Robert Blayzor wrote:
> I've been noticing a problem for quite some time now on our mirror
> server. (I posted this issue to the devel list, but there have been no
> responses).
>
> I'm noticing some buggy client behavior that seems it's from freshclam
> clients. Over time on our mirror we notice 1000's of connections can
> build up over time with clients stuck in a half-opened state. (or half-
> closed). As clam becomes more popular and traffic picks up on the
> mirrors, I notice more and more of these stuck clients. It becomes
> dangerous to the mirror at one point because if there are thousands of
> these lingering around, they can run the server out of socket space.
>
> Basically what we see happen is that when Apache closes the connection
> it will send the FIN to the client, sending it into FIN_WAIT_1, in
> which case the client should answer with a FIN+ACK, but that doesn't
> happen. The client will respond with an ACK and zero sized window.
>
Seems like a problem with the TCP stack to me. No client of normal
sockets should be able to do that. Do you have some device (such as a
firewall) in front of that machine which could be interfering? Could
you fingerprint (p0f) which OS this activity comes from?
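
One way to measure the build-up described in the quoted report, as an added example that is not part of either message: count FIN_WAIT_1 sockets per remote address so the stuck peers can be singled out for fingerprinting. It assumes a little-endian Linux mirror exposing `/proc/net/tcp`; the function names and the sample table are constructed for illustration.

```python
import socket
import struct
from collections import Counter

FIN_WAIT1 = 0x04  # Linux TCP state code for FIN_WAIT1

# Constructed sample in /proc/net/tcp layout (assumption: little-endian Linux host,
# so IPv4 addresses appear as byte-reversed hex). Not data from the mirror.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:0050 0A0200C0:C001 04 00000001:00000000 01:00000A00 00000005     0        0 0
   2: 0A00000A:0050 0A0200C0:C002 04 00000001:00000000 01:00000A00 00000007     0        0 0
   3: 0A00000A:0050 077100CB:D431 04 00000001:00000000 01:00000A00 00000003     0        0 0
   4: 0A00000A:0050 636433C6:9C40 01 00000000:00000000 00:00000000 00000000    33        0 2002
"""

def decode_ipv4(hex_addr):
    """Turn 'HHHHHHHH:PPPP' from /proc/net/tcp into (dotted_ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def fin_wait1_by_peer(table_text, local_port=80):
    """Count sockets on local_port that are in FIN_WAIT1, keyed by peer IP."""
    counts = Counter()
    for line in table_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        _, lport = decode_ipv4(fields[1])
        peer_ip, _ = decode_ipv4(fields[2])
        if lport == local_port and int(fields[3], 16) == FIN_WAIT1:
            counts[peer_ip] += 1
    return counts

def over_threshold(counts, limit):
    """Peers holding at least `limit` FIN_WAIT1 sockets, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= limit)

if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    counts = fin_wait1_by_peer(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}")
    print("repeat offenders:", over_threshold(counts, 2))
```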