I am running a server that is running a service on port 59380. There are more than 1000 machines out there connecting to that service. Once I need to restart the service, all those machines are connecting at the same time.

That made some trouble, as I have seen this log entry in kern.log:

TCP: Possible SYN flooding on port 59380. *Sending cookies*.  Check SNMP counters.

So I changed sysctl net.ipv4.tcp_syncookies to 0 because the endpoints do not handle TCP SYN cookies correctly. Finally I restarted my network to get the changes into production.

Next time I had to restart the service, the following message was logged:

TCP: Possible SYN flooding on port 59380. *Dropping request*.  Check SNMP counters.

How can I prevent the system from doing such actions? All necessary countermeasures are done by iptables...

mlaug
  • 202

2 Answers

Do not disable SYN cookies; that is incredibly counter-productive. As you can see, instead of the host falling back to cookie'd sockets, it simply drops it.

The correct thing to do is adjust net.ipv4.tcp_max_syn_backlog to a high enough value that it no longer fires this warning.

You will probably also want to adjust the TCP stack in general to have more memory; a cursory Google search for "Linux TCP Tuning" should provide what you need.

Olipro
  • 3,087
  • It should be noted that 65535 is the maximum possible value. – stamster Apr 25 '18 at 13:11
  • It should also be noted that in the listen man page, it says: "When syncookies are enabled there is no logical maximum length and this setting [tcp_max_syn_backlog] is ignored. See tcp(7) for more information." – Halfgaar Nov 29 '21 at 17:09
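An added example, not part of this thread or any answer in it, for acting on the kernel's "Check SNMP counters" hint: a POSIX shell snippet that reads the syncookie and listen-queue counters from /proc/net/netstat and shows the sysctls discussed above (read-only; it changes nothing). The sample counter lines are constructed for the example.

```shell
# Parse the TcpExt block of /proc/net/netstat: one "TcpExt:" line of counter
# names followed by one "TcpExt:" line of values. Prints the counters that
# explain a "Possible SYN flooding" message: cookies sent/received/failed,
# and drops on the listening socket (ListenOverflows = accept queue full).
syn_counters() {
  file="${1:-/proc/net/netstat}"
  awk '
    $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) name[i] = $i; seen = 1; next }
    $1 == "TcpExt:" && seen  { for (i = 2; i <= NF; i++) val[name[i]] = $i; exit }
    END {
      n = split("SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops", want, " ")
      for (i = 1; i <= n; i++) {
        v = (want[i] in val) ? val[want[i]] : "n/a"
        printf "%s=%s\n", want[i], v
      }
    }' "$file"
}

# Show the knobs from the answer and its comments: syncookies on/off, the SYN
# backlog, and net.core.somaxconn, which caps the backlog a listen() can ask for.
syn_settings() {
  for key in net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.core.somaxconn; do
    printf '%s=%s\n' "$key" "$(sysctl -n "$key" 2>/dev/null || echo n/a)"
  done
}

# Constructed sample in the kernel's format so the parser can be exercised
# offline; the numbers are made up for this example.
sample_netstat() {
  cat <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 42 7 3 0 120 125
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
}

# Demo against the constructed sample. On a Linux host, `syn_counters` with no
# argument reads the live counters and `syn_settings` the live sysctls.
tmp=$(mktemp); sample_netstat > "$tmp"; syn_counters "$tmp"; rm -f "$tmp"
```

Rising SyncookiesSent during a restart means cookies are absorbing the burst; rising ListenOverflows means the accept queue itself is full, which no SYN backlog setting fixes until the service accepts faster or the listen backlog is raised.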
Also read the following pages. Maybe you should check again.

http://lwn.net/Articles/277146/

https://lkml.org/lkml/2008/2/5/167