Rallavagu,
On 5/2/16 3:20 PM, Rallavagu wrote:
> Tomcat 7.0.47 running on Linux
Upgrade, dude. Disclosed vulnerabilities are available for your
version of Tomcat.
> I have started investigating after noticing following messages
> from "dmesg" output on a production server.
>
> "possible SYN flooding on port 28080. Sending cookies."
>
> Started looking into this as the connections to this server are
> timing out (Connect Timeout errors). Upon further investigation, it
> appears to me that Linux's kernel maintains two different queues, one
> for SYN and one for ESTABLISHED/accept connections.
UNIX sockets don't have an "accept" backlog at all for ESTABLISHED
connections. "accept" is a queue where connections are put when the
kernel has accepted the connection, but the application has not. Once
the application accepts the connection, it's no longer in the "accept"
queue.
> Both are determined by following parameters.
>
> $ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
> 2048
>
> $ cat /proc/sys/net/core/somaxconn
> 128
There are two separate backlogs, but they don't correspond to what you
said above.
> Also, it appears that the second parameter (accept count) is
> determined by the application.
Correct, somewhat. See below.
> For tomcat it defaults to 100. As per this document -
> http://blog.dubbelboer.com/2012/04/09/syn-cookies.html above two
> parameters could be tuned to increase the accepted connections.
> Wondering if Tomcat's "acceptCount"
> (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html)
> parameter is related to "somaxconn" for tuning.
Oddly enough, the kernel has a backlog that the application CANNOT
control. If the application requests a backlog, it will be separate
from the kernel's backlog.
There is nothing you can do at the Tomcat/Java/application level to
avoid a SYN attack. If you are getting a SYN attack, then you need to
increase your SYN backlog, or tweak some of the TCP handshake timeouts
to eliminate connections that aren't actually doing anything.
-chris
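An added example to go with the exchange above (it is not part of the original thread, and it is not Tomcat's or the kernel's own code). It shows the two things a practitioner checks before touching sysctls: what listen backlog Tomcat's acceptCount actually yields once the kernel caps it at net.core.somaxconn (128 here, so acceptCount="1024" alone buys nothing), and how to read accept-queue pressure from `ss -ltn` (for a LISTEN socket Recv-Q is the current accept-queue length and Send-Q is its limit) and SYN-queue pressure from the "possible SYN flooding" kernel messages, which appear when a listener's half-open queue fills and net.ipv4.tcp_syncookies=1. Because the half-open queue is itself bounded by the socket's listen backlog, a small somaxconn can trigger that message under a legitimate burst of connections, not only under an attack. The `ss` and `dmesg` samples are constructed inline so the script runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Tomcat.
# All sample output below is constructed so the script runs offline.

# 1. listen(fd, acceptCount) is silently capped by net.core.somaxconn
#    (net/socket.c), so raising acceptCount above somaxconn changes nothing.
effective_backlog() {
    accept_count=$1   # Tomcat connector acceptCount (default 100 on Tomcat 7)
    somaxconn=$2      # contents of /proc/sys/net/core/somaxconn
    if [ "$accept_count" -gt "$somaxconn" ]; then
        echo "$somaxconn"
    else
        echo "$accept_count"
    fi
}

# 2. In `ss -ltn` output a LISTEN socket's Recv-Q is the current accept-queue
#    length and Send-Q is its limit. Reads ss output on stdin and prints
#    "port current limit FULL|ok" for each listener.
accept_queue_report() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n]   # last ":"-field works for v4 and v6
        cur = $2 + 0; lim = $3 + 0
        print port, cur, lim, (cur >= lim ? "FULL" : "ok")
    }'
}

# Constructed sample of `ss -ltn` (not captured from the poster's server):
# port 28080 has a full accept queue, the AJP port is idle.
SAMPLE_SS="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 128    128    *:28080            *:*
LISTEN 0      128    :::8009            :::*"

report_on_sample() {
    printf '%s\n' "$SAMPLE_SS" | accept_queue_report
}

# 3. The kernel logs "possible SYN flooding on port N. Sending cookies." when
#    the half-open queue of the listener on port N fills and
#    net.ipv4.tcp_syncookies=1. Extract the affected ports (deduplicated)
#    from dmesg-style lines on stdin.
syn_flood_ports() {
    sed -n 's/.*possible SYN flooding on port \([0-9]*\)\..*/\1/p' | sort -un
}

# Constructed dmesg lines (timestamps and ports are made up).
SAMPLE_DMESG="[1234.5] TCP: possible SYN flooding on port 28080. Sending cookies.
[1234.9] TCP: possible SYN flooding on port 28080. Sending cookies.
[1300.1] TCP: possible SYN flooding on port 8009. Sending cookies."

flooded_ports_on_sample() {
    printf '%s\n' "$SAMPLE_DMESG" | syn_flood_ports | tr '\n' ' ' | sed 's/ $//'
}

# Live use on the server (as root; not run here):
#   ss -ltn                                             # Recv-Q/Send-Q per listener
#   nstat -az TcpExtListenOverflows TcpExtListenDrops   # accept-queue overflow counters
#   sysctl -w net.core.somaxconn=1024 net.ipv4.tcp_max_syn_backlog=4096
#   then set acceptCount="1024" on the connector and restart Tomcat, so that
#   effective_backlog 1024 1024 is what listen() really gets.
if [ "${1:-}" = "demo" ]; then
    echo "acceptCount=100,  somaxconn=128 -> backlog $(effective_backlog 100 128)"
    echo "acceptCount=1024, somaxconn=128 -> backlog $(effective_backlog 1024 128)"
    report_on_sample
    echo "listeners reporting SYN flooding: $(flooded_ports_on_sample)"
fi
```

Run it with `sh script.sh demo` to see the sample analysis; on a real host, pipe live `ss -ltn` into accept_queue_report and `dmesg` into syn_flood_ports. A listener that shows FULL in the report while TcpExtListenOverflows keeps climbing is the accept-queue case (the kernel drops the handshake's final ACK, which the client sees as a connect timeout); flood messages without a full accept queue point at the SYN side, where only the kernel settings help, as Chris says.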