
I'm trying to simulate a TCP SYN flood to tune a web server (planning to deploy on AWS).

I set up a 'target' VM, disabled iptables and ran hping (hping -p 80 -i u1000 -c 1000 -S destaddr) from a couple of local 'source' machines (filtering RST in the OUTPUT chain of those).

I was expecting to see 1000 SYN_RECV records in the netstat output of the target server, but I only see 256 max (256 per 'source' machine). I seem to be hitting some limit on the 'target' machine and can't find where it is. tcp_max_syn_backlog is increased to 8096.

Any idea where this limit is set?

Alex I
  • Do you see all the requests leaving the source machine in tcpdump/wireshark? Do you see the requests on the incoming interface on the target in wireshark? – Zoredache Jun 20 '13 at 23:45
  • Yes, I see all 1000 requests on target machine (tcpdump) – Alex I Jun 21 '13 at 13:31

1 Answer

OK, so I asked the same question on webhostingtalk and though I didn't get a direct answer it helped to widen the horizon :)

Basically, I ignored application-level (webserver) limits. But this nice gentleman from the Netherlands dug deeper and posted his very relevant findings here:

http://blog.dubbelboer.com/2012/04/09/syn-cookies.html

Basically the web server (I was using nginx) passes a constant (the listen backlog limit) to the listen function; it is defined here:

https://github.com/git-mirror/nginx/...x_config.h#L97

#define NGX_LISTEN_BACKLOG 511

So kernel limits are not even in play yet.

The nginx constant is compiled in, so I quickly checked Apache; luckily it is configurable:

http://httpd.apache.org/docs/2.0/mod...#listenbacklog

So I set it to 8k and got what I needed (well, 2 packets lost):

source:
hping -S -c 20000 -i u20 -p 80 target

target:
netstat -nta | grep SYN_RECV | wc
8192 49152 729088

Finally, my original 256-connection limit was actually due to the fact that I initially sent requests to port 22 (and sshd obviously has its TCP connection backlog set at 256).

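A quick check for the limit this answer ran into, as an added example that is not part of the thread: it parses `ss -ltn` output (for a LISTEN socket, Send-Q is the backlog the kernel granted to listen(), already capped at somaxconn) and reports listeners whose effective half-open capacity is below the load you want to absorb, so you know when raising tcp_max_syn_backlog alone will not help. The ss output and sysctl values below are constructed sample data; `audit` and the other names are hypothetical helpers.

```python
from typing import Dict, List

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8080        0.0.0.0:*
"""

# Constructed sysctl values. On a real host read them from
# /proc/sys/net/core/somaxconn and /proc/sys/net/ipv4/tcp_max_syn_backlog.
SAMPLE_SYSCTL = {"somaxconn": 4096, "tcp_max_syn_backlog": 8096}


def parse_listeners(ss_output: str) -> List[Dict[str, int]]:
    """Return one record per LISTEN line: port, current accept-queue length
    (Recv-Q) and granted backlog (Send-Q)."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        port = int(cols[3].rsplit(":", 1)[1])
        listeners.append({"port": port, "recv_q": int(cols[1]), "backlog": int(cols[2])})
    return listeners


def effective_syn_capacity(backlog: int, sysctl: Dict[str, int]) -> int:
    """Upper bound on SYN_RECV entries a listener can hold. Simplification:
    the per-listener backlog (listen() argument capped at somaxconn) and
    tcp_max_syn_backlog both bound the SYN queue, so the smallest wins.
    Exact accounting differs between kernel versions."""
    return min(backlog, sysctl["somaxconn"], sysctl["tcp_max_syn_backlog"])


def audit(ss_output: str, sysctl: Dict[str, int], want: int) -> List[int]:
    """Ports whose effective half-open capacity is below `want`; for these
    the fix is the application's listen backlog, not the kernel sysctl."""
    return [
        l["port"] for l in parse_listeners(ss_output)
        if effective_syn_capacity(l["backlog"], sysctl) < want
    ]


if __name__ == "__main__":
    print(audit(SAMPLE_SS, SAMPLE_SYSCTL, want=8192))
```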