Re: Loaded server or syn-flood?
On 15 Jan 2004 15:40 CET you wrote:
> > TCP: drop open request from [ip-number]/44749
> > TCP: drop open request from [ip-number]/44748
> > TCP: drop open request from [ip-number]/44667
> > NET: 120 messages suppressed.
> I'm afraid we need morei info. What is the time interval between the
> messages, how long did it last? Were the IP numbers all different or
> not? Do you monitor load and sysstat on your server? If yes, what does
> it say?
I dont really monitor the serverload as there was no need to do it before ...
havn't really thought about it ... until now.
> > It's equipped with two p3-600mhz cpu's and 1gb ram.
> > Vanilla kernel 2.4.21 and debian unstable.
> Definitiley upgrade the kernel do 2.4.24, there are several security
> issues in .21
Ok. I've upgraded it to 2.4.24 now. I had the modprobe workaround
enabled in my .21, didnt know there was so many security issues.
> > As this problem seems kind of unresolved it's
> > hard to fix it by bumping up buffers or so.
> > What's your experience?
> Our production kernels are compiled with TCP SYN Cookie support, so the
> servers can survive a SYN flood as long as it doesn't max out the
> connection. Apart form that, tight monitoring of resource usage is
> necessary, to ensure the system can physically cope with the load.
> Best of luck and send more info if you seek a better advice.
I've also enabled TCP SYN Cookie support now, let's see what happens.