possible SYN flooding on port 80. Sending cookies.

Anton Bogdanovitch poison.box at gmail.com
Thu Mar 13 10:54:12 MSK 2008


The server runs nginx/0.5.26 + php-cgi 5.2.5 via fastcgi.
The load is ~4000 unique visitors per hour.
Every 10-20 minutes the following message appears in /var/log/messages:
kernel: possible SYN flooding on port 80. Sending cookies.

netstat -n -p|grep SYN_REC | wc -l
shows between 30 and 250 SYN_REC connections, and if there are more
than 100 connections, 80 of them are from a single IP; then it disappears,
another IP appears, and so on.

Once a day the server reliably hangs, leaving nothing in the logs except
"possible SYN flooding on port 80. Sending cookies.", so the admins
have to reboot it by hand. During working hours the load on it is almost zero.

Could the cause be a bad configuration or a bug in nginx? (config attached)

A typical case:
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config.txt
URL: <http://nginx.org/pipermail/nginx-ru/attachments/20080313/fc95d867/attachment.txt>
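
The per-source count the message above does by eye, as an added example that is not part of the original post: it reads `netstat -n` style lines and reports how many half-open (SYN_RECV) connections each remote address holds and what share of the total that is. The function names, the 50% default threshold and the sample lines (documentation-range addresses) are assumptions made for the illustration.

```shell
# Added example: summarise half-open (SYN_RECV) connections per source.
# Expects `netstat -n` columns: proto recv-q send-q local foreign state ...

# Print "count share% address" for every source, busiest first.
syn_recv_by_source() {
    awk '
        $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)    # strip the remote port
            count[addr]++
            total++
        }
        END {
            # With no SYN_RECV lines the loop body never runs.
            for (a in count)
                printf "%d %d%% %s\n", count[a], (count[a] * 100) / total, a
        }
    ' | sort -k1,1nr -k3,3
}

# Print the busiest source only if it holds at least $1 percent of all
# half-open connections (default 50, an assumed threshold).
dominant_source() {
    syn_recv_by_source |
        awk -v min="${1:-50}" 'NR == 1 && ($2 + 0) >= min { print $3 }'
}

# Constructed sample input, not taken from the original message.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 192.0.2.10:80      198.51.100.7:40112   SYN_RECV    -
tcp        0      0 192.0.2.10:80      198.51.100.7:40113   SYN_RECV    -
tcp        0      0 192.0.2.10:80      198.51.100.7:40114   SYN_RECV    -
tcp        0      0 192.0.2.10:80      203.0.113.25:51820   SYN_RECV    -
tcp        0      0 192.0.2.10:80      203.0.113.99:33100   ESTABLISHED 812/nginx
EOF
}

sample_netstat | syn_recv_by_source
```

On a live host the same functions take `netstat -n -p` on stdin in place of `sample_netstat`.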

