possible SYN flooding on port 80. Sending cookies.
Борис Долгов
boris at dolgov.name
Thu Mar 13 14:11:24 MSK 2008
Нет,
дело не в nginx, это опция ядра, SYN COOKIES.
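Когда очередь полуоткрытых соединений (SYN backlog) переполняется, ядро перестаёт хранить для новых SYN состояние и отвечает SYN cookies: соединение устанавливается только после того, как клиент вернёт корректный ACK, поэтому "левые" SYN (например, с подделанных адресов) ресурсов не занимают.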
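Для отключения - echo 0 > /proc/sys/net/ipv4/tcp_syncookies (но тогда при переполнении очереди новые SYN будут просто отбрасываться, в том числе от обычных посетителей; если сообщение появляется под легитимной нагрузкой, лучше увеличить net.ipv4.tcp_max_syn_backlog и net.core.somaxconn, а SYN cookies оставить включёнными).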
Но, возможно, на Ваш сервер правда флуд идет :)
13.03.08, Anton Bogdanovitch <poison.box at gmail.com> написал(а):
>
> На сервере установлен nginx/0.5.26 + php-cgi 5.2.5 через fastcgi.
> Нагрузка ~ 4000 уникальных посетителей в час.
> В /var/log/messages каждые 10-20 минут появляется сообщение
> kernel: possible SYN flooding on port 80. Sending cookies.
>
> netstat -n -p|grep SYN_REC | wc -l
> показывает от 30 до 250 соединений в состоянии SYN_RECV, причем если
> соединений больше 100, то 80 из них - это один ip, потом он исчезает,
> появляется другой ip, и так далее.
>
> Раз в сутки сервер стабильно виснет, не оставляя в логах ничего, кроме
> possible SYN flooding on port 80. Sending cookies. Так что админам
> приходится ребутить руками. В рабочее время нагрузка на нем почти ноль.
>
> Может ли причиной быть кривая конфигурация/баг в nginx? (конфиг в аттаче)
>
> Типичный случай:
> netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 122.50.182.117
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 70.245.13.128
> 75.57.133.196
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 70.245.13.128
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 24.99.246.104
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 72.234.1.154
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 24.99.246.104
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 70.245.13.128
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 24.99.246.104
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 70.245.13.128
> 60.50.160.90
> 60.50.160.90
> 70.245.13.128
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 60.50.160.90
> 70.245.13.128
>
>
> user nginx;
> worker_processes 4;
>
> #error_log /var/log/nginx/error.log;
> error_log /var/log/nginx/error.log notice;
> #error_log /var/log/nginx/error.log info;
>
> pid /var/run/nginx.pid;
>
>
> events {
> worker_connections 2048;
> }
>
>
> http {
> include /etc/nginx/mime.types;
> default_type application/octet-stream;
>
> log_format main '$remote_addr - $remote_user [$time_local] $request
> '
> '"$status" $body_bytes_sent "$http_referer" '
> '"$http_user_agent" "$http_x_forwarded_for"';
>
> access_log /var/log/nginx/access.log main;
>
> sendfile on;
> #tcp_nopush on;
>
> #keepalive_timeout 0;
> keepalive_timeout 65;
>
> server_names_hash_bucket_size 64;
>
> #gzip on;
>
>
> server {
> listen 80;
> server_name somedomain.com;
>
> #access_log /var/www/somedomain.com/log/access main;
> access_log /var/www/somedomain.com/log/access main;
> error_log /var/www/somedomain.com/log/error notice;
>
> root /var/www/somedomain.com/data;
> index index.php;
>
>
> location ~ /\.ht {
> deny all;
> }
>
>
> location ~* ^.+\.(class|inc)$ {
> deny all;
> }
>
> location ~* ^\/(\d+)\/(\d+)\/(.+)$ {
> rewrite ^\/(\d+)\/(\d+)\/(.+)$ /$3?$args last;
> break;
> }
>
> location ~* ^\/(\d+)\/(\d+)\/?$ {
> rewrite ^\/(\d+)\/(\d+)\/?$
> /index.php?page=$1&aff=$2&$args last;
> break;
> }
>
> location ~* ^.+\.php$ {
>
> fastcgi_pass unix:/tmp/php-fcgi.sock;
> fastcgi_index index.php;
>
> include /etc/nginx/fastcgi.conf;
> }
>
>
> location / {
> if (!-e $request_filename) {
>
> rewrite ^(.*)$ /index.php?request_uri=$1 last;
> break;
> }
> }
> }
>
>
>
> }
>
>