
I have a mail server, Debian Linux 2.4.31, which is dropping TCP connections and basically being unavailable. I have iptables running on it and it's pretty much very restrictive.

When I run "netstat -tanp|wc -l" I get 366, while "cat /proc/net/ip_conntrack | wc -l" gives me 124172 because I had increased /proc/sys/net/ipv4/ip_conntrack_max since I would see "ip_conntrack: table full, dropping packet." in dmesg output, and yes, I am still seeing those although I did increase the max.

I would/should enable tcp syn cookies, but for some odd reason the kernel was compiled without it so I can't go forward without recompiling it.

I just wanted to know if these symptoms describe a DDOS so I would go forward in adding tcp_syn_cookies.

Thanks.

A4A

2 Answers


The only way to truly know will be to examine the traffic coming in. Take a network capture using tcpdump from your external facing interface over a period of time.

tcpdump -s 1500 -w <filename>.pcap -i <interface>

^C it when you think that you've captured enough data. Then ideally copy the pcap file to a machine with a GUI and examine with Wireshark.

This should be able to give you a good idea of where to begin next. Chances are that you aren't dealing with a DDOS as such, but potentially a large amount of spam or port scans.

Dan Carley
  • I wouldn't use tcpdump on a production server without the -p flag – Istvan Sep 05 '09 at 11:23
  • I just captured some traffic; problem is this server does handle lots of traffic so it's tough to pinpoint irregular packets. I'm not an expert on Wireshark, so is there an expression that says "show me SYNs without ACKs"? Hmm, maybe if I count tcp.flags.reset? – A4A Sep 05 '09 at 14:11
  • Here's a follow-up: I gave up on proving that I am under DDOS and I booted a kernel that does have tcp_syn_cookies, and now I'm getting "possible SYN flooding on port 25. Sending cookies", although they are few, 10 messages for the past 17 hours. But the server is running great, no dropped TCP packets, and "cat /proc/net/ip_conntrack | wc -l" gives 9676, which is two orders of magnitude less than what I had previously. Thank you all. – A4A Sep 06 '09 at 08:18
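
Complementing the packet-capture advice above, the conntrack table itself already records which entries are half-open. The following is an added example, not code from the thread or from any of the posters: it parses the 2.4-era /proc/net/ip_conntrack text layout and counts TCP entries by state, then attributes the SYN_SENT/SYN_RECV entries to their originating address and destination port, which is what distinguishes "someone is flooding port 25" from "my own box is opening thousands of connections to another host". The SAMPLE lines and all addresses in them are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the 2.4-era /proc/net/ip_conntrack layout (not real data).
# SYN_SENT entries tagged [UNREPLIED] are outbound half-open connections;
# SYN_RECV entries are inbound handshakes the server has not finished.
SAMPLE = """\
tcp      6 117 SYN_SENT src=10.1.1.20 dst=203.0.113.7 sport=40001 dport=783 [UNREPLIED] src=203.0.113.7 dst=10.1.1.20 sport=783 dport=40001 use=1
tcp      6 117 SYN_SENT src=10.1.1.20 dst=203.0.113.7 sport=40002 dport=783 [UNREPLIED] src=203.0.113.7 dst=10.1.1.20 sport=783 dport=40002 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=10.1.1.20 sport=51515 dport=25 src=10.1.1.20 dst=198.51.100.9 sport=25 dport=51515 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=10.1.1.20 dst=203.0.113.7 sport=40003 dport=783 src=203.0.113.7 dst=10.1.1.20 sport=783 dport=40003 [ASSURED] use=1
tcp      6 55 SYN_RECV src=192.0.2.44 dst=10.1.1.20 sport=1025 dport=25 src=10.1.1.20 dst=192.0.2.44 sport=25 dport=1025 use=1
udp      17 29 src=10.1.1.20 dst=10.1.1.1 sport=5353 dport=53 src=10.1.1.1 dst=10.1.1.20 sport=53 dport=5353 use=1
"""

# Only TCP entries carry a state column; the first src/dst/sport/dport
# quadruple is the original (initiating) direction of the flow.
ENTRY = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=\d+\s+dport=(?P<dport>\d+)"
)

HALF_OPEN = ("SYN_SENT", "SYN_RECV")


def summarize(text):
    """Return (entries per state, half-open per originator, half-open per dport)."""
    states = Counter()
    half_open_by_src = Counter()
    half_open_by_dport = Counter()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # udp/icmp lines have no state field and are skipped
        states[m["state"]] += 1
        if m["state"] in HALF_OPEN:
            half_open_by_src[m["src"]] += 1
            half_open_by_dport[m["dport"]] += 1
    return states, half_open_by_src, half_open_by_dport


if __name__ == "__main__":
    # On a live 2.4 box, feed the real table instead of the sample.
    states, by_src, by_dport = summarize(SAMPLE)
    print("states:", dict(states))
    print("half-open by originator:", by_src.most_common(5))
    print("half-open by dport:", by_dport.most_common(5))
```

On a live system, `summarize(open("/proc/net/ip_conntrack").read())` gives the same breakdown; a single originator or a single destination port dominating the half-open counts is the pattern worth comparing against the capture.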

What is the state of the netstat -antp connections?

I guess you have connections that somehow got stuck, and the entries remain until an RST packet is sent. If you have a flaky network somewhere between you and the clients accessing your server, it can cause certain packets to be dropped and your table will be full.

Better to check the entries and try to figure out what the pattern is for the not properly closed connections.

It might also happen because your NIC is broken in some way.

Istvan
  • Thanks. eth0 looks fine: RX packets:266838645 errors:7 dropped:0 overruns:0 frame:4 TX packets:301851360 errors:0 dropped:0 overruns:0 carrier:0 OK, it has 7 errors, but I doubt it would be the cause with that much traffic, right? You know what, I just checked netstat as you suggested: I have 106 TCP connections in two states, either SYN_SENT or TIME_WAIT, nothing else. Stupid thing is these are going to another machine of mine that has spamassassin :( Oops, am I DDOSing myself? – A4A Sep 05 '09 at 10:23
  • Umm, how do you insert line breaks? Does this work? – A4A Sep 05 '09 at 10:24
  • please paste it again and press the 010101 formatting – Istvan Sep 05 '09 at 11:23