RE: [suse-security] is it possible to disable SYN flooding protection for port 80?
Hi Kai,
Don't worry about those log messages, it just means that there was
a high amount of traffic (SYNs in particular) detected on port 80
and that therefore the server will send out SYN cookies.
SYN cookies are a small amount of data that your server includes
in its answers to SYN packets, and that the foreign system(s)
will have to include in their response again (3-way handshake,
someone please correct me if I'm wrong here).
This was designed to prevent spoofed SYNs from exhausting
all resources on your server machine (by leaving tons of half-open
connections).
I would recommend that you don't turn that off, but that's just my
humble opinion.
Hope this helps
Chris Burri
From: "Kai-H. Weutzing"
Subject: [suse-security] is it possible to disable SYN flooding protection for port 80?
Hi,

my webserver sometimes reports:

Jan 20 14:02:11 xxxxxxxx kernel: possible SYN flooding on port 80. Sending cookies.
Jan 20 14:02:11 xxxxxxxx kernel: klogd 1.3-3, ---------- state change ----------
Jan 20 14:02:11 xxxxxxxx kernel: Inspecting /boot/System.map-2.2.18
Jan 20 14:02:11 xxxxxxxx kernel: Loaded 10080 symbols from /boot/System.map-2.2.18.
Jan 20 14:02:11 xxxxxxxx kernel: Symbols match kernel version 2.2.18.
Jan 20 14:02:11 xxxxxxxx kernel: Loaded 258 symbols from 2 modules.

So I think it's no attack but rather high traffic on my webserver. So what can I do? Is it possible to disable the SYN flood protection for port 80 (I didn't like to it) or can I modify the detection parameters of this protection routine? (I didn't like to read the kernel sources and re-compile it :-)

Thx a lot...
Kai

EOT
On Monday, 21 January 2002 11:00, christian.burri@synecta.ch wrote:
Don't worry about those log messages, it just means that there was a high amount of traffic (SYNs in particular) detected on port 80 and that therefore the server will send out SYN cookies. (...) This was designed to prevent spoofed SYNs from exhausting all resources on your server machine (by leaving tons of half-open connections).
I would recommend that you don't turn that off, but that's just my humble opinion.
If you have a really busy server, and your requests come from a busy proxy (aol.com, t-online.de), your syn-flood protection could deny legitimate users. But I agree with you that this setting is useful and should not be deactivated if you don't have a load-balancing cluster where the bottleneck is the public host.

I would investigate further with tools like tcpdump and look if there are only packets to port 80 with the syn-bit set. If the other system does not try to fully establish the connection, the kernel does its best to prevent a DoS attack.

I got messages from scandlogd that an ftp-server tries to port-scan me, and the first time I was about to shut down my machine, but it was myself who activated the yast online update and the other server was responding very fast and sent me all needed files without large gaps.

If he tries to benchmark his system to see how many hits his webserver can support, this setting is probably not needed, but I would do this benchmark in a network not connected to other networks (esp. the internet) and switch this setting off for the duration of the benchmark.

Peter
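A simplified sketch of the SYN-cookie mechanism described in the first reply, added here as an example; it is not code from the thread and not the Linux kernel's implementation. The server packs a time counter, an MSS index and a keyed MAC into the sequence number of its SYN-ACK and only allocates connection state once the client's final ACK echoes a valid value. The bit layout, HMAC-SHA256, the key and the constants are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random secret
MSS_TABLE = [536, 1300, 1440, 1460]   # the cookie carries an index, not the MSS itself
PERIOD = 64                           # seconds per time tick (assumed)
MAX_AGE = 2                           # accept cookies up to 2 ticks old (assumed)

def _mac24(src, sport, dst, dport, client_isn, tick, mss_idx):
    """24-bit keyed MAC over the connection 4-tuple, client ISN, tick and MSS index."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIIB", sport, dport, client_isn, tick, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Sequence number for the SYN-ACK; the server stores nothing per SYN."""
    tick = int(now) // PERIOD
    # Largest table entry not exceeding the client's MSS (index 0 if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = int.from_bytes(
        _mac24(src, sport, dst, dport, client_isn, tick, mss_idx), "big")
    return ((tick % 32) << 27) | (mss_idx << 24) | mac

def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the final ACK of the handshake. Returns the MSS, or None."""
    cookie = (ack - 1) % 2**32        # the client acknowledges cookie + 1
    client_isn = (seq - 1) % 2**32    # the client's SYN used one sequence number
    tick5, mss_idx = cookie >> 27, (cookie >> 24) & 7
    if mss_idx >= len(MSS_TABLE):
        return None
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    now_tick = int(now) // PERIOD
    for tick in range(now_tick, now_tick - MAX_AGE - 1, -1):
        if tick >= 0 and tick % 32 == tick5 and hmac.compare_digest(
                got, _mac24(src, sport, dst, dport, client_isn, tick, mss_idx)):
            return MSS_TABLE[mss_idx]  # only now is connection state allocated
    return None                        # forged, altered or expired cookie
```

A spoofed SYN never leads to a matching ACK, so it costs the server one stateless SYN-ACK instead of a backlog slot.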