Posted to users@tomcat.apache.org by Rallavagu <ra...@gmail.com> on 2016/05/02 21:20:03 UTC

Tomcat accept count tuning

Tomcat 7.0.47 running on Linux

I have started investigating after noticing the following messages in 
"dmesg" output on a production server.

"possible SYN flooding on port 28080. Sending cookies."

Started looking into this as the connections to this server are timing 
out (Connect Timeout errors). Upon further investigation, it appears to 
me that the Linux kernel maintains two different queues, one for SYN and one 
for ESTABLISHED/accept connections. Both are determined by the following 
parameters.

$ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
2048

$ cat /proc/sys/net/core/somaxconn
128

Also, it appears that the second parameter (accept count) is determined 
by the application. For Tomcat it defaults to 100. As per this document 
- http://blog.dubbelboer.com/2012/04/09/syn-cookies.html - the above two 
parameters could be tuned to increase the accepted connections. 
Wondering if Tomcat's "acceptCount" 
(http://tomcat.apache.org/tomcat-7.0-doc/config/http.html) parameter is 
related to "somaxconn" for tuning.

Thanks in advance for your comments.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat accept count tuning

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rallavagu,

On 5/2/16 3:20 PM, Rallavagu wrote:
> Tomcat 7.0.47 running on Linux

Upgrade, dude. Disclosed vulnerabilities are available for your
version of Tomcat.

> I have started investigating after noticing the following messages
> in "dmesg" output on a production server.
> 
> "possible SYN flooding on port 28080. Sending cookies."
> 
> Started looking into this as the connections to this server are
> timing out (Connect Timeout errors). Upon further investigation, it
> appears to me that the Linux kernel maintains two different queues, one
> for SYN and one for ESTABLISHED/accept connections.

UNIX sockets don't have an "accept" backlog at all for ESTABLISHED
connections. "accept" is a queue where connections are put when the
kernel has accepted the connection, but the application has not. Once
the application accepts the connection, it's no longer in the "accept"
queue.

> Both are determined by the following parameters.
> 
> $ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
> 2048
> 
> $ cat /proc/sys/net/core/somaxconn
> 128

There are two separate backlogs, but they don't correspond to what you
said above.

> Also, it appears that the second parameter (accept count) is
> determined by the application.

Correct, somewhat. See below.

> For Tomcat it defaults to 100. As per this document -
> http://blog.dubbelboer.com/2012/04/09/syn-cookies.html - the above two 
> parameters could be tuned to increase the accepted connections. 
> Wondering if Tomcat's "acceptCount" 
> (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html)
> parameter is related to "somaxconn" for tuning.

Oddly enough, the kernel has a backlog that the application CANNOT
control. If the application requests a backlog, it will be separate
from the kernel's backlog.

There is nothing you can do at the Tomcat/Java/application level to
avoid a SYN attack. If you are getting a SYN attack, then you need to
increase your SYN backlog, or tweak some of the TCP handshake timeouts
to eliminate connections that aren't actually doing anything.

-chris
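To make the distinction in this reply concrete, here is an added diagnostic script (not code from the thread, from Tomcat, or from the list members). It assumes the Linux behaviour that the backlog an application passes to listen() (Tomcat passes acceptCount) is capped at net.core.somaxconn, and the column layout of `ss -ltn` and `nstat -az`; the command outputs embedded in it are constructed samples using the port and defaults from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): tell an accept-queue overflow apart from
# SYN-queue pressure using the two sysctls, `ss -ltn` and `nstat -az`.
# Sample outputs below are constructed; point the functions at real output on a host.

# Backlog the kernel actually applies to a listen() call: the smaller of the
# application's request (Tomcat passes acceptCount) and net.core.somaxconn.
effective_backlog() {  # $1 = acceptCount, $2 = somaxconn
  if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# From `ss -ltn` output on stdin, print "<recv-q> <send-q>" for the LISTEN socket
# on port $1. For a listening socket, Recv-Q is the number of completed connections
# waiting for accept() and Send-Q is the backlog limit applied to that socket.
listen_queue() {  # $1 = port
  awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { print $2, $3; exit }'
}

# True (exit 0) when the accept queue on port $1 has reached its limit, i.e. the
# application is not calling accept() fast enough or the backlog is too small.
accept_queue_full() {  # $1 = port, stdin = `ss -ltn` output
  set -- $(listen_queue "$1")
  [ -n "$1" ] && [ "$1" -ge "$2" ]
}

# From `nstat -az` output on stdin, print the TcpExtListenOverflows counter: SYNs
# dropped because an accept queue was full. This counter, not the dmesg SYN-cookie
# message, is the one that says acceptCount/somaxconn is the bottleneck.
listen_overflows() {
  awk '$1 == "TcpExtListenOverflows" { print $2; exit }'
}

# Constructed sample data (port 28080 and the 100/128 defaults from the thread).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 100    100    *:28080            *:*
LISTEN 0      128    *:22               *:*'
SAMPLE_NSTAT='#kernel
TcpExtListenOverflows           42                 0.0
TcpExtListenDrops               42                 0.0'

report() {  # $1 = port
  echo "effective accept backlog: $(effective_backlog 100 128)"
  if printf '%s\n' "$SAMPLE_SS" | accept_queue_full "$1"; then
    echo "port $1: accept queue full, ListenOverflows=$(printf '%s\n' "$SAMPLE_NSTAT" | listen_overflows)"
  else
    echo "port $1: accept queue has headroom"
  fi
}
report 28080
```

On a real host, replace the two SAMPLE_ variables with `ss -ltn` and `nstat -az` output; a rising TcpExtListenOverflows with Recv-Q pinned at Send-Q points at the accept queue, while SYN cookies with an idle accept queue point at the SYN backlog.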
