
Possible syn flood on webserver



Hi,

I've set up a server using sarge apache2-prefork/php4/kernel-2.6.8 with
a really light website.  For the first high traffic usage of this server,
I limited apache2 to 1000 concurrent connections and we had 1000
concurrent connections with a traffic of about 10Mbit/s. No more
connections were possible so I increased it to 2000 and it went up to
2000. The same happened, so I changed it to 4000 and got 3000 apache
processes. I was able to connect locally with lynx, but not remotely. Ssh
was slow too, server load not much more than 2, memory not full, cpu 50%
idle. And I saw in my logs a lot of "TCP: drop open request from ..." with
a lot of different source IPs. I then enabled syncookies and got a lot of

possible SYN flooding on port 80. Sending cookies.
dropping request, synflood is possible

but the server still didn't respond to new requests.

The server was using ip_conntrack for a little firewalling, so I checked
that /proc/net/ip_conntrack is less than
/proc/sys/net/ipv4/ip_conntrack_max (it was OK).

Any idea of what happened? Was this a synflood, a misconfiguration (maybe
tcp related), ...? Any hints on tuning this configuration?


Thanks for any help :)

-- 
Emmanuel Lacour ------------------------------------ Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37    -     Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com   -    http://www.easter-eggs.com
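
An added example, not part of the original post: one way to triage the kernel messages quoted above is to tally them and see how the dropped requests are spread across source addresses. The log lines are constructed samples, and the `address/port` form after "from" is an assumption, since the post elides it.

```python
import re
from collections import Counter

# Messages quoted in the post. The "address/port" form after "from" is an
# assumption; the post elides what follows "from".
DROP_RE = re.compile(r"TCP: drop open request from (\d{1,3}(?:\.\d{1,3}){3})")
COOKIE_RE = re.compile(r"possible SYN flooding on port (\d+)\. Sending cookies")
DROPPING = "dropping request, synflood is possible"

# Constructed sample lines using documentation address ranges, not real data.
SAMPLE_LOG = """\
Mar  1 20:14:01 web kernel: TCP: drop open request from 192.0.2.10/41022
Mar  1 20:14:01 web kernel: TCP: drop open request from 198.51.100.7/50311
Mar  1 20:14:02 web kernel: TCP: drop open request from 192.0.2.10/41025
Mar  1 20:14:02 web kernel: TCP: drop open request from 203.0.113.99/1188
Mar  1 20:14:03 web kernel: possible SYN flooding on port 80. Sending cookies.
Mar  1 20:14:03 web kernel: dropping request, synflood is possible
Mar  1 20:14:04 web kernel: TCP: drop open request from 198.51.100.23/60210
"""

def summarize(log_text, top=3):
    """Tally the three kernel messages and the spread of dropped sources."""
    sources, cookie_ports, dropping = Counter(), Counter(), 0
    for line in log_text.splitlines():
        drop = DROP_RE.search(line)
        cookie = COOKIE_RE.search(line)
        if drop:
            sources[drop.group(1)] += 1
        elif cookie:
            cookie_ports[int(cookie.group(1))] += 1
        elif DROPPING in line:
            dropping += 1
    drops = sum(sources.values())
    return {
        "drops": drops,
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(top),
        # Share of drops from the busiest source: near 1.0 means one client,
        # a low value means the drops are spread over many addresses.
        "top_share": sources.most_common(1)[0][1] / drops if drops else 0.0,
        "cookie_ports": dict(cookie_ports),
        "dropping_request_msgs": dropping,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A flat spread across many addresses fits spoofed SYNs but also many real clients arriving while the listen queue is full, so the tally narrows the question rather than settling it.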


