Question

I have a web application setup: apache+mod_jk+tomcat (connector for mod_jk on port 8009). Recently my app started to hang a few times a day, and in /var/logs/messages there are entries like "possible SYN flooding on port 8009. Sending cookies" with 30-60 seconds. I have to restart each time the app hangs.

Is it a DDoS attack? Or can system/application errors cause this problem?

Any help would be highly appreciated.

Thanks.


Solution

This article about tcp_syncookies might help explain the problem.

Someone or something is sending SYN packets to your application. It might be a legitimate client that does not receive the ACK cookie (is your application working?), or it might be someone malevolent (is it distributed or not?).
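As an added example (not from the question or this answer), a small Python triage helper for the point above: it counts the question's kernel message per port from syslog text and compares two /proc/net/netstat snapshots, since a listener that is not accepting connections can trigger the same warning as a real flood. The sample log lines and counter values are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the question's kernel message
# (not real logs from the poster's host).
SAMPLE_MESSAGES = """\
Mar  3 10:14:02 web1 kernel: possible SYN flooding on port 8009. Sending cookies.
Mar  3 10:14:48 web1 kernel: possible SYN flooding on port 8009. Sending cookies.
Mar  3 10:15:31 web1 kernel: possible SYN flooding on port 8009. Sending cookies.
Mar  3 10:15:40 web1 kernel: possible SYN flooding on port 80. Sending cookies.
"""

SYN_FLOOD_RE = re.compile(r"possible SYN flooding on port (\d+)\. Sending cookies", re.I)

def count_syn_flood_events(log_text):
    """Return {port: number of syncookie warnings} found in the syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SYN_FLOOD_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)

def parse_netstat(text):
    """Parse /proc/net/netstat (alternating header/value lines) into {section: {key: int}}."""
    lines = text.splitlines()
    result = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        name, keys = header.split(":", 1)
        result[name] = dict(zip(keys.split(), map(int, values.split(":", 1)[1].split())))
    return result

# Constructed /proc/net/netstat snapshots (the real file carries many more counters).
NETSTAT_BEFORE = ("TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops\n"
                  "TcpExt: 10 4 2 2\nIpExt: InNoRoutes\nIpExt: 0\n")
NETSTAT_AFTER = ("TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops\n"
                 "TcpExt: 5310 12 940 942\nIpExt: InNoRoutes\nIpExt: 0\n")

def triage(before, after):
    """Heuristic over two snapshots taken a minute apart: SyncookiesSent rising alone
    means SYN pressure while the listener keeps up; ListenOverflows rising as well means
    the accept queue is full, i.e. the application (here Tomcat) is not accepting."""
    delta = {k: after["TcpExt"][k] - before["TcpExt"][k]
             for k in ("SyncookiesSent", "ListenOverflows")}
    if delta["SyncookiesSent"] == 0:
        return "no syncookie activity", delta
    if delta["ListenOverflows"] > 0:
        return "application not accepting connections (accept queue full)", delta
    return "SYN pressure with application keeping up (possible flood)", delta
```

Feed it `cat /var/log/messages` and two reads of `/proc/net/netstat` from a hang to tell a stalled Tomcat from genuine SYN pressure before reaching for firewall rules.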

OTHER TIPS

First off, I had a look at the existing rules:

iptables -L -v

This shows you the rules and the default policy that are set in the existing chains - INPUT, FORWARD and OUTPUT.

Then I followed these quick steps -

  1. Create a new chain and name it, say, DDOS_SYNFLOOD:

iptables -N DDOS_SYNFLOOD

  2. Add a limit on the number of packets, 15 per second with a max burst of about 20, by using the limit module:

iptables -A DDOS_SYNFLOOD -m limit --limit 15/second --limit-burst 20 -j ACCEPT

Note: Other units - /minute, /hour, and /day

  3. And of course, we will need to drop packets which exceed the above limitation:

iptables -A DDOS_SYNFLOOD -j DROP

  4. Now all that was left was to "jump" to this new chain for incoming TCP SYN packets on port 80:

iptables -A INPUT -p tcp --syn --dport http -j DDOS_SYNFLOOD

And to look at what was set up:

iptables -L -v

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow