
http://serverfault.com/questions/294209/possible-syn-flooding-in-log-despite...

On Thu, Jun 6, 2013 at 7:24 PM, Laban Mwangi <lmwangi@gmail.com> wrote:
Set up a rotary pcap on the interface then put an alarm around your syslog. Stop the packet capture when your alarm fires and analyse the pcap files. Something along the lines of:
Shell 1: tcpdump -C 100 -i ethX -s0 -w sample.pcap -W 5
Shell 2: while true; do tail -n 100 /var/log/syslog | grep max_syn_backlog && pkill tcpdump; done
On Thu, Jun 6, 2013 at 5:31 PM, Simon Mburu <sgatonye@gmail.com> wrote:
Hello Skunks,
I am having an issue with SYN flooding on a Sigtran USSD gateway. I keep getting the following message "Jun 6 18:20:09 ussd kernel: possible SYN flooding on port 5420. Sending cookies." thus making connection/listening to port 5420 impossible.
I have tried increasing the tcp_max_syn_backlog to 4096, 5012 and 65536 but to no avail. My sysctl -p looks like the below:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
fs.inotify.max_user_watches = 65536
My netstat -tuna | grep SYN never shows entries more than 12.
I have also noted that once I stop the gateway, the SYN flooding is no longer there, thus removing the fear of outside attacks.
What could be my problem/solution? NB: I am trying to avoid solutions that will mean I have to recompile my kernel.
Kind Regards,
Frustrated Simon
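
Added example, not part of the thread: one way to script the capture-and-alarm procedure suggested above, triggering on the kernel message quoted in the question and only on log lines written after the watcher starts. The interface name, log path, capture prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example: ring-buffer capture that stops on the kernel's SYN-flood warning.
# Assumed values (not from the thread): interface, log path, capture prefix.
IFACE="${IFACE:-eth0}"
LOG="${LOG:-/var/log/syslog}"
PCAP="${PCAP:-/var/tmp/synflood.pcap}"
PORT="${PORT:-5420}"   # the port named in the kernel message in the thread

# Print the port from a kernel SYN-flood warning line; status 1 for any other
# line. "[Pp]" also accepts the capitalised "Possible" spelling.
flood_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*kernel:.*[Pp]ossible SYN flooding on port \([0-9][0-9]*\).*/\1/p' |
        grep .
}

# Start the 5 x 100 MB ring buffer, then watch only log lines written from now
# on (-n 0), so a warning already in the file cannot stop the capture early.
watch_and_capture() {
    tcpdump -i "$IFACE" -s 0 -C 100 -W 5 -w "$PCAP" "tcp port $PORT" &
    cap=$!
    tail -n 0 -F "$LOG" | while IFS= read -r line; do
        if port=$(flood_port "$line") && [ "$port" = "$PORT" ]; then
            kill "$cap"        # stop once; the ring buffer holds the lead-up
            echo "capture stopped on warning for port $port: $line"
            break              # tail exits on its next write (SIGPIPE)
        fi
    done
}

# Constructed log lines for a dry run of the matcher (the first uses the
# message format quoted in the thread).
demo() {
    while IFS= read -r l; do
        flood_port "$l" || echo "no match"
    done <<'EOF'
Jun 6 18:20:09 ussd kernel: possible SYN flooding on port 5420. Sending cookies.
Jun 6 18:20:10 ussd sshd[811]: Accepted publickey for ops from 192.0.2.7
EOF
}

case "${1:-demo}" in
    run)  watch_and_capture ;;
    demo) demo ;;
esac
```

Run it with the argument `run` as root to start the capture; with no argument it only runs the matcher over the constructed lines.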