NetBSD-Users archive


Re: Handling of DOS attacks in NetBSD 5

On Tue, Jan 04, 2011 at 09:36:30AM -0700, Sverre Froyen wrote:
> Hi,
> In the past, I have observed DOS attacks where a client connects to port 80 
> and then leaves the connection open indefinitely. Repeating the process can 
> easily tie up all available http processes.
> I recently upgraded several servers to NetBSD 5 and I now observe a slightly 
> modified behavior, presumably because of the accept_filter(9) addition to the 
> kernel. Instead of http process starvation, I now observe between one and two 
> hundred TCP connections that are in the "ESTABLISHED" state (as reported by 
> netstat -s). Once this happens, the server denies additional HTTP requests.
> Here's a small fragment of a "netstat -an" output:
> tcp        0      0  x.x.x.x.80      x.x.x.x.3225     ESTABLISHED
> tcp        0      0  x.x.x.x.80      x.x.x.x.3220     ESTABLISHED
> tcp        0      0  x.x.x.x.80      x.x.x.x.3219     ESTABLISHED
> tcp        0      0  x.x.x.x.80      x.x.x.x.3211     ESTABLISHED
> tcp        0      0  x.x.x.x.80      x.x.x.x.3205     ESTABLISHED
> tcp        0      0  x.x.x.x.80      x.x.x.x.3200     ESTABLISHED
> tcp        0      0  x.x.x.x.80      x.x.x.x.3196     ESTABLISHED
> Is there a way to terminate such a bogus connection individually? I notice 
> that "apachectl restart" leaves them open, whereas "apachectl stop" clears 
> them.
> How can I adjust the number of connections that the kernel allows? What is 
> the resource use per connection? I'm thinking that if I could increase the limit 
> by, say, a hundredfold, I could turn it into a nuisance rather than an 
> emergency.
> Any other thoughts?
> Thanks,
> Sverre

Brad Harder
Method Logic Digital Consulting
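The quoted report is the kind of thing an operator wants to catch before the server starts refusing requests: a pile-up of ESTABLISHED connections on port 80 in "netstat -an" output. The script below is an added example, not code from this thread or from NetBSD; it reads netstat -an style lines from stdin, counts ESTABLISHED connections to a given local port, groups them by remote host (the foreign address with its trailing ".port" stripped, which is how NetBSD's netstat prints them, as in the quoted fragment), and raises an alert when the count passes a threshold. The sample lines and the 198.51.100.x / 203.0.113.x addresses are constructed for the example; the threshold of 100 is an assumed value, not one taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detection of a connection pile-up on a
# local port from "netstat -an" output. Field layout assumed, as in the quoted
# fragment: proto, recv-q, send-q, local-address, foreign-address, state.

# Constructed sample in the same layout as the quoted netstat fragment.
SAMPLE_NETSTAT='tcp        0      0  198.51.100.10.80      203.0.113.5.3225     ESTABLISHED
tcp        0      0  198.51.100.10.80      203.0.113.5.3220     ESTABLISHED
tcp        0      0  198.51.100.10.80      203.0.113.5.3219     ESTABLISHED
tcp        0      0  198.51.100.10.80      203.0.113.7.3211     ESTABLISHED
tcp        0      0  198.51.100.10.22      203.0.113.9.4001     ESTABLISHED
tcp        0      0  198.51.100.10.80      203.0.113.7.3205     TIME_WAIT
tcp        0      0  *.80                  *.*                  LISTEN'

# count_established PORT -- reads netstat -an lines on stdin and prints the
# number of ESTABLISHED TCP connections whose local address ends in ".PORT".
# LISTEN, TIME_WAIT and other states are deliberately not counted.
count_established() {
    port=$1
    awk -v port="$port" '
        $1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ ("\\." port "$") { n++ }
        END { print n + 0 }'
}

# top_remote_hosts PORT -- prints "count host" lines, busiest remote host
# first, for ESTABLISHED connections to local .PORT. The remote host is the
# foreign address with its trailing ".port" removed.
top_remote_hosts() {
    port=$1
    awk -v port="$port" '
        $1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ ("\\." port "$") {
            host = $5; sub(/\.[0-9]+$/, "", host); c[host]++
        }
        END { for (h in c) print c[h], h }' | sort -rn
}

# check_threshold PORT LIMIT -- returns 0 and prints OK when the ESTABLISHED
# count is at or below LIMIT, otherwise prints an alert and returns 1. This is
# the check an operator would run periodically (e.g. from cron) and page on.
check_threshold() {
    port=$1; limit=$2
    n=$(count_established "$port")
    if [ "$n" -gt "$limit" ]; then
        echo "ALERT: $n ESTABLISHED connections to port $port (limit $limit)"
        return 1
    fi
    echo "OK: $n ESTABLISHED connections to port $port"
    return 0
}

# Stand-alone run over the constructed sample. On a real host, feed live
# output instead:  netstat -an | check_threshold 80 100
printf '%s\n' "$SAMPLE_NETSTAT" | check_threshold 80 100
printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_hosts 80
```

Per-remote-host grouping is what distinguishes the slow-connection pattern described in the thread (a few sources each holding many idle connections) from ordinary load spread across many clients, so the alert line is more useful when paired with the top_remote_hosts output.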
