Re: Help with DOS attack

["Jonny K" <mrjk600@xxxxxxxxx>]

> it looks like someone dos attack my server
> any ideas how i can handle it ?
>
> (i allready sysctl and change the backlog queue to 4096 insted of 1024   and i mange SYN timeout to 9 sec)
>
> any other ideas ?
>
>
> here is my netstat outputs
>
>
> [root@MYHOST ~]# netstat -an | grep SYN_REC  | wc
>     372    2232   33108
> [root@MYHOST ~]#
>
>
>
>
> Ip:
>     496709034 total packets received
>     0 forwarded
>
>     0 incoming packets discarded
>     496547054 incoming packets delivered
>     389034562 requests sent out
>     55 fragments dropped after timeout
>     499 reassemblies required
>     54 packets reassembled ok
>
>     55 packet reassembles failed
>     2 fragments received ok
> Icmp:
>     17083 ICMP messages received
>     25 input ICMP message failed.
>     ICMP input histogram:
>         destination unreachable: 11255
>
>         timeout in transit: 1579
>         source quenches: 353
>         echo requests: 3880
>         echo replies: 16
>     24339 ICMP messages sent
>     0 ICMP messages failed
>     ICMP output histogram:
>         destination unreachable: 20459
>
>         echo replies: 3880
> Tcp:
>     33725 active connections openings
>     38693945 passive connection openings
>     312156 failed connection attempts
>     521243 connection resets received
>     3 connections established
>
>     495811236 segments received
>     388303537 segments send out
>     14565173 segments retransmited
>     10279 bad segments received.
>     136512 resets sent
> Udp:
>     718164 packets received
>     571 packets to unknown port received.
>
>     0 packet receive errors
>     720360 packets sent
> TcpExt:
>     421 SYN cookies sent
>     99 SYN cookies received
>     43807 invalid SYN cookies received
>     1188232 resets received for embryonic SYN_RECV sockets
>
>     14 packets pruned from receive queue because of socket buffer overrun
>     221 ICMP packets dropped because they were out-of-window
>     71 ICMP packets dropped because socket was locked
>     34829434 TCP sockets finished time wait in fast timer
>
>     2 time wait sockets recycled by time stamp
>     15358 packets rejects in established connections because of timestamp
>     256833 delayed acks sent
>     2653 delayed acks further delayed because of locked socket
>
>     Quick ack mode was activated 119773 times
>     74580 times the listen queue of a socket overflowed
>     74580 SYNs to LISTEN sockets ignored
>     39205589 packets directly queued to recvmsg prequeue.
>     8376974 packets directly received from backlog
>
>     2265096902 packets directly received from prequeue
>     806823 packets header predicted
>     36687371 packets header predicted and directly queued to user
>     238781476 acknowledgments not containing data received
>
>     125709890 predicted acknowledgments
>     29275 times recovered from packet loss due to fast retransmit
>     1927589 times recovered from packet loss due to SACK data
>     1362 bad SACKs received
>     Detected reordering 6628 times using FACK
>
>     Detected reordering 4312 times using SACK
>     Detected reordering 4875 times using reno fast retransmit
>     Detected reordering 11976 times using time stamp
>     6435 congestion windows fully recovered
>
>     66640 congestion windows partially recovered using Hoe heuristic
>     TCPDSACKUndo: 957
>     16664 congestion windows recovered after partial ack
>     4188573 TCP data loss events
>     TCPLostRetransmit: 1192
>
>     5491 timeouts after reno fast retransmit
>     260050 timeouts after SACK recovery
>     200153 timeouts in loss state
>     6505780 fast retransmits
>     695080 forward retransmits
>     4881678 retransmits in slow start
>
>     1084146 other TCP timeouts
>     TCPRenoRecoveryFail: 14786
>     306771 sack retransmits failed
>     2225 times receiver scheduled too late for direct processing
>     294 packets collapsed in receive queue due to low socket buffer
>
>     121753 DSACKs sent for old packets
>     64 DSACKs sent for out of order packets
>     1007539 DSACKs received
>     1099 DSACKs for out of order packets received
>     10295 connections reset due to unexpected data
>
>     102 connections reset due to early user close
>     64688 connections aborted due to timeout