Correct me if I am wrong, but isn't such logging necessary to detect SYN
flood attacks (expected behavior)?

On Thu, May 25, 2023 at 7:29 PM Mark Thomas <ma...@apache.org> wrote:

> On 25/05/2023 09:14, Paul Baines wrote:
> > Hello! We upgraded a Windows Tomcat instance from 8.5.41 to 8.5.84. This
> > Tomcat instance is behind a load balancer. Since the upgrade the Tomcat
> > access log (AccessLogValve) has an "empty" entry with response 400 for
> > every TCP half-open health check from the load balancer. Because the health
> > check is every 5 seconds from redundant load-balancers we are getting quite
> > a lot of junk in the access log.
> >
> > The TCP half-open check is:
> >
> > LB --> SYN     --> Tomcat 443
> > LB <-- SYN/ACK <-- Tomcat 443
> > LB --> FIN     --> Tomcat 443
> > LB <-- FIN/ACK <-- Tomcat 443
> >
> > Access log excerpt:
> >
> > [03/May/2023:00:13:58 +0200] 10.20.10.2 - "-" - "-" "-" 400 0 - -
> > [03/May/2023:00:13:59 +0200] 10.20.10.3 - "-" - "-" "-" 400 0 - -
> > [03/May/2023:00:14:03 +0200] 10.20.10.2 - "-" - "-" "-" 400 0 - -
> > [03/May/2023:00:14:04 +0200] 10.20.10.3 - "-" - "-" "-" 400 0 - -
> > [03/May/2023:00:14:08 +0200] 10.20.10.2 - "-" - "-" "-" 400 0 - -
> > [03/May/2023:00:14:09 +0200] 10.20.10.3 - "-" - "-" "-" 400 0 - -
> > [03/May/2023:00:14:13 +0200] 10.20.10.2 - "-" - "-" "-" 400 0 - -
> >
> > We can reproduce this effect from Windows PowerShell with:
> >
> > Test-NetConnection -ComputerName tomcat.server.name -RemotePort 443
> >
> > My question is, is this expected behaviour?
>
> Yes.
>
> > Is TCP half-open health check supported by Tomcat?
>
> Yes. But you are going to see 400 responses in the logs for each empty
> request.
>
> Mark

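An added example, not part of the thread or of Tomcat: a small Python triage of the "empty" 400 entries in the access-log layout quoted above, separating the load balancer's 5-second health checks from any other source producing the same entries. The field layout is inferred from the excerpt, and the 192.0.2.50 and 198.51.100.7 lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the quoted excerpt; only the 10.20.10.x
# lines come from the thread, the other two sources are invented.
SAMPLE_LOG = """\
[03/May/2023:00:13:58 +0200] 10.20.10.2 - "-" - "-" "-" 400 0 - -
[03/May/2023:00:13:59 +0200] 10.20.10.3 - "-" - "-" "-" 400 0 - -
[03/May/2023:00:14:01 +0200] 192.0.2.50 - "-" - "-" "-" 400 0 - -
[03/May/2023:00:14:02 +0200] 192.0.2.50 - "-" - "-" "-" 400 0 - -
[03/May/2023:00:14:03 +0200] 10.20.10.2 - "-" - "-" "-" 400 0 - -
[03/May/2023:00:14:03 +0200] 198.51.100.7 - "GET /app/ HTTP/1.1" - "-" "curl/8.0" 200 512 - -
[03/May/2023:00:14:04 +0200] 10.20.10.3 - "-" - "-" "-" 400 0 - -
"""

# Load balancer addresses as they appear in the excerpt (assumed allowlist).
HEALTH_CHECK_SOURCES = {"10.20.10.2", "10.20.10.3"}

# Assumed layout: [time] ip user "request" ... status bytes x x
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) \S+ "(?P<req>[^"]*)" .* '
    r'(?P<status>\d{3}) (?P<size>\d+|-) \S+ \S+$'
)

def empty_request_entries(log_text):
    """Yield (timestamp, ip) for entries with no request line, status 400, no body."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m["req"] == "-" and m["status"] == "400" and m["size"] in ("0", "-"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def summarize(log_text, expected=HEALTH_CHECK_SOURCES):
    """Per source IP: entry count, shortest gap in seconds, and allowlist status."""
    per_ip = defaultdict(list)
    for ts, ip in empty_request_entries(log_text):
        per_ip[ip].append(ts)
    report = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {"count": len(stamps), "min_gap_s": min(gaps) if gaps else None,
                      "expected": ip in expected}
    return report

def unexpected_sources(log_text, expected=HEALTH_CHECK_SOURCES):
    """Sources of empty 400 entries that are not known health checkers."""
    return sorted(ip for ip, r in summarize(log_text, expected).items() if not r["expected"])

if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, row)
```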