there were so many security issues.

> > As this problem seems kind of unresolved it's
> > hard to fix it by bumping up buffers or so.
> > 
> > What's your experience?
> > 
> Our production kernels are compiled with TCP SYN Cookie support, so the
> servers can survive a SYN flood as long as it doesn't max out the
> connection. Apart from that, tight monitoring of resource usage is
> necessary, to ensure the system can physically cope with the load.
> Best of luck and send more info if you seek better advice.
I've also enabled TCP SYN Cookie support now, let's see what happens.
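
The questions asked in the quoted reply (how long the messages lasted, whether the source addresses differ) can be answered from the kernel log itself. The script below is an added example, not part of the original thread; it assumes the classic syslog prefix ("Mon DD HH:MM:SS host kernel:"), and the sample lines, hostname and addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (documentation addresses, hypothetical host "web1").
SAMPLE = """\
Jan 15 14:02:11 web1 kernel: TCP: drop open request from 192.0.2.10/44749
Jan 15 14:02:11 web1 kernel: TCP: drop open request from 192.0.2.10/44748
Jan 15 14:02:12 web1 kernel: TCP: drop open request from 198.51.100.7/44667
Jan 15 14:02:16 web1 kernel: NET: 120 messages suppressed.
Jan 15 14:02:17 web1 kernel: TCP: drop open request from 203.0.113.5/1025
"""

DROP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                  r"TCP: drop open request from (\d+\.\d+\.\d+\.\d+)/(\d+)")
SUPPRESSED = re.compile(r"kernel: NET: (\d+) messages suppressed")


def summarize(text, year=2004):
    """Summarize 'drop open request' lines: volume, duration, source spread."""
    sources = Counter()
    stamps = []
    suppressed = 0
    for line in text.splitlines():
        m = DROP.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies one.
            stamps.append(datetime.strptime(f"{year} {m.group(1)}",
                                            "%Y %b %d %H:%M:%S"))
            sources[m.group(2)] += 1
            continue
        m = SUPPRESSED.search(line)
        if m:
            # Rate-limited messages were never written to the log, so the
            # logged count is only a lower bound on the real number of drops.
            suppressed += int(m.group(1))
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "logged_drops": sum(sources.values()),
        "suppressed": suppressed,
        "distinct_sources": len(sources),
        "span_seconds": span,
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
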

