On 11/05/11 20:19, Geoff Shang wrote:
Hi,
I last week set up a VPS that we're using to run a little Internet
radio station using Icecast and a handful of other stuff. I've done
this before and have even done so professionally, and I've never had
to deal with this.
Yesterday and today at specific times, I found myself unable to
maintain a solid connection. OUr bitrate would fluctuate wildly, with
it going as low as 2 kbps when we should be able to push a steady 128
kbps stream.
I was able to stream solidly to a server in the USA and pull relay it
back to the VPS in Paris, and others were able to stream just fine, so
I started smelling a rat.
And I found it:
May 11 14:33:25 patronus kernel: net_ratelimit: 8 callbacks suppressed
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:25 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:26 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
May 11 14:33:27 patronus kernel: TCP: Possible SYN flooding on port
8000. Sending cookies.
This might not be SYN attack at all. This might be just packets arriving
too fast to be handled. Could it be that during those times that the
"attack" is arriving on something particularly interesting is on, and
the number of listeners spikes up, and overflows the VPS's capacity?
Is there syn cookies statistics saying how many SYNs vs. how many ACKs
arrive? If not, try to disable SYN cookies, and see whether the number
of connections in SYN_RECV state (nestat -a) is steady of increasing
over the minute or so after disabling cookies. If it is not increasing,
then this is not an attack.
Shachar
Port 8000 is our streaming server.
Since this only seems to happen at certain times and not others, I'm
thinking that it's personal rather than opportunistic.
I could change the server port, but I expect that if it is personal,
this won't stop them for long.
I have /proc/sys/net/ipv4/tcp_syncookies enabled.
Is there anything else I can do before I go talk to our hosting provider?
Geoff.
_______________________________________________
Linux-il mailing list
[email protected]
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
_______________________________________________
Linux-il mailing list
[email protected]
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
