SYN flooding

Shachar Shemesh shachar at shemesh.biz
Wed May 11 20:38:59 IDT 2011


On 11/05/11 20:19, Geoff Shang wrote:

> Hi,
>
> I last week set up a VPS that we're using to run a little Internet 
> radio station using Icecast and a handful of other stuff.  I've done 
> this before and have even done so professionally, and I've never had 
> to deal with this.
>
> Yesterday and today at specific times, I found myself unable to 
> maintain a solid connection.  Our bitrate would fluctuate wildly, with 
> it going as low as 2 kbps when we should be able to push a steady 128 
> kbps stream.
>
> I was able to stream solidly to a server in the USA and pull relay it 
> back to the VPS in Paris, and others were able to stream just fine, so 
> I started smelling a rat.
>
> And I found it:
>
> May 11 14:33:25 patronus kernel: net_ratelimit: 8 callbacks suppressed
> May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.
> May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port 
> 8000. Sending cookies.

This might not be a SYN attack at all. This might be just packets arriving 
too fast to be handled. Could it be that, during the times the "attack" is 
arriving, something particularly interesting is on, and the number of 
listeners spikes up and overflows the VPS's capacity?

Are there SYN cookie statistics saying how many SYNs vs. how many ACKs 
arrive? If not, try to disable SYN cookies, and see whether the number 
of connections in SYN_RECV state (netstat -a) is steady or increasing 
over the minute or so after disabling cookies. If it is not increasing, 
then this is not an attack.

Shachar
>
> Port 8000 is our streaming server.
>
> Since this only seems to happen at certain times and not others, I'm 
> thinking that it's personal rather than opportunistic.
>
> I could change the server port, but I expect that if it is personal, 
> this won't stop them for long.
>
> I have /proc/sys/net/ipv4/tcp_syncookies enabled.
>
> Is there anything else I can do before I go talk to our hosting provider?
>
> Geoff.
>


-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
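
The check suggested in the reply above, as an added example that is not part of the original thread: it reads the kernel's SYN-cookie counters from /proc/net/netstat and samples the SYN_RECV count on port 8000 from /proc/net/tcp for about a minute. The function names, the trend heuristic and the sample data are assumptions constructed for illustration; it covers IPv4 sockets only.

```python
import time

SYN_RECV = "03"  # state code the kernel prints for SYN_RECV in /proc/net/tcp

# Constructed sample data in the kernel's /proc text formats (not from the thread).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:1F40 0200A8C0:C350 03 00000000:00000000 01:00000064 00000000     0        0 0
   2: 0A00000A:1F40 0300A8C0:C351 03 00000000:00000000 01:00000064 00000000     0        0 0
   3: 0A00000A:1F40 0400A8C0:C352 01 00000000:00000000 00:00000000 00000000     0        0 1002
   4: 0A00000A:0016 0500A8C0:C353 03 00000000:00000000 01:00000064 00000000     0        0 0
"""
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 5000 4200 12 3
"""

def count_syn_recv(proc_net_tcp, port):
    """Count half-open (SYN_RECV) sockets whose local port is `port`."""
    n = 0
    for line in proc_net_tcp.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 4 and f[3] == SYN_RECV and int(f[1].rsplit(":", 1)[1], 16) == port:
            n += 1
    return n

def syncookie_stats(proc_net_netstat):
    """Return the TcpExt Syncookies* counters: cookies sent, valid ACKs, failed ACKs."""
    rows = [l.split() for l in proc_net_netstat.splitlines() if l.startswith("TcpExt:")]
    if len(rows) < 2:
        return {}
    table = dict(zip(rows[0][1:], map(int, rows[1][1:])))
    return {k: v for k, v in table.items() if k.startswith("Syncookies")}

def trend(samples):
    """Assumed heuristic: 'increasing' if the count ends higher and mostly rose."""
    if len(samples) < 2:
        return "steady"
    rises = sum(b > a for a, b in zip(samples, samples[1:]))
    return "increasing" if samples[-1] > samples[0] and rises * 2 > len(samples) - 1 else "steady"

if __name__ == "__main__":
    port = 8000                                         # streaming port named in the thread
    with open("/proc/net/netstat") as fh:
        print(syncookie_stats(fh.read()))
    samples = []
    for _ in range(12):                                 # 12 samples, 5 s apart: about a minute
        with open("/proc/net/tcp") as fh:
            samples.append(count_syn_recv(fh.read(), port))
        time.sleep(5)
    print(samples, trend(samples))
```

A SyncookiesRecv value that tracks SyncookiesSent means most cookies are being answered with a valid ACK, which points to real clients rather than a flood.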



