Author Topic: TCP SYN queue of the kernel was full and sent SYN cookies  (Read 6751 times)

0 Members and 1 Guest are viewing this topic.

Offline
***
TCP SYN queue of the kernel was full and sent SYN cookies
« on: June 06, 2019, 08:09:52 PM »
I got the following error from Netdata...

Quote
netdata notification
host1.fqdn recovered
ip.tcp_syn_queue CHART
1m tcp syn queue cookies (was warning for 1 minute and 10 seconds)
the number of times the TCP SYN queue of the kernel was full and sent SYN cookies, during the last minute ALARM
tcp FAMILY
Recovered from WARNING SEVERITY
Fri Jun 7 02:59:12 ST 2019
(was warning for 1 minute and 10 seconds) TIME
$this > 0 EVALUATED EXPRESSION
[ $this = 0 ] EXPRESSION VARIABLES
The host has 0 WARNING and 0 CRITICAL alarm(s) raised.
View Netdata

The source of this alarm is line 70@/usr/lib/netdata/conf.d/health.d/tcp_listen.conf
(alarms are configurable, edit this file to adapt the alarm to your needs)
Sent by netdata, the real-time performance and health monitoring, on host.fqdn.

And i note the following in /usr/lib/netdata/conf.d/health.d/tcp_listen.conf...

Quote
# SYN queue
# The SYN queue tracks TCP handshakes until connections are fully established.
# It overflows when too many incoming TCP connection requests hang in the
# half-open state and the server is not configured to fall back to SYN cookies.
# Overflows are usually caused by SYN flood DoS attacks (i.e. someone sends
# lots of SYN packets and never completes the handshakes).


So do i need to enable "fall back to SYN cookies"?

Can i add the following in /etc/sysctl.d/99-sysctl.conf

net.ipv4.tcp_syncookies = 1

Then i have done the following...
sysctl.d]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.tcp_syncookies = 1


Is this the right place to add this?
Will it work against possible dos flood attack on CWP?
How do i tell if it is in fact that kind of attack...ie how do i test this?



« Last Edit: June 06, 2019, 08:22:00 PM by adamjedgar »

Offline
*****
Re: TCP SYN queue of the kernel was full and sent SYN cookies
« Reply #1 on: June 14, 2019, 10:33:40 AM »
You can add that in /etc/sysctl.conf or /etc/sysctl.d/99-sysctl.conf . In the first case "net.ipv4.tcp_syncookies = 1" will be set before Netdata started. In the second one - do not sure
You can ask me to solve any problem with your server for some money in pm  ;)
Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor
Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp

Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services