[squid-users] possible SYN flooding on port 3128. Sending cookies

From: Khemara Lyn <lin.kh_at_wicam.com.kh>
Date: Fri, 04 Jun 2010 11:51:59 +0700

Dear All,

I could see a lot of instances of the following message in the system
log of Fedora 12 running Squid-2.7STABLE9:

"Jun 4 11:11:39 cache kernel: possible SYN flooding on port 3128.
Sending cookies."

Is the system really under SYN flood attack?

I tried running this command:

netstat -nat | grep "ESTABLISHED" | awk '$3>10000 {print $3 " " $5 " "
$6;}' | sort -n

and saw that some users are using so many ESTABLISHED connections such
as below:
...
70800 202.79.27.22:59085 ESTABLISHED
75016 202.79.27.22:59853 ESTABLISHED
75024 202.79.27.22:59971 ESTABLISHED
77632 202.79.27.22:63075 ESTABLISHED
87568 202.79.27.22:61407 ESTABLISHED
89384 202.79.27.22:59511 ESTABLISHED
92152 202.79.26.194:1591 ESTABLISHED
92376 202.79.27.22:61169 ESTABLISHED
99144 202.79.27.22:63753 ESTABLISHED
104120 119.15.94.182:28632 ESTABLISHED
...

I'm running this Squid box for an ISP of around 250 users.

Is it safe to ignore this? Despite those the message in the log, Squid
seems to run fine. Is there any tweak to get rid of the message?

Thanks in advance for any comments.

Regards,
Khem
Received on Fri Jun 04 2010 - 04:52:17 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 04 2010 - 12:00:04 MDT