Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: DoS attack against TCP services

Now the server has over 5000 TIME_WAIT connections.

netstat -a -n | grep TIME_WAIT
tcp        0      0          TIME_WAIT
tcp        0      0       TIME_WAIT
tcp        0      0       TIME_WAIT
tcp        0      0       TIME_WAIT
tcp        0      0          TIME_WAIT
tcp        0      0       TIME_WAIT
tcp        0      0        TIME_WAIT
tcp        0      0       TIME_WAIT
tcp        0      0        TIME_WAIT

It seems to be a result of the named. lsof shows that the connections are not owned by named. lsof doesn't show any of the TIME_WAIT connections. So stopping and restarting named doesn't delete the connections.

Any more things that could be interessing for a problem report?


On Wed, 4 Feb 2015, Christos Zoulas wrote:

Date: Wed, 4 Feb 2015 15:40:00 +0000 (UTC)
From: Christos Zoulas <>
Subject: Re: DoS attack against TCP services

In article <>,
<> wrote:

The problem occurred again. The kernel has over 3,000 connections in
TIME_WAIT state. The compounds are after an hour wait not disappeared.
There are more and more connections in the TIME_WAIT state. My settings

net.inet.tcp.mslt.enable = 1
net.inet.tcp.mslt.loopback = 2
net.inet.tcp.mslt.local = 10
net.inet.tcp.mslt.remote = 60
net.inet.tcp.mslt.remote_threshold = 6

The last few times I have restarted the server in order to solve the
problem. Frequent reboots but very inconvenient for a server.

Does anyone have instructions what information I can still gather to post
a bug report? The statement "connections in the TIME_WAIT status are not
degraded" are probably not sufficient to find the problem.

Thank you for your efforts

Can you find what daemon/process is being connected to and from where?


Home | Main Index | Thread Index | Old Index