Hi all,
Need some help to fight a SYN flood attack. Can anyone give a hand?
Recently my Solaris 10 server has been under a SYN flood attack. /var/adm/messages shows the warning below:
May 1 04:04:19 xxx ip: [ID 995438 kern.warning] WARNING: High TCP connect timeout rate! System (port xx) may be under a SYN flood attack!
I did some research and applied the TCP stack settings below:
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096
/usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
Confirmed the settings were applied successfully (see attached image: tcp_ip_abort_cinterval), however those settings don't seem to be activated as expected. For example:
1. tcp_ip_abort_cinterval 180000 --> 10000
Supposedly it will drop SYN_RCVD connections after 10 sec. However, using a scheduled netstat to check, I see that TCP connections in the half-open state (SYN_RCVD) still remain in the TCP queue for 3 min (the old value).
| 11:10:33:203.a.b.c.d | w.z.y.x.41733 | 0 | 0 49232 | 0 SYN_RCVD |
| 11:13:42:203.a.b.c.d | w.z.y.x.41733 | 0 | 0 49232 | 0 SYN_RCVD |
2. tcp_conn_req_max_q0 1024 --> 4096
Supposedly it will increase the maximum number of allowed half-open connections, however, checking with my scheduled netstat, the "High TCP connect timeout rate!" warning still occurs while the number of concurrent SYN_RCVD connections shown in netstat never reaches >2000.
Many many thanks.
Regards,
Kenneth
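The two checks Kenneth describes (counting concurrent SYN_RCVD entries per local socket, and watching whether a given half-open entry survives longer than tcp_ip_abort_cinterval between two scheduled netstat runs) can be scripted. This is an added example, not code from the original post; the netstat lines are constructed with placeholder addresses in Solaris `netstat -an -P tcp` column order, and the threshold of 2 is chosen only to exercise the sample data.

```shell
# Constructed Solaris 10 `netstat -an -P tcp` style lines (placeholder addresses, not real hosts).
# Columns: local.port remote.port swind send-q rwind recv-q state
SNAP1='203.0.113.10.80    198.51.100.7.41733     0      0 49232      0 SYN_RCVD
203.0.113.10.80    198.51.100.8.41734     0      0 49232      0 SYN_RCVD
203.0.113.10.80    198.51.100.9.41735     0      0 49232      0 SYN_RCVD
203.0.113.10.22    198.51.100.7.50001 65535      0 49232      0 ESTABLISHED
203.0.113.10.443   198.51.100.9.41736     0      0 49232      0 SYN_RCVD'

# Second snapshot a few minutes later: two of the port-80 half-open entries are still there,
# one was aborted, and a new one arrived.
SNAP2='203.0.113.10.80    198.51.100.7.41733     0      0 49232      0 SYN_RCVD
203.0.113.10.80    198.51.100.8.41734     0      0 49232      0 SYN_RCVD
203.0.113.10.80    198.51.100.11.41737    0      0 49232      0 SYN_RCVD
203.0.113.10.22    198.51.100.7.50001 65535      0 49232      0 ESTABLISHED'

# Highest number of SYN_RCVD entries on any single local socket (0 if none).
max_syn_rcvd() {
    printf '%s\n' "$1" | awk '
        $NF == "SYN_RCVD" { n[$1]++ }
        END { m = 0; for (k in n) if (n[k] > m) m = n[k]; print m }'
}

# Return 0 and print an alert when one local socket holds more than THRESHOLD half-open connections.
syn_rcvd_alert() {
    max=$(max_syn_rcvd "$1")
    if [ "$max" -gt "$2" ]; then
        printf 'ALERT: %s SYN_RCVD entries on one socket (threshold %s)\n' "$max" "$2"
        return 0
    fi
    return 1
}

# List SYN_RCVD entries present in both snapshots. If the gap between the snapshots is longer
# than tcp_ip_abort_cinterval, these should have been dropped, so survivors indicate the
# tunable is not taking effect.
persistent_syn_rcvd() {
    { printf '%s\n' "$1"; echo '--SNAP2--'; printf '%s\n' "$2"; } | awk '
        /^--SNAP2--$/ { second = 1; next }
        $NF != "SYN_RCVD" { next }
        !second { seen[$1 " " $2] = 1; next }
        ($1 " " $2) in seen { print $1, $2 }'
}

# Stand-alone demo on the constructed snapshots.
syn_rcvd_alert "$SNAP1" 2 || echo "below threshold"
persistent_syn_rcvd "$SNAP1" "$SNAP2"
```

On the real box, feed `netstat -an -P tcp` output captured at two scheduled times into the same functions instead of the constructed strings.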