Hi

*Problem* - I'm running Icecast in a VM container on OpenVZ. Syslog on the hardware node (HN) shows these error messages:

Jan 23 18:43:05 HN kernel: [27469893.430615] possible SYN flooding on port 8000. Sending cookies.
Jan 23 21:37:40 HN kernel: [27480362.817944] possible SYN flooding on port 8000. Sending cookies.
Jan 23 23:43:50 HN kernel: [27487929.582025] possible SYN flooding on port 8000. Sending cookies.
Jan 24 00:27:34 HN kernel: [27490551.695794] possible SYN flooding on port 8000. Sending cookies.
Jan 24 07:45:04 HN kernel: [27516789.113919] possible SYN flooding on port 8000. Sending cookies.
Jan 24 13:11:31 HN kernel: [27536366.011845] possible SYN flooding on port 8000. Sending cookies.

The site below advises:

"This message can come from a SYN DDOS <http://en.wikipedia.org/wiki/SYN_flood>, but in our case it was because of the amount of new connections one of our applications was receiving. The syslog message is emitted when the SYN backlog of a socket is full."

http://blog.dubbelboer.com/2012/04/09/syn-cookies.html

Furthermore:

"While you see SYN flood warnings in logs not being really flooded, your server is seriously misconfigured."

*A potential fix* - increase the net.ipv4.tcp_max_syn_backlog kernel parameter. Or tune some more parameters like tcp_synack_retries and netdev_max_backlog.

*My question* - to fix this SYN flooding problem should I modify net.ipv4.tcp_max_syn_backlog, net.core.somaxconn and the backlog size passed to the listen() syscall, or might there be an alternative easier fix such as installing 2.3.3-kh9 <https://github.com/karlheyes/icecast-kh/archive/icecast-2.3.3-kh9.tar.gz>?

Potentially relevant information:

[root@VM ~]# icecast -v
Icecast 2.3.3
[root@HN ~]# uname -r
2.6.32-042stab057.1
[root@HN ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)

In advance, many thanks for your advice and best regards

Chip Scooter
"Thomas B. Rücker"
2014-Jan-25 09:10 UTC
[Icecast] Possible SYN flooding on port 8000. Sending cookies
Hi,

On 01/24/2014 01:39 PM, Chip wrote:
> *Problem* - I'm running Icecast in a VM container on OpenVZ. Syslog on
> the hardware node (HN) shows these error messages:
>
> Jan 23 18:43:05 HN kernel: [27469893.430615] possible SYN flooding on
> port 8000. Sending cookies.

Sounds like a (mis-)configuration at OS level. Nothing you can do in Icecast.

Cheers

Thomas
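
An added example, not part of either post, for the OS-level check the reply points to: it counts the kernel's SYN-flood warnings per port, prints the sysctls named in the question, and shows that the backlog passed to listen() is capped by net.core.somaxconn. The log lines are copied from the post; the function names and the backlog value 5 are assumptions for illustration, not Icecast's real setting.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Count "possible SYN flooding" kernel warnings per port from syslog on stdin.
# Output: one "port count" pair per line, sorted by port.
syn_warnings_by_port() {
    sed -n 's/.*possible SYN flooding on port \([0-9][0-9]*\)\..*/\1/p' |
        sort -n | uniq -c | awk '{ print $2, $1 }'
}

# Linux caps the backlog passed to listen() at net.core.somaxconn, so
# raising only one of the two does not enlarge the accept queue.
accept_queue_limit() {   # usage: accept_queue_limit LISTEN_BACKLOG SOMAXCONN
    if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Print the sysctls named in the thread, read from /proc (Linux only).
show_syn_sysctls() {
    for f in net/ipv4/tcp_syncookies net/ipv4/tcp_max_syn_backlog \
             net/ipv4/tcp_synack_retries net/core/somaxconn \
             net/core/netdev_max_backlog; do
        name=$(echo "$f" | tr / .)
        if [ -r "/proc/sys/$f" ]; then
            printf '%s = %s\n' "$name" "$(cat "/proc/sys/$f")"
        else
            printf '%s = (not readable here)\n' "$name"
        fi
    done
}

# Sample input: three of the kernel lines quoted in the post.
SAMPLE_LOG='Jan 23 18:43:05 HN kernel: [27469893.430615] possible SYN flooding on port 8000. Sending cookies.
Jan 23 21:37:40 HN kernel: [27480362.817944] possible SYN flooding on port 8000. Sending cookies.
Jan 24 00:27:34 HN kernel: [27490551.695794] possible SYN flooding on port 8000. Sending cookies.'

printf '%s\n' "$SAMPLE_LOG" | syn_warnings_by_port
show_syn_sysctls
# Assumed values: application asks for a backlog of 5, somaxconn is 128.
echo "accept queue limit: $(accept_queue_limit 5 128)"
```

On a live system, feed the first function the real log instead of the sample, for example `syn_warnings_by_port < /var/log/messages`.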