On Wed, 11 May 2011, Shachar Shemesh wrote:

This might not be a SYN attack at all. This might be just packets arriving too fast to be handled. Could it be that during those times that the "attack" is arriving something particularly interesting is on, and the number of listeners spikes up and overflows the VPS's capacity?

No. First, we have a 5mbps/5mbps pipe and it was nowhere near capacity at the time this happened. Later we set up a work-around where we streamed to the US and relayed the stream back to Paris, and the listener numbers were higher still with no problems.

A 5mbps pipe should be able to handle 30+ listeners at 128kbps. I had between 5 and 10 when the incident occurred, and we peaked at 16 later with no disruption at all. None of these log messages were seen later either.

I've been administering servers with Icecast/Shoutcast servers running for 10 years and have never seen this at all.

Are there SYN cookies statistics saying how many SYNs vs. how many ACKs arrive?

Where would I see this?

If not, try to disable SYN cookies, and see whether the number of connections in SYN_RECV state (netstat -a) is steady or increasing over the minute or so after disabling cookies. If it is not increasing, then this is not an attack.

Well I will have to wait until it happens again. The fact that it only shows up in the log when I have been broadcasting is rather suspicious.

Geoff.


_______________________________________________
Linux-il mailing list
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
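
Added example, not part of the original thread: on Linux the SYN cookie counters asked about above are in the `TcpExt:` rows of `/proc/net/netstat` (`SyncookiesSent`, `SyncookiesRecv`, `SyncookiesFailed`), and half-open sockets appear in `/proc/net/tcp` with state `03` (SYN_RECV). The sketch below extracts both; the sample data and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: SYN cookie counters and SYN_RECV backlog from /proc text.

# Print the SYN cookie counters from /proc/net/netstat-format text on stdin.
# The file holds pairs of rows: a "TcpExt:" header row, then a value row.
syncookie_stats() {
    awk '$1 != "TcpExt:" { next }
         !seen { for (i = 2; i <= NF; i++) name[i] = $i; seen = 1; next }
         { for (i = 2; i <= NF; i++) if (name[i] ~ /^Syncookies/) print name[i] "=" $i; exit }'
}

# Count half-open sockets in /proc/net/tcp-format text on stdin.
# Column 4 is the socket state in hex; 03 is TCP_SYN_RECV.
count_syn_recv() {
    awk 'NR > 1 && $4 == "03" { n++ } END { print n + 0 }'
}

# Constructed sample data (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 1200 15 1185 3
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
}

sample_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1
   1: 0A00000A:1F40 C0A80105:D431 03 00000000:00000000 01:00000064 00000000     0        0 0 2
   2: 0A00000A:1F40 C0A80106:D432 03 00000000:00000000 01:00000064 00000000     0        0 0 2
   3: 0A00000A:1F40 C0A80107:D433 01 00000000:00000000 00:00000000 00000000     0        0 2222 1
EOF
}

# On a live Linux host, feed the real files instead:
#   syncookie_stats < /proc/net/netstat
#   count_syn_recv  < /proc/net/tcp
sample_netstat | syncookie_stats
sample_tcp | count_syn_recv
```

Sampling both every few seconds shows the trend: many cookies sent with few valid ones received, or a SYN_RECV count that keeps climbing, means handshakes are not being completed.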