TCP: Possible SYN flooding on port XXXXX. Dropping request.

foolosophy · 2011-08-05 00:51:46

Hi there.

I'm running deluge (bittorrent client) on my server and I get this message constantly on /var/log/messages:

TCP: Possible SYN flooding on port XXXXX. Dropping request.

If I change deluge's port, it's the same.
I used to receive the same message but with "Sending cookie" at the end. That is very common and has been around for a long time: http://cr.yp.to/syncookies.html
I disabled syncookies in /etc/sysctl.conf with
net.ipv4.tcp_syncookies=0

But I can't find any setting in there nor in /proc/sys/net/ipv4/ that also avoids dropping requests!

Do you know where can I change this setting?

fukawi2 · 2011-08-05 02:50:20

foolosophy wrote:

TCP: Possible SYN flooding on port XXXXX. Dropping request.

Are you sure it's the kernel doing that? Can you post an extract of the log message in context?

foolosophy · 2011-08-05 03:14:23

Yeah, I'm sure.

Aug  5 00:09:47 localhost kernel: [95203.513298] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:09:51 localhost kernel: [95207.579043] net_ratelimit: 9 callbacks suppressed
Aug  5 00:09:51 localhost kernel: [95207.579056] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:09:52 localhost kernel: [95207.790862] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:09:54 localhost kernel: [95210.220548] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:09:56 localhost kernel: [95212.420897] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:00 localhost kernel: [95215.697721] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:00 localhost kernel: [95216.097729] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:00 localhost kernel: [95216.185843] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:14 localhost kernel: [95230.395110] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:15 localhost kernel: [95230.981584] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:16 localhost kernel: [95232.342224] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:16 localhost kernel: [95232.420052] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:16 localhost kernel: [95232.420237] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:17 localhost kernel: [95232.716283] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:17 localhost kernel: [95232.739409] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:17 localhost kernel: [95233.290902] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:17 localhost kernel: [95233.382954] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:17 localhost kernel: [95233.411097] TCP: Possible SYN flooding on port 53126. Dropping request.
Aug  5 00:10:21 localhost kernel: [95236.701556] net_ratelimit: 2 callbacks suppressed
Aug  5 00:10:21 localhost kernel: [95236.701565] TCP: Possible SYN flooding on port 53126. Dropping request.

and on and on and on...

fukawi2 · 2011-08-05 06:53:33

Interesting.... I'm not sure, maybe you're filling up conntrack table or some other kernel limit?

foolosophy · 2011-08-11 01:04:11

Help please...

student975 · 2011-10-28 04:05:15

@foolosophy

Have you found a reason/solution?

@fukawi2

I met the issue without iptables - just on local ApacheBench-ing of an http server.

foolosophy · 2011-10-28 04:08:48

Nope. Still getting it. I decided to ignore it, given that Deluge is working fine anyway.

itman · 2011-10-28 06:28:19

deluge user here...

isn't it the other way around?

net.ipv4.tcp_syncookies=1

foolosophy · 2011-10-28 17:07:37

That would enable sending cookies... Instead of saying "dropping request", it would say "sending cookie".

EDIT: See http://cr.yp.to/syncookies.html

Last edited by foolosophy (2011-10-28 17:08:20)

itman · 2011-10-28 17:47:09

hmmm - anyway no "SYN flooding" messages in any log-files...

I sense a misconception here: setting

net.ipv4.tcp_syncookies=1

protects you from those.

foolosophy · 2011-10-28 18:11:26

No misconception. I just think the kernel is getting false positives; I don't think I'm being DoSed, it's just normal torrent traffic.

Leonid.I · 2011-10-28 21:36:34

@foolosophy:
Have you seen this: https://bugzilla.redhat.com/show_bug.cgi?id=734991

@all:
I am confused now regarding syncookies. Because according to

/usr/src/linux-3.0-ARCH/Documentation/networking/ip-sysctl.txt

we must have CONFIG_SYNCOOKIES=y in kernel config, but /proc/config.gz doesn't have this option.

R00KIE · 2011-10-29 13:39:41

You sure you didn't miss it?

> zgrep COOKIES /proc/config.gz 
CONFIG_SYN_COOKIES=y

Arch Linux

#1 2011-08-05 00:51:46

TCP: Possible SYN flooding on port XXXXX. Dropping request.

#2 2011-08-05 02:50:20

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#3 2011-08-05 03:14:23

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#4 2011-08-05 06:53:33

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#5 2011-08-11 01:04:11

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#6 2011-10-28 04:05:15

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#7 2011-10-28 04:08:48

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#8 2011-10-28 06:28:19

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#9 2011-10-28 17:07:37

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#10 2011-10-28 17:47:09

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#11 2011-10-28 18:11:26

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#12 2011-10-28 21:36:34

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

#13 2011-10-29 13:39:41

Re: TCP: Possible SYN flooding on port XXXXX. Dropping request.

Board footer