
Rallavagu,

On 5/2/16 3:20 PM, Rallavagu wrote:
> Tomcat 7.0.47 running on Linux

Upgrade, dude. Disclosed vulnerabilities are available for your
version of Tomcat.

> I have started investigating after noticing following messages
> from "dmesg" output on a production server.
> 
> "possible SYN flooding on port 28080. Sending cookies."
> 
> Started looking into this as the connections to this server are
> timing out (Connect Timeout errors). Upon further investigation, it
> appears to me that Linux's kernel maintains two different queues, one
> for SYN and one for ESTABLISHED/accept connections.

UNIX sockets don't have an "accept" backlog at all for ESTABLISHED
connections. "accept" is a queue where connections are put when the
kernel has accepted the connection, but the application has not. Once
the application accepts the connection, it's no longer in the "accept"
queue.

> Both are determined by following parameters.
> 
> $ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
> 2048
> 
> $ cat /proc/sys/net/core/somaxconn
> 128

There are two separate backlogs, but they don't correspond to what you
said above.

> Also, it appears that the second parameter (accept count) is
> determined by the application.

Correct, somewhat. See below.

> For tomcat it defaults to 100. As per this document -
> http://blog.dubbelboer.com/2012/04/09/syn-cookies.html above two 
> parameters could be tuned to increase the accepted connections. 
> Wondering if Tomcat's "acceptCount" 
> (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html)
> parameter is related to "somaxconn" for tuning.

Oddly enough, the kernel has a backlog that the application CANNOT
control. If the application requests a backlog, it will be separate
from the kernel's backlog.

There is nothing you can do at the Tomcat/Java/application level to
avoid a SYN attack. If you are getting a SYN attack, then you need to
increase your SYN backlog, or tweak some of the TCP handshake timeouts
to eliminate connections that aren't actually doing anything.

-chris
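As an added example (editor's illustration, not part of Chris's reply, the original post, or Tomcat itself), a small POSIX shell helper that puts the two kernel queues discussed above side by side with the value Tomcat hands to listen() through acceptCount (default 100 per the Tomcat 7 HTTP connector docs linked in the thread). It assumes a Linux host with iproute2 `ss` and `/proc/net/netstat`; it goes slightly beyond the thread by also reading the TcpExt counters that record accept-queue overflows and SYN-cookie fallbacks, and the `ss`/netstat samples at the bottom are constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Editor's diagnostic helper (not from the thread or from Tomcat). Shows the
# SYN queue limit, the accept queue cap, the effective accept backlog for a
# given acceptCount, the live accept queue depth, and the kernel counters
# that tick when either queue fills. Assumes Linux, iproute2 `ss`, and
# /proc/net/netstat.

# The backlog an application passes to listen() is silently capped by
# net.core.somaxconn, so the accept queue limit is min(acceptCount, somaxconn).
effective_backlog() {
    app_backlog=$1
    somaxconn=$2
    if [ "$app_backlog" -lt "$somaxconn" ]; then
        echo "$app_backlog"
    else
        echo "$somaxconn"
    fi
}

# Reads `ss -lnt` output on stdin and prints "recvq sendq" for the LISTEN
# socket on the given port. For a listening socket, Recv-Q is the number of
# fully established connections waiting in the accept queue for the
# application to accept() them, and Send-Q is that queue's limit.
accept_queue_for_port() {
    awk -v p=":$1" '$1 == "LISTEN" && $4 ~ (p "$") { print $2, $3; exit }'
}

# Reads /proc/net/netstat-format text on stdin and prints one TcpExt counter.
# The file pairs a header line of names with a line of values, so map names
# to column numbers from the first line and index the second line with them.
# Relevant counters: ListenOverflows / ListenDrops (accept queue full, the
# connection was dropped) and TCPReqQFullDoCookies (SYN queue full, a cookie
# was sent instead; the condition behind "possible SYN flooding ... Sending
# cookies").
tcpext_counter() {
    awk -v n="$1" '
        $1 == "TcpExt:" && !have_hdr { for (i = 2; i <= NF; i++) idx[$i] = i; have_hdr = 1; next }
        $1 == "TcpExt:" && have_hdr  { if (n in idx) print $(idx[n]); exit }'
}

# Live report for one listening port; run this on the affected host.
check_port() {
    port=$1
    app_backlog=${2:-100}   # Tomcat acceptCount, default 100
    somaxconn=$(cat /proc/sys/net/core/somaxconn)
    syn_backlog=$(cat /proc/sys/net/ipv4/tcp_max_syn_backlog)
    echo "tcp_max_syn_backlog (SYN queue limit) : $syn_backlog"
    echo "somaxconn (cap on accept queue limit) : $somaxconn"
    echo "effective accept backlog (acceptCount=$app_backlog) : $(effective_backlog "$app_backlog" "$somaxconn")"
    echo "accept queue now/limit on :$port : $(ss -lnt | accept_queue_for_port "$port")"
    for c in ListenOverflows ListenDrops TCPReqQFullDoCookies; do
        echo "$c : $(tcpext_counter "$c" < /proc/net/netstat)"
    done
}

# Constructed sample inputs (not captured from any real server) so the parsers
# can be exercised offline; the shape matches `ss -lnt` and /proc/net/netstat.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 100    100    *:28080            *:*'
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops TCPReqQFullDoCookies
TcpExt: 4321 12 77 77 4321'

# Usage: ./tcp_queues.sh 28080 100   (live)   or   ./tcp_queues.sh   (offline demo)
if [ -n "${1:-}" ]; then
    check_port "$@"
else
    echo "offline demo on constructed samples:"
    echo "effective backlog (acceptCount=100, somaxconn=128): $(effective_backlog 100 128)"
    echo "accept queue now/limit on :28080: $(printf '%s\n' "$SAMPLE_SS" | accept_queue_for_port 28080)"
    echo "ListenOverflows: $(printf '%s\n' "$SAMPLE_NETSTAT" | tcpext_counter ListenOverflows)"
fi
```

With the poster's values (acceptCount 100, somaxconn 128) the accept queue limit is 100, so raising somaxconn alone changes nothing until acceptCount is raised too, while the SYN-flood message is governed by the separate tcp_max_syn_backlog limit. A Recv-Q that sits at the Send-Q value on the LISTEN row, or a ListenOverflows counter that climbs between two runs, points at the application not accepting fast enough rather than at the handshake.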
