(TCP/IP) Server side sends RST after 3-way handshake.Syn flood
defense or queue overflow?
Vladimir Budnev
vladimir.budnev at gmail.com
Wed Jul 13 12:37:25 UTC 2011
First of all thanks for response!
It is normal for syncache entries added == completed == cookies sent, I'm
> mostly curious about anything else besides that. It is possible when using
> the syncache to have the network stack decide it can't create a connection
> until it gets to the end of the 3-way handshake due to resource limits,
> etc.
> In that case the end of the 3-way handshake will get a RST in response.
>
statistics i have:
(cutted from netstat -s -p tcp)
89514 syncache entries added
0 retransmitted
0 dupsyn
0 dropped
50220 completed
0 bucket overflow
0 cache overflow
0 reset
0 stale
39294 aborted
0 badack
0 unreach
0 zone failures
89514 cookies sent
According to your hint I see nonzero aborted field, but dont know how to get
the reason/interpret this.
> However, if your app just sends data and calls close() without doing any
> reads, it might close() succesfully while the data is in flight before the
> client machine sees the RST, so the client app will not see any errors. If
> the RST arrives before you finish calling write() and close() then you will
> get ECONNRESET errors from write() and close().
>
Hm..hope i get your idea, the difference is that client application recieve
ECONNRESET as result to _connect_ call not as result from write/read/close,
at that point i cant ignore it. I can spin/wait and try again, but that way
every N iterations when problem occures there will be this "problem". As i
mentioned(and in code example) client on every iteration makes
connect/close, and those come very fast.
Mb i misunderstood smth.
You can try turning off the syncache and syncookies as a test. This will
> probably trigger more ECONNRESET errors in connect() (which your app will
> need
> to retry on).
Spin idea...yeah it sounds friendly but i dont think sy/syn-ack/ack/rst
flood would be great:(
> However, the better fix is to track down what is causing your
> connections to be dropped in the first place, e.g. if you are hitting the
> limit on inpcbs (look for failures in vmstat -z output) and fix that.
>
# vmstat -z
ITEM SIZE LIMIT USED FREE REQUESTS
FAILURES
<...>
inpcb: 288, 25610, 6, 5155,
142849, 0
tcpcb: 728, 25600, 6, 454,
142849, 0
<...>
Those ones looks ok?
>
> --
> John Baldwin
>
More information about the freebsd-net
mailing list