Posted to users@tomcat.apache.org by Rallavagu <ra...@gmail.com> on 2016/05/02 21:20:03 UTC
Tomcat accept count tuning
Tomcat 7.0.47 running on Linux
I have started investigating after noticing the following messages in the
"dmesg" output on a production server.
"possible SYN flooding on port 28080. Sending cookies."
Started looking into this as the connections to this server are timing
out (Connect Timeout errors). Upon further investigation, it appears to
me that the Linux kernel maintains two different queues, one for SYN and one
for ESTABLISHED/accept connections. Both are determined by the following
parameters.
$ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
2048
$ cat /proc/sys/net/core/somaxconn
128
Also, it appears that the second parameter (accept count) is determined
by the application. For Tomcat it defaults to 100. As per this document
- http://blog.dubbelboer.com/2012/04/09/syn-cookies.html - the above two
parameters could be tuned to increase the accepted connections.
Wondering if Tomcat's "acceptCount"
(http://tomcat.apache.org/tomcat-7.0-doc/config/http.html) parameter is
related to "somaxconn" for tuning.
Thanks in advance for your comments.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat accept count tuning
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Rallavagu,
On 5/2/16 3:20 PM, Rallavagu wrote:
> Tomcat 7.0.47 running on Linux
Upgrade, dude. Disclosed vulnerabilities are available for your
version of Tomcat.
> I have started investigating after noticing the following messages
> in the "dmesg" output on a production server.
>
> "possible SYN flooding on port 28080. Sending cookies."
>
> Started looking into this as the connections to this server are
> timing out (Connect Timeout errors). Upon further investigation, it
> appears to me that the Linux kernel maintains two different queues, one
> for SYN and one for ESTABLISHED/accept connections.
UNIX sockets don't have an "accept" backlog at all for ESTABLISHED
connections. "accept" is a queue where connections are put when the
kernel has accepted the connection, but the application has not. Once
the application accepts the connection, it's no longer in the "accept"
queue.
> Both are determined by following parameters.
>
> $ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
> 2048
>
> $ cat /proc/sys/net/core/somaxconn
> 128
There are two separate backlogs, but they don't correspond to what you
said above.
> Also, it appears that the second parameter (accept count) is
> determined by the application.
Correct, somewhat. See below.
> For Tomcat it defaults to 100. As per this document -
> http://blog.dubbelboer.com/2012/04/09/syn-cookies.html - the above two
> parameters could be tuned to increase the accepted connections.
> Wondering if Tomcat's "acceptCount"
> (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html)
> parameter is related to "somaxconn" for tuning.
Oddly enough, the kernel has a backlog that the application CANNOT
control. If the application requests a backlog, it will be separate
from the kernel's backlog.
There is nothing you can do at the Tomcat/Java/application level to
avoid a SYN attack. If you are getting a SYN attack, then you need to
increase your SYN backlog, or tweak some of the TCP handshake timeouts
to eliminate connections that aren't actually doing anything.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlcqKfQACgkQ9CaO5/Lv0PDhjwCeJgeQaP9+SyQAQlJyUtOsIgSa
sPAAoJ69oV3qiPJxk8k37ZeCtLVyyEbE
=O3GA
-----END PGP SIGNATURE-----
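The two queues the thread argues about, as an added example (not code from either poster, from Tomcat, or from the Linux kernel). It serves both the original question (does Tomcat's acceptCount relate to somaxconn?) and Chris's reply (the SYN backlog is the kernel's, the accept backlog is the application's). The facts it encodes: on Linux the backlog an application passes to listen() becomes the size of the accept queue (completed handshakes not yet accept()ed) and is silently capped at net.core.somaxconn; Tomcat passes its acceptCount as that backlog; the SYN (half-open) queue is sized by net.ipv4.tcp_max_syn_backlog, and "possible SYN flooding" is logged when that queue overflows. For a LISTEN socket, `ss -lnt` reports the current accept-queue length in Recv-Q and the granted backlog in Send-Q. The dmesg, sysctl and ss text below is constructed for the example, using the values posted in the thread; the function names are the example's own.

```python
"""Triage helper for the "possible SYN flooding" / accept-queue discussion.

Added example, not from the thread or from Tomcat. It models the two Linux
queues under discussion and reads the usual evidence for each:
  - SYN queue: half-open connections, sized by net.ipv4.tcp_max_syn_backlog.
  - accept queue: completed handshakes the application has not accept()ed yet;
    its size is the backlog passed to listen() (Tomcat's acceptCount), which
    the kernel caps at net.core.somaxconn.
A full accept queue makes the kernel drop the handshake's final ACK, so
requests pile up in the SYN queue and the SYN-flood warning appears even with
no attacker: the application is simply not accepting fast enough.
"""
import re

# Constructed sample input (modelled on the values posted in the thread).
SAMPLE_DMESG = """\
[1234567.890123] TCP: possible SYN flooding on port 28080. Sending cookies.
[1234570.112233] TCP: possible SYN flooding on port 28080. Sending cookies.
"""
SAMPLE_SYSCTL = """\
net.ipv4.tcp_max_syn_backlog = 2048
net.core.somaxconn = 128
net.ipv4.tcp_syncookies = 1
"""
# `ss -lnt` style output (constructed). For a LISTEN socket, Recv-Q is the
# current accept-queue length and Send-Q is the backlog the kernel granted.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 100    100    *:28080            *:*
LISTEN 0      128    *:22               *:*
"""

SYN_FLOOD_RE = re.compile(r"possible SYN flooding on port (\d+)")
SYSCTL_RE = re.compile(r"^[ \t]*([\w.]+)[ \t]*=[ \t]*(\d+)[ \t]*$", re.M)


def effective_listen_backlog(requested: int, somaxconn: int) -> int:
    """Backlog the kernel actually grants to listen(requested): capped at somaxconn."""
    return min(requested, somaxconn)


def parse_sysctl(text: str) -> dict:
    """Parse `sysctl -a` style 'key = value' lines (numeric values only)."""
    return {key: int(value) for key, value in SYSCTL_RE.findall(text)}


def parse_syn_flood_ports(dmesg_text: str) -> list:
    """Distinct ports named in SYN-flood warnings, in first-seen order."""
    ports = []
    for match in SYN_FLOOD_RE.finditer(dmesg_text):
        port = int(match.group(1))
        if port not in ports:
            ports.append(port)
    return ports


def parse_ss_listen(ss_text: str) -> dict:
    """port -> (queued, granted_backlog) for the LISTEN rows of `ss -lnt`."""
    listeners = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        listeners[port] = (int(fields[1]), int(fields[2]))
    return listeners


def triage(dmesg_text: str, sysctl_text: str, ss_text: str, app_backlog: int) -> dict:
    """For each port with a SYN-flood warning, say which queue is the bottleneck."""
    sysctl = parse_sysctl(sysctl_text)
    listeners = parse_ss_listen(ss_text)
    granted = effective_listen_backlog(app_backlog, sysctl["net.core.somaxconn"])
    findings = {}
    for port in parse_syn_flood_ports(dmesg_text):
        notes = []
        if granted < app_backlog:
            notes.append(f"acceptCount={app_backlog} capped to {granted} by net.core.somaxconn")
        queued, backlog = listeners.get(port, (0, granted))
        if queued >= backlog:
            notes.append("accept queue full: the application is not accept()ing fast enough; "
                         "raising tcp_max_syn_backlog alone will not help")
        else:
            notes.append("accept queue has room: the SYN queue (tcp_max_syn_backlog="
                         f"{sysctl['net.ipv4.tcp_max_syn_backlog']}) overflowed; "
                         "look at SYN rate, syncookies and handshake timeouts")
        findings[port] = notes
    return findings


if __name__ == "__main__":
    for port, notes in triage(SAMPLE_DMESG, SAMPLE_SYSCTL, SAMPLE_SS, 100).items():
        print(port, *notes, sep="\n  ")
```

On a live host, feed it the real `dmesg`, `sysctl -a` and `ss -lnt` output, and confirm the diagnosis with the counters `nstat -az TcpExtListenOverflows TcpExtListenDrops` (accept-queue overflows) versus the SYN-queue evidence in dmesg. Raising acceptCount above somaxconn changes nothing until somaxconn is raised too.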