
On our Linux server we get, from time to time, the well-known SYN flood message:

possible SYN flooding on port 80

This is probably not an attack, because website traffic is high.

However, for some time now those messages have been coming every ~60 seconds. What I mean is the following:

Aug 16 01:22:44 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:23:45 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:25:05 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:26:06 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:27:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:28:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:29:14 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:30:39 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:31:41 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:32:53 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:33:57 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:35:03 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:36:27 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:37:30 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:38:44 amadeus kernel: possible SYN flooding on port 80. Sending cookies.

Is this just a coincidence or not? Because of the traffic, I would not worry about lots of "possible SYN flooding" messages, but these come every 60 seconds.

Here are our custom settings in /etc/rc.local:

# 3M connection-tracking entries
echo 3145728 > /proc/sys/net/netfilter/nf_conntrack_max

# 256k orphaned (not attached to any process) TCP sockets
echo 262144 > /proc/sys/net/ipv4/tcp_max_orphans

# TCP memory thresholds in pages: low, pressure, high
echo 1048576 1572864 4194304 > /proc/sys/net/ipv4/tcp_mem

# Neighbour Table Overflow
echo  4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo  8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 16384 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

# Reuse TIME_WAIT sockets for new outgoing connections
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
# Fast TIME_WAIT recycling (breaks clients behind NAT; removed in Linux 4.12)
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle

# Disable ip_forward
echo "0" > /proc/sys/net/ipv4/ip_forward

# Enable SYN Cookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Expire half-open (SYN_RECV) conntrack entries after 40 seconds
echo 40 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv

(Sorry if this question is a duplicate, but I did not find any similar problem.)

Nick

1 Answer


I had a read through a similar question and all the answers, and I think you should try what @Jeff is suggesting in his answer (which isn't the accepted answer), which is raising the listen backlog of both the application running on port 80 and the kernel.

It appears that the message occurs when the "queue" or "backlog" for incoming connections is being filled.

E.g. for apache2 he writes:

To solve this, I add the following line to /etc/apache2/ports.conf or one of the other .conf files that will be loaded by Apache (/etc/apache2/apache2.conf should also be OK):

ListenBackLog 5000

And then raise the tcp_max_syn_backlog to the same value:

sudo sysctl -w net.ipv4.tcp_max_syn_backlog=5000
thelogix
Comment: We set ListenBackLog 8192 and net.ipv4.tcp_max_syn_backlog=8192, and for the moment the SYN cookies message has dissipated. We will see if this has a positive effect on our traffic. – Nick Aug 20 '14 at 12:43
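An added example, not part of the question or the answer: a small Python script that parses the kernel lines quoted above and measures the gap between consecutive warnings. In 2.6-era kernels this particular warning is rate-limited to at most one print per 60 seconds, so a run of gaps sitting at or just above 60 s means the SYN backlog is overflowing continuously (the condition the backlog increase in the answer addresses), not in isolated bursts. The year 2014, the 15 s tolerance and the 50% threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the first ten kernel lines from the question (host "amadeus").
SAMPLE_LOG = """\
Aug 16 01:22:44 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:23:45 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:25:05 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:26:06 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:27:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:28:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:29:14 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:30:39 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:31:41 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:32:53 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
"""

WARN_RATE_LIMIT_S = 60     # 2.6-era kernels print this warning at most once per minute
NEAR_FLOOR_MARGIN_S = 15   # assumed tolerance for "right at the rate-limit floor"

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                     r"possible SYN flooding on port (?P<port>\d+)\.")

def parse_events(text, year=2014):
    """Yield (port, datetime) per warning; syslog lines carry no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["port"]), datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")

def analyze(text, port=80):
    """Gap statistics between consecutive warnings for one port."""
    times = [ts for p, ts in parse_events(text) if p == port]
    gaps = []
    for a, b in zip(times, times[1:]):
        if b < a:                          # assumed year wrapped (Dec 31 -> Jan 1)
            b = b.replace(year=b.year + 1)
        gaps.append((b - a).total_seconds())
    if not gaps:
        return {"events": len(times), "sustained": False}
    near = sum(WARN_RATE_LIMIT_S <= g <= WARN_RATE_LIMIT_S + NEAR_FLOOR_MARGIN_S for g in gaps)
    return {"events": len(times), "min_gap": min(gaps), "max_gap": max(gaps),
            "mean_gap": sum(gaps) / len(gaps), "near_floor": near,
            # warnings arriving as fast as the rate limit allows => the backlog
            # is overflowing continuously, which is what a higher backlog addresses
            "sustained": near / len(gaps) >= 0.5}
```

Run it on the real log with `analyze(open("/var/log/messages").read())`; a result with "sustained": True is the case the answer's ListenBacklog/tcp_max_syn_backlog change is meant for.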