How can I get >100 connections in FIN_WAIT_2 state from the same IP?

Michael Powell nightrecon at
Tue Oct 13 21:51:35 UTC 2009

Chuck Swiger wrote:

> On Oct 13, 2009, at 10:33 AM, Martin Turgeon wrote:
>> I would like to know if anyone knows the reason why I get a lot of
>> connections (more than 100) from the same IP in FIN_WAIT_2 state.
> That IP is probably running a web proxy or possibly some kind of
> spider.  It could also be malicious, trying to exploit webserver
> vulnerabilities, etc-- search your logs for that IP and see what it is
> doing.
>> In this case the connections are on port 80. Is it a problem with the
>> client's browser or OS? Is it possible that some mobile devices don't
>> close their connections correctly to save bandwidth and battery?
> Yes, it's not uncommon for various platforms to simply drop
> connections rather than closing them properly.  You can run tcpdrop to
> forcibly get rid of them, but they should time out within a few
> minutes anyway.  If you believe the remote IP is being abusive,
> consider firewalling it....

This is also common from the differences in TCP/IP stacks across various
platforms. Windows, Linux, Solaris, etc. are all slightly different in this

If you're running a web server you can set the following in /etc/sysctl.conf 
in an attempt to mitigate. Don't know if the timeout period can be altered.


This won't stop it from happening but it will trim the pool down some.
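
Added example, not part of the original message: a way to see which remote IPs are holding connections in FIN_WAIT_2 before deciding whether to firewall them or wait for the timeout. The function names, the threshold argument and the sample `netstat` lines are constructed for illustration, and the parser assumes FreeBSD's `address.port` output format.

```shell
#!/bin/sh
# Count FIN_WAIT_2 connections per remote IP from FreeBSD-style
# `netstat -an -p tcp` output on stdin. Prints "count ip" for every
# IP at or above the threshold (first argument, default 100).
fin_wait2_by_ip() {
    threshold="${1:-100}"
    awk -v min="$threshold" '
        # Only TCP rows whose last column is the state we care about.
        $1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
            addr = $5
            # FreeBSD prints the foreign address as addr.port; drop the port.
            sub(/\.[0-9]+$/, "", addr)
            count[addr]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print count[ip], ip
        }
    ' | sort -rn
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51235     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51236     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.9.40112      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.9.40113      ESTABLISHED
tcp6       0      0 2001:db8::10.80        2001:db8::beef.60001   FIN_WAIT_2
tcp4       0      0 *.80                   *.*                    LISTEN
EOF
}

# Threshold lowered to 2 so the small sample produces a result.
sample_netstat | fin_wait2_by_ip 2
```

On a live server the same function can be fed with `netstat -an -p tcp | fin_wait2_by_ip 100`, and the reported IPs can then be looked up in the web server logs as suggested in the quoted reply.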


More information about the freebsd-questions mailing list