
One of my servers is getting DOS'ed - there are a large number of connections in the CLOSE_WAIT state which are preventing legitimate users from connecting to the system.

So is there any way to close the CLOSE_WAIT connection without killing the underlying server process? Killing the process would result in downtime which I want to avoid.

Is there any other way?

HopelessN00b
Heisnberg
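A socket in CLOSE_WAIT has already received the peer's FIN and is waiting for the local application to close() it, so only the process that owns the socket can release it. Before deciding on a mitigation it helps to see which listening port and which peers account for the backlog. The following script is an added example, not part of the original question: it parses the plain-text output of iproute2's `ss -tan` (also accepting netstat's CLOSE_WAIT spelling) and counts CLOSE_WAIT sockets per peer and local port. The sample output embedded in it is constructed, not a real capture.

```python
"""Summarise CLOSE_WAIT sockets per peer from `ss -tan` output.

Added example, not from the original post. It reads the plain text format
printed by iproute2's `ss -tan` (columns State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port) and also tolerates netstat's
CLOSE_WAIT spelling; the sample output below is constructed, not a capture.
"""
from collections import Counter

# Constructed sample of `ss -tan` output; addresses are documentation ranges.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN     0      128    0.0.0.0:27015           0.0.0.0:*
ESTAB      0      0      10.0.0.5:27015          198.51.100.7:51234
CLOSE-WAIT 1      0      10.0.0.5:27015          203.0.113.9:40001
CLOSE-WAIT 1      0      10.0.0.5:27015          203.0.113.9:40002
CLOSE-WAIT 1      0      10.0.0.5:27015          203.0.113.9:40003
CLOSE-WAIT 1      0      10.0.0.5:27015          203.0.113.22:3300
CLOSE-WAIT 0      0      [::ffff:10.0.0.5]:22    [::ffff:192.0.2.4]:55000
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); IPv6 hosts lose their brackets."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_ss(text):
    """Yield (state, local_host, local_port, peer_host, peer_port) per socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # skip the header and blank lines
        local_host, local_port = split_endpoint(fields[3])
        peer_host, peer_port = split_endpoint(fields[4])
        yield fields[0], local_host, local_port, peer_host, peer_port


def close_wait_by_peer(text):
    """Count CLOSE_WAIT sockets keyed by (peer_host, local_port)."""
    counts = Counter()
    for state, _local_host, local_port, peer_host, _peer_port in parse_ss(text):
        if state.replace("-", "_") == "CLOSE_WAIT":
            counts[(peer_host, local_port)] += 1
    return counts


def worst_offenders(text, limit=3):
    """The peers holding the most CLOSE_WAIT sockets, most first."""
    return close_wait_by_peer(text).most_common(limit)


if __name__ == "__main__":
    for (peer, port), n in worst_offenders(SAMPLE_SS_OUTPUT):
        print(f"{n:4d} CLOSE_WAIT from {peer} on local port {port}")
```

On a live host, feed it the real output (`ss -tan | python3 this_script.py` after reading stdin, or paste the text) and the top entries tell you both which service is failing to close its sockets and which sources are driving the count, which is the input any per-IP firewall rule needs.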

1 Answer


As far as I know there is no way to close the CLOSE_WAIT connection without killing the process.

Perhaps you could use iptables and its recent module to stop multiple connection attempts in a short space of time to the same TCP server port and from the same IP.

Here is an example (change eth0 to your network interface or just remove it):

iptables -N LOGDOS
iptables -A LOGDOS -m limit --limit 5/minute --limit-burst 5 -j ULOG --ulog-nlgroup 1 --ulog-prefix "LOGDOS" --ulog-cprange 0 --ulog-qthreshold 1
iptables -A LOGDOS -j DROP
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 27015 -m state --state NEW -m recent --set --name cssdos
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 27015 -m state --state NEW -m recent --update --name cssdos --seconds 60 --hitcount 4 -j LOGDOS
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 27015 -j ACCEPT

Short explanation:

  1. First 3 lines will be used by ulogd. It enables us to log the dropped traffic. We are creating a new iptables chain called LOGDOS.
  2. The 4th line accepts established connections.
  3. The 5th line will be used by the recent module to track new connections.
  4. The 6th line will be used by the recent module. In case there are more than 3 new connections from the same IP in less than 60 secs, it will be sent to the LOGDOS chain.
  5. The LOGDOS chain will use the ulogd daemon to write a log (for example in /var/log/ulog/syslogemu.log, it all depends on the ulog configuration) and by default it will drop the connection.

Hopefully this will work for you.

Gooseman
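The threshold in the answer's rules 5 and 6 is easy to misjudge, because `--set` records a hit for every new connection before `--update --seconds 60 --hitcount 4` counts them, and a matching `--update` writes yet another timestamp. The following is an added example, not code from the answer: a small model of that xt_recent behaviour replayed over a constructed trace of new-connection attempts, so the effect of `--seconds` and `--hitcount` can be checked before the rules go live. Rule 4 (ESTABLISHED traffic) and the ulogd logging are outside the model.

```python
"""Model of the `-m recent` rate limit from the answer above.

Added example, not from the original post. It simulates what rules 5 and 6
(`--set`, then `--update --seconds 60 --hitcount 4`) decide for a constructed
sequence of new-connection attempts, following the xt_recent semantics: every
hit is recorded, a match needs `hitcount` hits inside the window, and a
matching `--update` records a further hit.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
MAX_STAMPS = 20       # xt_recent ip_pkt_list_tot default: timestamps kept per address


class RecentTable:
    """Per-source list of hit timestamps, like /proc/net/xt_recent/cssdos."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, max_stamps=MAX_STAMPS):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def new_connection(self, src_ip, now):
        """Decide 'ACCEPT' or 'LOGDOS' for a new connection from src_ip at `now` seconds."""
        stamps = self.stamps[src_ip]
        stamps.append(now)  # rule 5: --set records this hit unconditionally
        # rule 6: --update --seconds 60 --hitcount 4 counts hits inside the window
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        if hits >= self.hitcount:
            stamps.append(now)  # --update refreshes the entry when it matches
            return "LOGDOS"     # -> LOGDOS chain: logged by ulogd, then DROP
        return "ACCEPT"         # rule 7: other NEW connections on the port are accepted


def replay(events, **table_args):
    """Run a list of (seconds, source_ip) new-connection events through one table."""
    table = RecentTable(**table_args)
    return [(t, ip, table.new_connection(ip, t)) for t, ip in events]


def decisions_for(events, src_ip, **table_args):
    """Decisions for one source address, in event order."""
    return [d for _, ip, d in replay(events, **table_args) if ip == src_ip]


# Constructed trace of new-connection attempts: (seconds since start, source IP).
SAMPLE_EVENTS = [
    (0, "203.0.113.9"), (1, "198.51.100.7"), (5, "203.0.113.9"),
    (10, "203.0.113.9"),
    (12, "203.0.113.9"),   # 4th hit in 60 s -> LOGDOS, and a 5th stamp is written
    (30, "198.51.100.7"),
    (70, "203.0.113.9"),   # stamps 10, 12, 12, 70 are inside the window -> still LOGDOS
    (75, "203.0.113.9"),   # only 70, 70, 75 remain in the window -> ACCEPT again
]

if __name__ == "__main__":
    for t, ip, decision in replay(SAMPLE_EVENTS):
        print(f"t={t:3d}s {ip:<14} {decision}")
```

The replay shows the consequence of choosing `--update` rather than `--rcheck`: because a matching `--update` refreshes the entry, a source that trips the limit stays blocked until enough of its hits age out of the 60-second window, while `--rcheck` would count hits without refreshing. On current kernels the live table can be inspected in `/proc/net/xt_recent/cssdos`, which is the quickest way to confirm which sources the rules are actually holding.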