This is a discussion on Help! kernel: TCP: drop open request from xxx.xxx.xxx.xxx within the Linux Networking forums, part of the Linux Forums category.
I am running Red Hat 8.0 with the Apache web server and all of a sudden I am getting the following errors, tons of them every second, and the web server has slowed to a crawl and is not responding to requests. I restarted the system and it didn't help. Does anyone know what may be going on and how to fix the problem? The server is a dual 1 GHz Intel system and gets a good deal of traffic; the kernel is 2.4.18-14smp.

From /var/log/messages:

....
Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
Jun 9 19:20:33 wxserver5 kernel: TCP: drop open request from 148.134.65.180/2715
Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
Jun 9 19:20:38 wxserver5 kernel: TCP: drop open request from 10.232.131.94/4727
Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
Jun 9 19:20:43 wxserver5 kernel: TCP: drop open request from 148.134.212.54/1870
Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
Jun 9 19:20:48 wxserver5 kernel: TCP: drop open request from 10.250.19.205/1584
.....

All of a sudden the errors stopped, but the traffic remains fairly high.

Mike
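The following is an added example, not code from the post or from Red Hat; it parses the two kinds of kernel line shown above. In the 2.4 TCP code, "TCP: drop open request from a.b.c.d/port" is printed on the SYN-handling path when net.ipv4.tcp_syncookies is 0 and more than three quarters of the SYN backlog (net.ipv4.tcp_max_syn_backlog) is in use; the last quarter is kept for peers the kernel already has RTT or timestamp history for, and any other SYN is dropped and counted here. The printk is rate-limited, and "NET: N messages suppressed." is the rate limiter reporting how many drop notices it swallowed since the last one it let through (one per 5 s once the burst is spent), so the log is really a counter of dropped connection attempts with one sampled source address per interval. The script turns it into a sustained drop rate and a per-source tally. The sample log is constructed from the post's own lines (same timestamps, counts and addresses); the five-second interval is 2.4's net_ratelimit() default; collapsing the doubled suppression notice at each timestamp into one count is my assumption about the duplicate lines.

```python
"""Parse 2.4-kernel SYN-backlog drop notices out of /var/log/messages.

Added example, not code from the thread.  SAMPLE_LOG is constructed from the
lines in the post; parse() accepts any file in the same syslog format.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Jun  9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
Jun  9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
Jun  9 19:20:33 wxserver5 kernel: TCP: drop open request from 148.134.65.180/2715
Jun  9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
Jun  9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
Jun  9 19:20:38 wxserver5 kernel: TCP: drop open request from 10.232.131.94/4727
Jun  9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
Jun  9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
Jun  9 19:20:43 wxserver5 kernel: TCP: drop open request from 148.134.212.54/1870
Jun  9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
Jun  9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
Jun  9 19:20:48 wxserver5 kernel: TCP: drop open request from 10.250.19.205/1584
"""

# syslog prefix "Mon dd HH:MM:SS host kernel: <message>"; day may be padded with one or two spaces
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(.*)$")
DROP_RE = re.compile(r"TCP: drop open request from (\d+\.\d+\.\d+\.\d+)/(\d+)")
SUPP_RE = re.compile(r"NET: (\d+) messages suppressed\.")

# 2.4 net_ratelimit(): one notice per 5 s sustained, so each "suppressed"
# line accounts for roughly the previous five seconds of dropped SYNs.
RATELIMIT_INTERVAL_S = 5


def parse(text: str) -> List[Tuple[str, str, object]]:
    """Return (timestamp, kind, payload): kind 'drop' -> (ip, port), kind 'suppressed' -> count."""
    events: List[Tuple[str, str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        d = DROP_RE.search(msg)
        if d:
            events.append((ts, "drop", (d.group(1), int(d.group(2)))))
            continue
        s = SUPP_RE.search(msg)
        if s:
            events.append((ts, "suppressed", int(s.group(1))))
    return events


def summarize(text: str) -> Dict[str, object]:
    """Sustained drop rate plus a (sampled) per-source tally for one log excerpt."""
    events = parse(text)
    printed = 0
    suppressed = 0
    sources: Counter = Counter()
    last_notice = None
    for ts, kind, payload in events:
        if kind == "drop":
            printed += 1              # one printed line per interval: a 1-in-N sample of sources
            sources[payload[0]] += 1
        elif (ts, payload) != last_notice:
            # Assumption: the doubled "suppressed" line at each timestamp is one
            # notice logged twice, so identical consecutive notices count once.
            suppressed += payload
            last_notice = (ts, payload)
    intervals = len({ts for ts, _, _ in events})
    total = printed + suppressed
    return {
        "printed": printed,
        "suppressed": suppressed,
        "total_drops": total,
        "intervals": intervals,
        "drops_per_second": total / (intervals * RATELIMIT_INTERVAL_S) if intervals else 0.0,
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>18}: {value}")
```

On the posted numbers this comes out at about 192 dropped SYNs per second, sustained across the 20 s shown, which points at backlog exhaustion in the kernel rather than at the NIC (the ifconfig output later in the thread shows dropped:0 on eth0). The checks that go with it on a 2.4 box: cat /proc/sys/net/ipv4/tcp_syncookies and cat /proc/sys/net/ipv4/tcp_max_syn_backlog; netstat -nt | grep -c SYN_RECV for the number of half-open connections sitting in the backlog; and, as a stop-gap, sysctl -w net.ipv4.tcp_syncookies=1, which lets the kernel answer SYNs without holding backlog state once the queue fills. Whether the SYNs are an attack or a legitimate burst is a tcpdump question: tcpdump -ni eth0 'tcp[tcpflags] == tcp-syn' shows how many distinct sources there are, whether they look spoofed, and whether their handshakes ever complete.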
Run ifconfig, what's your txqueuelen (that's the total number of packets your network card can hold before dropping packets)? Maybe there are just too many packets coming in.

Andrew

ps, someone may be trying to DDoS you ... how high is your traffic?

<mdw9604@hotmail.com> wrote in message news:MPG.1b317497f6112919989680@news-server.carolina.rr.com...
>
> I am running Red Hat 8.0 with the Apache web server and all of a sudden
> I am getting the following errors, tons of them every second, and the
> web server has slowed to a crawl and is not responding to requests. I
> restarted the system and it didn't help. Does anyone know what may be going
> on and how to fix the problem? The server is a dual 1 GHz Intel system and
> gets a good deal of traffic; the kernel is 2.4.18-14smp
>
> from /var/log/messages
> ...
> Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
> Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
> Jun 9 19:20:33 wxserver5 kernel: TCP: drop open request from 148.134.65.180/2715
> Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
> Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
> Jun 9 19:20:38 wxserver5 kernel: TCP: drop open request from 10.232.131.94/4727
> Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
> Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
> Jun 9 19:20:43 wxserver5 kernel: TCP: drop open request from 148.134.212.54/1870
> Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
> Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
> Jun 9 19:20:48 wxserver5 kernel: TCP: drop open request from 10.250.19.205/1584
> ....
>
> All of a sudden the errors stopped, but the traffic remains fairly high.
>
> Mike
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking mdw9604@hotmail.com suggested:
> I am running Red Hat 8.0 with the Apache web server and all of a sudden
> I am getting the following errors, tons of them every second, and the
> web server has slowed to a crawl and is not responding to requests. I
> restarted the system and it didn't help. Does anyone know what may be going
> on and how to fix the problem? The server is a dual 1 GHz Intel system and
> gets a good deal of traffic; the kernel is 2.4.18-14smp

This is a pretty old distro kernel, probably full of bugs/security problems; double-check the RH errata about it. I'd first upgrade to the latest available and see if the problem persists, then use 'tcpdump' to get more info on what's going on.

BTW, RH 8.0 is already outdated and you need to make a plan for upgrading the system.

Good luck

-- 
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAyBUiAkPEju3Se5QRAovMAJ48iFrKRJiDyYehHLbDptY+FobAZACgwAl5
/Wyoyq8HScqdjRhm2VTG6xM=
=rI5R
-----END PGP SIGNATURE-----
[This followup was posted to comp.os.linux.networking and a copy was sent to the cited author.]

In article <40c7f648$1_1@news.tm.net.my>, andrew@jukenworld.com says...
> Run ifconfig, what's your txqueuelen (that's the total number of packets your
> network card can hold before dropping packets)?
> Maybe there are just too many packets coming in.

Here is my ifconfig dump for eth0:

eth0      Link encap:Ethernet  HWaddr 00:02:B3:11:BC:E9
          inet addr:162.113.108.69  Bcast:162.113.108.95  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47938749 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45417541 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1039590368 (991.4 Mb)  TX bytes:1865549550 (1779.1 Mb)
          Interrupt:18 Base address:0x5000

The server has been up for about a day, so that's the total traffic.

As a hopefully stop-gap method, I turned on iptables and added the following entries in the hope that, if it is some sort of attack, this will drop the packets. This server is inside a large corporate firewall, so a purposely directed attack is unlikely. Also I noticed that the kernel messages indicated it was dropping packets from everybody's IP. This may still mean a DoS attack, I don't know. If this iptables config is screwy let me know; this is what I threw together after reading some newsgroup messages. For what it's worth I have not seen any kernel drop messages today, but that doesn't mean much because they stopped before I implemented the iptables.

Thanks,
Mike

*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
# Allow Pings
-A INPUT -p icmp -j ACCEPT
# Accept these IP ranges.
-A INPUT -s 127.0.0.1 -j ACCEPT
# SYN flood prevention
-A INPUT -p TCP --syn -m limit --limit 5/second -j ACCEPT
# Allow Web Access
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Telnet
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p udp -m udp --dport 23 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
# LDM
-A INPUT -p tcp -m tcp --dport 388 -j ACCEPT
-A INPUT -p udp -m udp --dport 388 -j ACCEPT
# NOAAPORT PAN MESSAGES
-A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000 -j ACCEPT
# Additional
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
COMMIT
# Completed
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

> Andrew
>
> ps, someone may be trying to DDoS you ... how high is your traffic?
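Two things in the INPUT chain above are worth checking before relying on it as SYN-flood protection, and the simulator below, added here as an illustration and not code from the post or from the iptables project, shows both. iptables walks a chain top to bottom and the first matching rule decides, so "-p TCP --syn -m limit --limit 5/second -j ACCEPT" followed by "-p tcp --dport 80 -j ACCEPT" never drops anything: the first few SYNs per second are accepted by the limit rule and every SYN after that is accepted by the port-80 rule. The same limit rule, having no port restriction, also lets a trickle of SYNs through to every port the DROP policy was meant to close (the "--tcp-flags ACK ACK -j ACCEPT" rule has a similar effect for any packet with ACK set, and is redundant next to the state rules under it). The usual iptables idiom is a user chain that RETURNs while under the limit and DROPs otherwise, jumped to before the per-port ACCEPTs. The SYN_FLOOD chain name, the burst of 50 SYNs in one second and the token-bucket model of the limit match (rate plus --limit-burst, default burst 5) are assumptions of this example; the counts it prints come from that model, not from a kernel.

```python
"""First-match simulation of the posted INPUT chain (added example, not thread code).

Models just enough of iptables to show rule ordering: a packet's SYN flag and
destination port, `-m limit` as a token bucket with rate and burst (the way the
limit match behaves; iptables' default burst is 5), user chains with RETURN,
and first-match-wins with a chain policy.  Fraction keeps the bucket arithmetic
exact.  All traffic is constructed; nothing touches a real kernel.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

Chains = Dict[str, List["Rule"]]


@dataclass
class Limit:
    """`-m limit --limit <rate>/second --limit-burst <burst>`."""
    rate: Fraction
    burst: int = 5
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst)
        self.last = Fraction(0)

    def allow(self, now: Fraction) -> bool:
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, RETURN or a user-chain name
    syn: bool = False               # --syn: match initial SYNs only
    dport: Optional[int] = None     # --dport
    limit: Optional[Limit] = None   # -m limit; as in iptables, spends a token only if the other matches hit

    def matches(self, syn: bool, dport: int, now: Fraction) -> bool:
        if self.syn and not syn:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return self.limit is None or self.limit.allow(now)


def verdict(chains: Chains, chain: str, syn: bool, dport: int, now: Fraction,
            policy: Optional[str] = "DROP") -> Optional[str]:
    """Walk `chain` top to bottom; the first matching terminal target wins.

    A user chain has no policy: falling off its end (or hitting RETURN) hands
    the packet back to the caller, which continues with its next rule.
    """
    for rule in chains[chain]:
        if not rule.matches(syn, dport, now):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return policy
        result = verdict(chains, rule.target, syn, dport, now, policy=None)
        if result is not None:
            return result
    return policy


def syn_burst(chains: Chains, n: int = 50, seconds: int = 1, dport: int = 80) -> Tuple[int, int]:
    """n SYNs to dport spread evenly over `seconds`; returns (accepted, dropped)."""
    accepted = sum(verdict(chains, "INPUT", True, dport, Fraction(i * seconds, n)) == "ACCEPT"
                   for i in range(n))
    return accepted, n - accepted


def posted_chains() -> Chains:
    """The order in the post: a rate-limited ACCEPT, then an unconditional ACCEPT for port 80."""
    return {"INPUT": [
        Rule("ACCEPT", syn=True, limit=Limit(Fraction(5))),  # -p TCP --syn -m limit --limit 5/second -j ACCEPT
        Rule("ACCEPT", dport=80),                            # -p tcp -m tcp --dport 80 -j ACCEPT
    ]}


def corrected_chains() -> Chains:
    """Excess SYNs are dropped in a user chain before any per-port ACCEPT sees them.

    iptables-restore equivalent (SYN_FLOOD is an assumed chain name):
        :SYN_FLOOD - [0:0]
        -A INPUT -p tcp --syn -j SYN_FLOOD
        -A SYN_FLOOD -m limit --limit 5/second --limit-burst 10 -j RETURN
        -A SYN_FLOOD -j DROP
        -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    """
    return {
        "INPUT": [Rule("SYN_FLOOD", syn=True), Rule("ACCEPT", dport=80)],
        "SYN_FLOOD": [Rule("RETURN", limit=Limit(Fraction(5), burst=10)), Rule("DROP")],
    }


if __name__ == "__main__":
    print("posted order   :", syn_burst(posted_chains()))     # (50, 0): the limit rule dropped nothing
    print("corrected order:", syn_burst(corrected_chains()))  # (14, 36): burst + refill accepted, rest dropped
```

The limit match in 2.4 keeps one bucket for the whole rule, not one per source, so a 5/s cap on a server that "gets a good deal of traffic" throttles legitimate clients as much as a flood; set the rate and burst from the server's normal SYN rate and treat the rule as a stop-gap next to net.ipv4.tcp_syncookies, which addresses the kernel message directly. The udp rules for ports 21, 22 and 23 match nothing those services use and can go.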