nginx slow for no reason
Maxim Dounin
mdounin at mdounin.ru
Mon Aug 8 14:33:34 UTC 2011
Hello!
On Mon, Aug 08, 2011 at 09:41:06AM -0400, Marki555 wrote:
> Do you think it can be a synflood attack? I can see it only during peak
> hours, if it would be attack, I would expect it to be nonstop. If it
> would be synflood, how would nginx handle it? SYN_RECV means that kernel
> has received the initial SYN packet, but the userspace (nginx) didn't
> reply with SYN+ACK yet. But from strace it seems that nginx is not
> receiving those connections...
You understanding of how tcp stack works isn't really correct.
Userland (and nginx) will see connection once it's ESTABLISHED.
Connections in SYN_RECV state are sitting in kernel (traditionally
in listen socket's incomplete queue, on modern OSes likely in
syncache or something like it) and userland won't be able to
accept() them.
> Every request is from different IP (as it's ad-tracking I have more than
> 3 milions diff. IPs per day). Here is output:
I suggest most likely cause is network problems: packets are lost
somewhere in transit, and that's why you see many incomplete
connections.
Maxim Dounin
More information about the nginx
mailing list