[httperf] Re: TCP: Possible SYN flooding on port 80. Sending cookies. Check SNMP counters.

david at lang.hm david at lang.hm
Mon Oct 29 12:16:48 PST 2012


On Mon, 29 Oct 2012, Vikash Kumar wrote:

> Hi all,
>
>   I am getting this message in the dmesg of my *haproxy host m/c.*
>
>   *Possible SYN flooding on port 80. Sending cookies. Check SNMP counters.*
>
>   I am using a three-node setup for my experiment; communication between
> client and server is done via *haproxy*. One solution is to disable the
> *nf_conntrack* module. But I need it enabled for my experiment.
>
>  I am experimenting with a high connection rate and a large total number of
> connections.
>
>  Is there a solution for this? Can we disable the conntrack module without
> disabling NAT in my system?

It depends on what type of NAT you are using. If you are using a 1:1 NAT, 
you could disable conntrack, but if you are using MASQUERADING you need 
conntrack.

sending SYN cookies just means that you have a large number of 
connections, and so the kernel is taking actions to protect itself from a 
DOS attack. Legitimate connections will continue to get through, but it 
will eat more CPU.

you can disable SYN cookies (echo 0 >/proc/sys/net/ipv4/tcp_syncookies).

you can change the threshold that triggers them (I'm not sure how)

unless you are running out of CPU, or your sending machines don't handle 
syn cookies in their networking stacks, syn cookies are not the cause of 
your problem.

David Lang
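
The kernel message quoted in this thread says to check the SNMP counters. As an added example (not part of the original post), the Python script below parses the `TcpExt` section of `/proc/net/netstat` and compares two snapshots to show whether cookies are being sent, returned, or dropped at the accept queue. The snapshots embedded in it are constructed and abbreviated, and the wording returned by `assess` is this example's own.

```python
import time

# TcpExt counters in /proc/net/netstat tied to SYN-queue and accept-queue pressure.
WATCHED = ("SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed",
           "TCPReqQFullDoCookies", "TCPReqQFullDrop",
           "ListenOverflows", "ListenDrops")

# Constructed, abbreviated snapshots; the real file has many more columns.
SAMPLE_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 100 90 2 0 0 1 0
IpExt: InOctets OutOctets
IpExt: 5000 6000
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("100 90 2 0 0 1 0", "4100 3900 2 15 15 3 0")

def parse_netstat(text, section="TcpExt"):
    """Parse the name-line / value-line pairs of one section into a dict."""
    rows = [l.split() for l in text.splitlines() if l.startswith(section + ":")]
    counters = {}
    for names, values in zip(rows[0::2], rows[1::2]):
        counters.update(zip(names[1:], map(int, values[1:])))
    return counters

def delta(before, after, names=WATCHED):
    """Increase of each watched counter; one the kernel lacks reads as 0."""
    return {n: after.get(n, 0) - before.get(n, 0) for n in names}

def assess(d):
    """Summarise one interval of counter increases."""
    if d["TCPReqQFullDrop"] > 0:
        return "SYN queue full, SYNs dropped (cookies disabled)"
    if d["SyncookiesSent"] == 0:
        return "no SYN cookies sent"
    if d["SyncookiesRecv"] == 0:
        return "cookies sent, none returned"
    if d["ListenOverflows"] > 0:
        return "cookies sent, accept queue overflowing"
    return "cookies sent, handshakes completing"

if __name__ == "__main__":
    def snapshot():
        with open("/proc/net/netstat") as f:
            return parse_netstat(f.read())
    first = snapshot()
    time.sleep(5)  # sampling interval in seconds
    d = delta(first, snapshot())
    print(assess(d), d)
```

Run on the haproxy host while the load test is active; cookies being returned in numbers close to those sent indicates real clients completing handshakes rather than spoofed SYNs.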
_______________________________________________
httperf mailing list
httperf at linux.hpl.hp.com
http://www.hpl.hp.com/hosted/linux/mail-archives/httperf/