I got the following error from Netdata...
netdata notification
host1.fqdn recovered
CHART: ip.tcp_syn_queue
ALARM: 1m tcp syn queue cookies (was warning for 1 minute and 10 seconds)
       the number of times the TCP SYN queue of the kernel was full and sent SYN cookies, during the last minute
FAMILY: tcp
SEVERITY: Recovered from WARNING
TIME: Fri Jun 7 02:59:12 ST 2019 (was warning for 1 minute and 10 seconds)
EVALUATED EXPRESSION: $this > 0
EXPRESSION VARIABLES: [ $this = 0 ]
The host has 0 WARNING and 0 CRITICAL alarm(s) raised.
View Netdata
The source of this alarm is line 70@/usr/lib/netdata/conf.d/health.d/tcp_listen.conf
(alarms are configurable, edit this file to adapt the alarm to your needs)
Sent by netdata, the real-time performance and health monitoring, on host.fqdn.
And I note the following in /usr/lib/netdata/conf.d/health.d/tcp_listen.conf...
# SYN queue
# The SYN queue tracks TCP handshakes until connections are fully established.
# It overflows when too many incoming TCP connection requests hang in the
# half-open state and the server is not configured to fall back to SYN cookies.
# Overflows are usually caused by SYN flood DoS attacks (i.e. someone sends
# lots of SYN packets and never completes the handshakes).
So do I need to enable "fall back to SYN cookies"?
Can I add the following in /etc/sysctl.d/99-sysctl.conf?
net.ipv4.tcp_syncookies = 1
Then I have done the following...
sysctl.d]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.tcp_syncookies = 1
Is this the right place to add this?
Will it work against a possible DoS flood attack on CWP?
How do I tell if it is in fact that kind of attack, i.e. how do I test this?
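The questions above (is SYN-cookie fallback on, and is the alarm really a SYN flood) can be answered from the kernel's own counters rather than from the Netdata mail. The script below is an added example, not code from the original post, from Netdata or from CWP. The counter names (TCPReqQFullDoCookies, TCPReqQFullDrop, SyncookiesSent, SyncookiesFailed) are the TcpExt fields the Linux kernel exposes in /proc/net/netstat, and the first two are exactly what Netdata's ip.tcp_syn_queue chart plots; the function names, file paths passed as arguments, and the sample netstat content are this example's own assumptions, and the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post or from Netdata/CWP: cross-check
# the Netdata "tcp syn queue" alarm against the kernel's own counters.
# Counter names are the TcpExt fields of /proc/net/netstat; the function
# names and the optional file arguments are this example's own choices.

# Print one TcpExt counter from a file in /proc/net/netstat format
# (the first "TcpExt:" line is the header, the second holds the values).
# Usage: tcpext_counter NAME [FILE]    FILE defaults to /proc/net/netstat
tcpext_counter() {
    awk -v want="$1" '
        $1 == "TcpExt:" && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == "TcpExt:" && hdr  { if (want in col) print $(col[want]); exit }
    ' "${2:-/proc/net/netstat}"
}

# True when net.ipv4.tcp_syncookies is 1 in the running kernel. Reads
# /proc/sys directly, so it reports what is active, not what a file says.
syncookies_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/tcp_syncookies}" 2>/dev/null)" = "1" ]
}

# Summarise how SYN-queue overflows were handled since boot:
#   drops   - the SYN queue filled and new SYNs were discarded (the bad case)
#   cookies - the SYN queue filled but the kernel fell back to SYN cookies
#   clean   - no overflow recorded
syn_queue_state() {
    f=${1:-/proc/net/netstat}
    drops=$(tcpext_counter TCPReqQFullDrop "$f")
    cookies=$(tcpext_counter TCPReqQFullDoCookies "$f")
    if   [ "${drops:-0}" -gt 0 ];   then echo drops
    elif [ "${cookies:-0}" -gt 0 ]; then echo cookies
    else echo clean
    fi
}

# Number of SYN-cookie fallbacks during the next N seconds (default 60),
# i.e. the same quantity the "1m tcp syn queue cookies" alarm evaluates.
# A rate that stays non-zero while no legitimate traffic spike is happening
# is the SYN-flood signature; a single short burst is more often a scanner.
syn_cookies_in_window() {
    before=$(tcpext_counter TCPReqQFullDoCookies)
    sleep "${1:-60}"
    after=$(tcpext_counter TCPReqQFullDoCookies)
    echo $((after - before))
}

# Constructed sample (not captured from any real host) in /proc/net/netstat
# format, so the functions above can be exercised without root or Linux.
write_sample_netstat() {
    cat > "$1" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 1523 1201 7 0 0 1523 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
}

# Report on the live host when the kernel counters are readable.
if [ -r /proc/net/netstat ]; then
    if syncookies_enabled; then echo "syncookies: enabled"; else echo "syncookies: DISABLED"; fi
    echo "syn queue state since boot: $(syn_queue_state)"
    echo "SyncookiesSent=$(tcpext_counter SyncookiesSent) SyncookiesFailed=$(tcpext_counter SyncookiesFailed)"
fi
```

Two caveats the mail itself does not say. First, the alarm fired on TCPReqQFullDoCookies, which only increments when the kernel actually sent cookies; so the host already had net.ipv4.tcp_syncookies = 1 in effect (it is the default on current kernels), and the setting in /etc/sysctl.d/99-sysctl.conf is only making that explicit. `sysctl -p` with no file argument loads /etc/sysctl.conf; `sysctl --system` loads /etc/sysctl.d/*.conf as well, and `cat /proc/sys/net/ipv4/tcp_syncookies` shows the value the kernel is using. Second, SYN cookies keep the listen socket answering while the half-open queue is full, but they do nothing about bandwidth or CPU exhaustion, so a sustained rate from `syn_cookies_in_window` together with `ss -ltn` (the Recv-Q column of LISTEN sockets is the current accept-queue occupancy) and `netstat -s | grep -i syn` is what to look at before concluding it is an attack rather than a burst of legitimate connections.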