On our Linux server, from time to time, we get the well-known SYN flood message:
possible SYN flooding on port 80
This is probably not an attack, because our website traffic is heavy.
However, for some time now those messages have been coming every ~60 seconds. What I mean is the following:
Aug 16 01:22:44 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:23:45 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:25:05 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:26:06 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:27:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:28:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:29:14 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:30:39 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:31:41 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:32:53 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:33:57 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:35:03 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:36:27 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:37:30 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:38:44 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Is this just by accident or not? Because of the traffic, I would not worry about lots of "possible SYN flooding" messages, but these come every 60 sec.
Here are our custom settings in /etc/rc.local:
# 3M
echo 3145728 > /proc/sys/net/netfilter/nf_conntrack_max
# 256k
echo 262144 > /proc/sys/net/ipv4/tcp_max_orphans
# TCP memory thresholds (min, pressure, max) in pages
echo 1048576 1572864 4194304 > /proc/sys/net/ipv4/tcp_mem
# Neighbour Table Overflow
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 16384 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
# Reuse TIME_WAIT sockets for new outgoing connections
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
# Note: tcp_tw_recycle breaks clients behind NAT when TCP timestamps are on; it was removed in Linux 4.12
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
# Disable ip_forward
echo "0" > /proc/sys/net/ipv4/ip_forward
# Enable SYN Cookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Expire conntrack entries stuck in SYN_RECV after 40 s
echo 40 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv
(Sorry if this question is a duplicate, but I did not find any similar problem.)
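As an added triage example (not part of the question or the answer), the script below parses the kernel lines quoted above and measures the interval between warnings. It assumes that the kernel prints this message at most once every 60 seconds (the rate limit in the syn_flood_warning code that emits this exact text), so warnings arriving at that cadence mean the listen queue was still full at every check; the sample log lines and the year are constructed.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: a few of the kernel lines from the question above.
SAMPLE_LOG = """\
Aug 16 01:22:44 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:23:45 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:25:05 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:26:06 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:27:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:28:13 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
Aug 16 01:29:14 amadeus kernel: possible SYN flooding on port 80. Sending cookies.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
                     r"possible SYN flooding on port (?P<port>\d+)\. Sending cookies\.")

# Assumption: the kernel prints this message at most once per 60 s, so a warning
# every ~60 s means the listen queue was full at every check, not a one-off burst.
RATE_LIMIT_S = 60

def parse_events(text, year=2000):
    """Return (port, timestamp) per warning; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((int(m["port"]), ts))
    return events

def gaps_seconds(events):
    """Seconds between consecutive warnings."""
    times = [ts for _, ts in events]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def classify(gaps, slack=30):
    """'sustained' when at least 80% of gaps sit just above the rate-limit floor."""
    if len(gaps) < 3:
        return "insufficient-data"
    at_floor = sum(1 for g in gaps if RATE_LIMIT_S <= g <= RATE_LIMIT_S + slack)
    return "sustained" if at_floor / len(gaps) >= 0.8 else "sporadic"

def summarize(text):
    events = parse_events(text)
    gaps = gaps_seconds(events)
    return {"events": len(events), "min_gap": min(gaps, default=None),
            "median_gap": median(gaps) if gaps else None, "verdict": classify(gaps)}
```

A "sustained" verdict points at a saturated accept/SYN backlog (somaxconn, the application's listen backlog, tcp_max_syn_backlog) rather than random bursts; run `summarize()` on your own `kern.log` extract.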
I had a read through a similar question and all the answers, and I think you should try what @Jeff is suggesting in his answer (which isn't the accepted answer), which is raising the listen backlog of the application running on port 80.
It appears that the message occurs when the "queue" or "backlog" for incoming connections fills up.
E.g. for apache2 he writes:
To solve this, I add the following line to /etc/apache2/ports.conf or one of the other .conf files that will be loaded by apache (/etc/apache2/apache2.conf should also be OK):
And then raise the tcp_max_syn_backlog to the same