nginx slow for no reason

Maxim Dounin mdounin at
Mon Aug 8 14:33:34 UTC 2011


On Mon, Aug 08, 2011 at 09:41:06AM -0400, Marki555 wrote:

> Do you think it can be a synflood attack? I can see it only during peak
> hours, if it would be attack, I would expect it to be nonstop. If it
> would be synflood, how would nginx handle it? SYN_RECV means that kernel
> has received the initial SYN packet, but the userspace (nginx) didn't
> reply with SYN+ACK yet. But from strace it seems that nginx is not
> receiving those connections...

You understanding of how tcp stack works isn't really correct.  
Userland (and nginx) will see connection once it's ESTABLISHED.  
Connections in SYN_RECV state are sitting in kernel (traditionally 
in listen socket's incomplete queue, on modern OSes likely in 
syncache or something like it) and userland won't be able to 
accept() them.

> Every request is from different IP (as it's ad-tracking I have more than
> 3 milions diff. IPs per day). Here is output:

I suggest most likely cause is network problems: packets are lost 
somewhere in transit, and that's why you see many incomplete 

Maxim Dounin

More information about the nginx mailing list