[Icecast] Possible SYN flooding on port 8000. Sending cookies

Chip chiapas at aktivix.org
Fri Jan 24 13:39:28 UTC 2014


Hi

*Problem* - I'm running Icecast in a VM container on OpenVZ. Syslog on the
hardware node (HN) shows these error messages:

Jan 23 18:43:05 HN kernel: [27469893.430615] possible SYN flooding on port 8000. Sending cookies.
Jan 23 21:37:40 HN kernel: [27480362.817944] possible SYN flooding on port 8000. Sending cookies.
Jan 23 23:43:50 HN kernel: [27487929.582025] possible SYN flooding on port 8000. Sending cookies.
Jan 24 00:27:34 HN kernel: [27490551.695794] possible SYN flooding on port 8000. Sending cookies.
Jan 24 07:45:04 HN kernel: [27516789.113919] possible SYN flooding on port 8000. Sending cookies.
Jan 24 13:11:31 HN kernel: [27536366.011845] possible SYN flooding on port 8000. Sending cookies.

The site below advises:

"This message can come a from a SYN
DDOS<http://en.wikipedia.org/wiki/SYN_flood>,
but in our case it was because of the amount of new connections one of our
application was receiving. The syslog message is emitted when the SYN
backlog of a socket is full."

http://blog.dubbelboer.com/2012/04/09/syn-cookies.html

Furthermore:


"While you see SYN flood warnings in logs not being really flooded,
your server is seriously misconfigured."

*A potential fix* - increase the net.ipv4.tcp_max_syn_backlog kernel
parameter. Or tune some more parameters like tcp_synack_retries and
netdev_max_backlog.

*My question* - to fix this SYN flooding problem, should I modify
net.ipv4.tcp_max_syn_backlog, net.core.somaxconn and the backlog size
passed to the listen() syscall, or might there be an alternative easier fix
such as installing
2.3.3-kh9<https://github.com/karlheyes/icecast-kh/archive/icecast-2.3.3-kh9.tar.gz>?

Potentially relevant information:

[root@VM ~]# icecast -v
Icecast 2.3.3

[root@HN ~]# uname -r
2.6.32-042stab057.1

[root@HN ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)

In advance, many thanks for your advice and best regards

Chip Scooter
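
Added example (not part of the original message, and not Icecast or kernel code): a Python helper that extracts the SYN-cookie warnings from syslog text like the lines quoted above, reports the gaps between them, reads the two sysctls named in the question, and shows that the backlog passed to listen() is capped by net.core.somaxconn. The function names, the year argument and the backlog value 1024 are assumptions made for illustration.

```python
import re
from datetime import datetime
from pathlib import Path

# First three warnings from the post above; the first is left folded across
# two lines the way mail archives wrap long log lines.
SAMPLE = """\
Jan 23 18:43:05 HN kernel: [27469893.430615] possible SYN flooding on port
8000. Sending cookies.
Jan 23 21:37:40 HN kernel: [27480362.817944] possible SYN flooding on port 8000. Sending cookies.
Jan 23 23:43:50 HN kernel: [27487929.582025] possible SYN flooding on port 8000. Sending cookies.
"""

# \s+ before the port number tolerates a fold between "port" and "8000".
WARNING = re.compile(
    r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel:.*?"
    r"possible SYN flooding on port\s+(\d+)\. Sending cookies")

def syn_warnings(text, year):
    """Return {port: [datetime, ...]}; syslog omits the year, so pass it in."""
    events = {}
    for stamp, port in WARNING.findall(text):
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.setdefault(int(port), []).append(when)
    return events

def gaps_minutes(times):
    """Whole minutes between consecutive warnings, oldest first."""
    times = sorted(times)
    return [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]

def effective_accept_backlog(listen_backlog, somaxconn):
    """The kernel caps the backlog passed to listen() at net.core.somaxconn."""
    return min(listen_backlog, somaxconn)

def read_sysctl(name, root="/proc/sys"):
    """Read an integer sysctl such as net.core.somaxconn; None if unreadable."""
    try:
        return int(Path(root, *name.split(".")).read_text().split()[0])
    except (OSError, ValueError, IndexError):
        return None

if __name__ == "__main__":
    for port, times in syn_warnings(SAMPLE, 2014).items():
        print(f"port {port}: {len(times)} warnings, gaps (min): {gaps_minutes(times)}")
    for key in ("net.ipv4.tcp_max_syn_backlog", "net.core.somaxconn"):
        print(key, "=", read_sysctl(key))
    # 1024 is a hypothetical application backlog, not Icecast's actual value.
    print("effective accept backlog:", effective_accept_backlog(1024, 128))
```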