Good afternoon. Syncookies: the server is reachable directly from the Internet, and SYN floods on tcp/80 have happened periodically. Judging by dmesg, syncookies are activated only on port 80. I tried disabling syncookies under load; it did not help.
# netstat -s
Ip:
    680437848 total packets received
    0 forwarded
    5 with unknown protocol
    0 incoming packets discarded
    680434468 incoming packets delivered
    1777159635 requests sent out
    363 fragments dropped after timeout
    5485 reassemblies required
    2406 packets reassembled ok
    365 packet reassembles failed
    4 fragments failed
Icmp:
    592365 ICMP messages received
    1623 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 439442
        timeout in transit: 29851
        wrong parameters: 1
        source quenches: 173
        redirects: 3594
        echo requests: 117976
    144005 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 25816
        time exceeded: 213
        echo replies: 117976
IcmpMsg:
        InType3: 439442
        InType4: 173
        InType5: 3594
        InType8: 117976
        InType11: 29851
        InType12: 1
        OutType0: 117976
        OutType3: 25816
        OutType11: 213
Tcp:
    335720334 active connections openings
    475986193 passive connection openings
    611418 failed connection attempts
    2948223 connection resets received
    12328 connections established
    680146150 segments received
    1976798623 segments send out
    80770653 segments retransmited
    2023767 bad segments received.
    9920587 resets sent
Udp:
    14213 packets received
    26382 packets to unknown port received.
    0 packet receive errors
    14259 packets sent
UdpLite:
TcpExt:
    27465459 SYN cookies sent
    33796620 SYN cookies received
    7975762 invalid SYN cookies received
    389136 resets received for embryonic SYN_RECV sockets
    811 ICMP packets dropped because they were out-of-window
    247 ICMP packets dropped because socket was locked
    228252760 TCP sockets finished time wait in fast timer
    4728737 time wait sockets recycled by time stamp
    1520033 packets rejects in established connections because of timestamp
    651613807 delayed acks sent
    153290 delayed acks further delayed because of locked socket
    Quick ack mode was activated 15636235 times
    15720991 times the listen queue of a socket overflowed
    15720991 SYNs to LISTEN sockets dropped
    3361873905 packets directly queued to recvmsg prequeue.
    2698661925 bytes directly in process context from backlog
    2362850595 bytes directly received in process context from prequeue
    1310810975 packet headers predicted
    2376025214 packets header predicted and directly queued to user
    2168271888 acknowledgments not containing data payload received
    3603412648 predicted acknowledgments
    4468 times recovered from packet loss due to fast retransmit
    751825 times recovered from packet loss by selective acknowledgements
    1614 bad SACK blocks received
    Detected reordering 18406 times using FACK
    Detected reordering 11064 times using SACK
    Detected reordering 150 times using reno fast retransmit
    Detected reordering 9035 times using time stamp
    18658 congestion windows fully recovered without slow start
    27425 congestion windows partially recovered using Hoe heuristic
    10709583 congestion windows recovered without slow start by DSACK
    15517441 congestion windows recovered without slow start after partial ack
    1346870 TCP data loss events
    TCPLostRetransmit: 171181
    6511 timeouts after reno fast retransmit
    1538949 timeouts after SACK recovery
    246600 timeouts in loss state
    2233810 fast retransmits
    322817 forward retransmits
    2790644 retransmits in slow start
    54282107 other TCP timeouts
    1051 classic Reno fast retransmits failed
    106611 SACK retransmits failed
    15829915 DSACKs sent for old packets
    1240 DSACKs sent for out of order packets
    17886120 DSACKs received
    8409 DSACKs for out of order packets received
    951323 connections reset due to unexpected data
    32014 connections reset due to early user close
    921618 connections aborted due to timeout
    TCPSACKDiscard: 4123
    TCPDSACKIgnoredOld: 265129
    TCPDSACKIgnoredNoUndo: 1883713
    TCPSpuriousRTOs: 8944
    TCPSackShifted: 1957011
    TCPSackMerged: 2434447
    TCPSackShiftFallback: 9448212
    TCPBacklogDrop: 155
    TCPReqQFullDoCookies: 35379950
    TCPReqQFullDrop: 643501
    TCPChallengeACK: 1778474
    TCPSYNChallenge: 2068557
IpExt:
    InBcastPkts: 24
    InOctets: -648479550
    OutOctets: -338174407
    InBcastOctets: 10352

# ss -s
Total: 17098 (kernel 17789)
TCP:   123227 (estab 12438, closed 105609, orphaned 601, synrecv 0, timewait 105609/0), ports 10570

Transport Total     IP        IPv6
*         17789     -         -
RAW       0         0         0
UDP       9         5         4
TCP       17618     17616     2
INET      17627     17621     6
FRAG      0         0         0

2013/11/26 Andrey Melnikoff <temnota+n...@kmv.ru>

> Bogdan <bog...@gmail.com> wrote:
> > [-- text/plain, encoding base64, charset: KOI8-R, 34 lines --]
>
> > Good evening.
>
> > I disabled the backlog in php-fpm because I was not entirely sure whether
> > it refers to the TCP backlog or simply to some internal queue.
> > The sysctl parameters (beyond the defaults) are as follows:
>
> > net.core.rmem_default=16777216
> > net.core.netdev_max_backlog=262144
> > net.core.somaxconn=262144
> > net.ipv4.tcp_syncookies=1
>   ^^^^^^^ And what is this one for???
> > net.ipv4.tcp_max_orphans=262144
> > net.ipv4.tcp_max_syn_backlog=262144
> > net.ipv4.ip_local_port_range=1024 65535
> > net.ipv4.tcp_tw_reuse=1
>
> Show netstat -s
>
>
> --
> To UNSUBSCRIBE, email to debian-russian-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive: http://lists.debian.org/6e5ema-48h....@woofie.cef.spbstu.ru
>

--
WBR, Bogdan B. Rudas
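
Added example, not part of the original thread: the `netstat -s` counters are cumulative since boot, so the totals posted above cannot show what happens during a single load spike. This Python snippet diffs two snapshots of the SYN-queue and accept-queue counters and reports which queue filled during the interval. The T0 figures are copied from the post; the T1 figures and the function names are constructed for the example.

```python
import re

# netstat -s wording -> kernel counter name as listed in /proc/net/netstat
LABELS = {
    "SYN cookies sent": "SyncookiesSent",
    "SYN cookies received": "SyncookiesRecv",
    "invalid SYN cookies received": "SyncookiesFailed",
    "times the listen queue of a socket overflowed": "ListenOverflows",
    "SYNs to LISTEN sockets dropped": "ListenDrops",
}

def parse(text):
    """Extract the SYN-queue and accept-queue counters from `netstat -s` text."""
    out = {}
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"(\d+) (.+)", line)          # "<value> <description>"
        if m and m.group(2) in LABELS:
            out[LABELS[m.group(2)]] = int(m.group(1))
        m = re.fullmatch(r"(TCPReqQFull\w+): (\d+)", line)  # "<Name>: <value>"
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def delta(before, after):
    """Counters only grow, so the difference describes the sampling interval."""
    return {k: v - before.get(k, 0) for k, v in after.items()}

def findings(d):
    notes = []
    if d.get("ListenOverflows", 0):
        notes.append("accept queue overflowed (application backlog / accept() rate)")
    if d.get("TCPReqQFullDoCookies", 0):
        notes.append("SYN queue full, cookies issued")
    if d.get("TCPReqQFullDrop", 0):
        notes.append("SYN queue full, SYNs dropped without cookies")
    if d.get("SyncookiesFailed", 0):
        notes.append("ACKs failed cookie validation")
    return notes

# Constructed input: T0 uses figures from the post, T1 is made up for the example.
FMT = ("TcpExt:\n    {} SYN cookies sent\n    {} invalid SYN cookies received\n"
       "    {} times the listen queue of a socket overflowed\n"
       "    TCPReqQFullDoCookies: {}\n    TCPReqQFullDrop: {}\n")
T0 = FMT.format(27465459, 7975762, 15720991, 35379950, 643501)
T1 = FMT.format(27465959, 7975762, 15721191, 35380450, 643501)

if __name__ == "__main__":
    d = delta(parse(T0), parse(T1))
    print(d, findings(d))
```

On a live host, feed `parse()` the output of two `netstat -s` runs taken a known number of seconds apart instead of T0 and T1.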