what does “possible SYN flooding on port 8009. Sending cookies” mean in /var/log/messages?
Question
I have a web application set up with apache+mod_jk+tomcat (connector for mod_jk on port 8009). Recently my app started to hang a few times a day, and in /var/log/messages there are entries like "possible SYN flooding on port 8009. Sending cookies" 30-60 seconds apart. I have to restart each time the app hangs.
Is it a DDoS attack? Or can system/application errors cause this problem?
Any help would be highly appreciated.
Thanks.
Solution
This article about tcp_syncookies might help explain the problem.
Someone or something is sending SYN packets to your application. It might be a legit client that does not receive the ACK cookie (is your application working?), or it might be someone malevolent (is it distributed or not?).
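To tell a saturated listener apart from a flood, it helps to pull every SYN-flood notice out of the syslog and look at how often, and on which port, the kernel emitted it. The script below is an added example, not part of the original answer; the log lines are constructed, the year is an assumption (syslog timestamps carry none), and it also matches the "Dropping request" variant the kernel logs when tcp_syncookies is off.

```python
"""Summarize "possible SYN flooding" kernel notices found in /var/log/messages."""
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog prefix, then the kernel notice. The kernel prints "Sending cookies"
# when net.ipv4.tcp_syncookies is enabled and "Dropping request" when it is not.
SYN_FLOOD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"[Pp]ossible SYN flooding on port (?P<port>\d+)\. "
    r"(?P<action>Sending cookies|Dropping request)"
)

def parse_syn_flood_events(lines, year=2013):
    """Return {port: [(datetime, action), ...]}; year is assumed, syslog omits it."""
    events = defaultdict(list)
    for line in lines:
        m = SYN_FLOOD_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[int(m["port"])].append((ts, m["action"]))
    return dict(events)

def summarize(events):
    """Per port: notice count, seconds between first and last notice, shortest gap.

    The kernel rate-limits this notice (older kernels: at most once a minute), so
    the count says how often the listen backlog was found full, not how many SYNs
    arrived. A full backlog on the mod_jk port while the app is hung points at a
    backlog nobody is draining, not necessarily at an attacker.
    """
    summary = {}
    for port, recs in events.items():
        times = sorted(t for t, _ in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[port] = {
            "count": len(times),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "min_gap_s": min(gaps) if gaps else None,
            "cookies": all(a == "Sending cookies" for _, a in recs),
        }
    return summary

SAMPLE_LOG = [  # constructed sample lines, not taken from the question
    "Nov  5 10:00:01 web1 kernel: possible SYN flooding on port 8009. Sending cookies.",
    "Nov  5 10:00:48 web1 kernel: possible SYN flooding on port 8009. Sending cookies.",
    "Nov  5 10:01:52 web1 kernel: possible SYN flooding on port 8009. Sending cookies.",
    "Nov  5 10:01:53 web1 sshd[2201]: Accepted publickey for ops from 10.0.0.5",
    "Nov  5 10:02:10 web1 kernel: TCP: Possible SYN flooding on port 80. Dropping request.  Check SNMP counters.",
]

if __name__ == "__main__":
    for port, stats in sorted(summarize(parse_syn_flood_events(SAMPLE_LOG)).items()):
        print(port, stats)
```

Feed it `open("/var/log/messages")` instead of `SAMPLE_LOG` on the affected host; a steady once-a-minute cadence on 8009 alone, while clients cannot get through, is the backlog-saturation picture rather than a distributed flood.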
OTHER TIPS
First off, I had a look at the existing rules
iptables -L -v
This shows you the rules and the default policy that are set in the existing chains - INPUT, FORWARD and OUTPUT.
Then I followed these quick steps -
- Create a new chain and name it, say, DDOS_SYNFLOOD,
iptables -N DDOS_SYNFLOOD
- Add a limit of 15 packets per second with a max burst of about 20, using the limit module -
iptables -A DDOS_SYNFLOOD -m limit --limit 15/second --limit-burst 20 -j ACCEPT
Note: Other units - /minute , /hour , and /day
- And of course, we will need to drop packets which exceed the above limitation
iptables -A DDOS_SYNFLOOD -j DROP
- Now all that was left was to "jump" to this new chain for incoming tcp syn packets on port 80.
iptables -A INPUT -p tcp --syn --dport http -j DDOS_SYNFLOOD
And to look at what was set up -