Error: possible SYN flooding

[Lasse Karstensen]

On Mon, Aug 12, 2013 at 08:25:44PM +0000, Maximilian Herrmann wrote:
> i`m currently having issues with my Varnish load balancers. For some users, the access to our site is very slow, for others it isn`t reachable.
> I`ve observed something strange at the dmesg-Logfile, it is saying "possible SYN flooding on port 80. Sending cookies." about every 20 minutes. I don`t think that this is a real SYN flood, as this is some very high traffic system.
> The system is running at CentOS 6.3, we`re using Varnish 3.0.4 (from rpm).

>From what I gathered last time I looked into this for a customer, you need to
increase netdev_max_backlog to avoid the synflood message in dmesg.

You can see with netstat -s if your syncookies are in fact returned from the
client, which hints on whether you are being synflooded or not.


> We have optimized the following kernel parameters already:
> /proc/sys/net/ipv4/tcp_tw_reuse (now set to 1)
> /proc/sys/net/ipv4/tcp_tw_recycle (now set to 1)
> /proc/sys/net/ipv4/tcp_fin_timeout (now set to 30)
> /proc/sys/net/ipv4/tcp_keepalive_intvl (now set to 40)
> /proc/sys/net/ipv4/tcp_keepalive_time (now set to 1800)
> /proc/sys/net/ipv4/tcp_syn_retries (not set to 2)
> /proc/sys/net/ipv4/tcp_synack_retries (now set to 2)
> /proc/sys/net/ipv4/tcp_no_metrics_save (now set to 1)
> /proc/sys/net/ipv4/tcp_rmem (now 4096   87380   16777216)
> /proc/sys/net/core/wmem_max (now 16777216)
> /proc/sys/net/core/rmem_max (now 16777216)
> /proc/sys/net/ipv4/tcp_max_syn_backlog (now 4096)
> /proc/sys/net/ipv4/tcp_max_syn_backlog (now 4096)
> /proc/sys/net/core/netdev_max_backlog (now 5000)
> /proc/sys/net/ipv4/ip_local_port_range (now 1024 65536)


I'd recommend keeping TCP stack tuning to a minimum.

tcp_tw_recycle is dangerous. Don't enable it.

At least you should be sure you understand what each setting means before
changing it. Please don't just copy something from a blog somewhere.


-- 
With regards,
Lasse Karstensen
Varnish Software AS