SYN flooding

SYN flooding

Geoff Shang geoff at QuiteLikely.com
Wed May 11 20:19:41 IDT 2011 

Hi,

I last week set up a VPS that we're using to run a little Internet radio 
station using Icecast and a handful of other stuff.  I've done this before 
and have even done so professionally, and I've never had to deal with 
this.

Yesterday and today at specific times, I found myself unable to maintain a 
solid connection.  OUr bitrate would fluctuate wildly, with it going as 
low as 2 kbps when we should be able to push a steady 128 kbps stream.

I was able to stream solidly to a server in the USA and pull relay it back 
to the VPS in Paris, and others were able to stream just fine, so I 
started smelling a rat.

And I found it:

May 11 14:33:25 patronus kernel: net_ratelimit: 8 callbacks suppressed
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.
May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port 8000. 
Sending cookies.

Port 8000 is our streaming server.

Since this only seems to happen at certain times and not others, I'm 
thinking that it's personal rather than opportunistic.

I could change the server port, but I expect that if it is personal, this 
won't stop them for long.

I have /proc/sys/net/ipv4/tcp_syncookies enabled.

Is there anything else I can do before I go talk to our hosting provider?

Geoff.

More information about the Linux-il mailing list