On Tue, 24 Jul 2007, Imran Khan wrote:

> Date: Tue, 24 Jul 2007 06:21:59 -0700 (PDT)
> From: Imran Khan <[EMAIL PROTECTED]>
> Reply-To:  <[email protected]>
> To:  <[email protected]>
> Subject: [twincling] socket port queues...
> 
> Hi All,
> 
> Facing an interesting problem and now I am stuck, as I know nothing beyond 
> this. It's a problem of port queue outage and I am desperately looking out for 
> some leads. Kindly help. 
> 
> Following is the information...
> 
> Netstat was taken while this was not allowing any more connections (client-
> server program).
> 
>   Run "netstat -ano"
> 
>   => tcp4       0       0       *.5000          *.*     LISTEN
> 
>          so_options: (ACCEPTCONN|REUSEADDR)
>          q0len:0  qlen:8  qlimit:5    so_state:()
>          timeo:0  uid:301
>          so_special: (LOCKABLE|MEMCOMPRESS|DISABLE)
>          so_special2: (PROC)
>          sndbuf:
>                 hiwat:262144  lowat:4096  mbcnt:0  mbmax:1048576
>          rcvbuf:
>                 hiwat:262144  lowat:1  mbcnt:0  mbmax:1048576
>                 sb_flags: (SEL)
>          TCP:
>          mss:1460 flags: (RFC1323)
> 
> 
>   => tcp4       0       0       *.5000          *.*     LISTEN
> 
>          so_options: (ACCEPTCONN|REUSEADDR)
>          q0len:0  qlen:0  qlimit:5    so_state:()
>          timeo:0  uid:301
>          so_special: (LOCKABLE|MEMCOMPRESS|DISABLE)
>          so_special2: (PROC)
>          sndbuf:
>                 hiwat:262144  lowat:4096  mbcnt:0  mbmax:1048576
>          rcvbuf:
>                 hiwat:262144  lowat:1  mbcnt:0  mbmax:1048576
>                 sb_flags: (SEL)
>          TCP:
>          mss:1460 flags: (RFC1323)
> 
> 
> o- What can be the possible reasons for queue outage? 5 queues were the limit 
> for server sockets!
> 
> Thanking you all in anticipation.
> 
> - Imran.
> 

Hello Imran:

The code is running on an IBM AIX box.

As a way to strengthen the TCP/IP stack against SYN flood attacks, 
modern UNIXes maintain two queues of incoming connections:
 . SYN (half-open socket) connection q0
 . SYN-ACK (connected socket) connection q

So, the socket queue is a defence mechanism against SYN attacks.

Try running the following command and let me know how it goes.
/usr/sbin/no -o clean_partial_conns=1

Now run the client server app. It should work.

Actually, there are many other tweaks that need to be done
across different UNIX variants to safeguard against various attacks.

For the interested, take a look at
http://www.cymru.com/Documents/ip-stack-tuning.html

Hope this helps.

thanks
Saifi.
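The two counters in the quoted netstat output tell the two queues apart: q0len counts half-open entries (the queue a SYN flood fills), while qlen counts completed connections waiting for the application to call accept(). In Imran's first listener, qlen:8 against qlimit:5 means the accept queue is the one that is exhausted. The script below is an added example, not code from the thread or from AIX; it parses the `netstat -ano` socket-detail format exactly as quoted above (the sample input is copied from the message) and flags each listener. The rule that a queue is "full" when its length reaches qlimit is an assumption chosen to match the quoted numbers; the `diagnosis` names and the `Listener` class are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two LISTEN entries from the netstat -ano
# output quoted in the thread above (queue counters copied from the message).
SAMPLE_NETSTAT = """\
  => tcp4       0       0       *.5000          *.*     LISTEN

         so_options: (ACCEPTCONN|REUSEADDR)
         q0len:0  qlen:8  qlimit:5    so_state:()
         timeo:0  uid:301
         so_special: (LOCKABLE|MEMCOMPRESS|DISABLE)
         so_special2: (PROC)
         sndbuf:
                hiwat:262144  lowat:4096  mbcnt:0  mbmax:1048576
         rcvbuf:
                hiwat:262144  lowat:1  mbcnt:0  mbmax:1048576
                sb_flags: (SEL)
         TCP:
         mss:1460 flags: (RFC1323)


  => tcp4       0       0       *.5000          *.*     LISTEN

         so_options: (ACCEPTCONN|REUSEADDR)
         q0len:0  qlen:0  qlimit:5    so_state:()
         timeo:0  uid:301
"""


@dataclass
class Listener:
    proto: str
    local: str
    q0len: int   # half-open entries: SYN seen, handshake not yet complete
    qlen: int    # completed connections waiting for the app to accept()
    qlimit: int  # backlog the application passed to listen()

    def diagnosis(self) -> str:
        # Assumption: treat a queue as full once it reaches the backlog.
        if self.qlen >= self.qlimit:
            # Handshakes complete but nobody accept()s: the application
            # (not the network) is the bottleneck. Not a SYN flood.
            return "accept-queue-full"
        if self.q0len >= self.qlimit:
            # Half-open queue saturated: SYN flood or a lossy/asymmetric path.
            return "syn-backlog-full"
        return "ok"


# "  => tcp4   0   0   *.5000   *.*   LISTEN" header of each socket dump
HEADER = re.compile(r"^\s*=>\s+(tcp\d?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")
# "q0len:0  qlen:8  qlimit:5" detail line that follows the header
QUEUE = re.compile(r"q0len:(\d+)\s+qlen:(\d+)\s+qlimit:(\d+)")


def parse_listeners(text: str) -> List[Listener]:
    """Pair each LISTEN header with the queue line of its socket dump."""
    listeners: List[Listener] = []
    current: Optional[Tuple[str, str]] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = QUEUE.search(line)
        if m and current is not None:
            q0len, qlen, qlimit = (int(g) for g in m.groups())
            listeners.append(Listener(current[0], current[1], q0len, qlen, qlimit))
            current = None  # one queue line per socket dump
    return listeners


def report(text: str) -> List[Tuple[str, str]]:
    """(local address, diagnosis) for every listener found in the output."""
    return [(l.local, l.diagnosis()) for l in parse_listeners(text)]


if __name__ == "__main__":
    for local, verdict in report(SAMPLE_NETSTAT):
        print(f"{local}: {verdict}")
```

Running it against the quoted output prints `*.5000: accept-queue-full` for the first socket and `*.5000: ok` for the second. A full accept queue with q0len at zero points at the server process itself (blocked, single-threaded, or too slow to call accept()), so raising the listen() backlog or the stack's SYN-flood knobs only delays the symptom; the half-open counter is the one a SYN flood drives up.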
