Duplicate sockets staying at the SYN_RECV state
Andy Chan
I am running a Apache server on Linux 2.2.17. I continuously send
static HTTP requests without Keep-alive from one client to the server,
making around 3000 connections/s with a file size of ~1 Kbyte. The
local port range on the client is set to 1024-65535. After around 20
seconds, all the ports on the client is used up and I started to see
messages like "Address already in use".
The thing I don't understand is that on the server side, I am seeing
a lot of sockets staying in the SYN_RECV state, and some of these are
duplicates. Under what circumstances can same socket pairs remain in
the SYN_RECV state simultaneously? The following is part of the
'netstat -na' output. The number of connections eventually reach 128
(backlog) and the server is stuck until the SYN_RECV's are gone.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 192.168.11.101:1844 192.168.11.101:1779
TIME_WAIT
tcp 0 0 192.168.11.101:1843 192.168.11.101:1772
TIME_WAIT
tcp 0 0 192.168.11.101:1842 192.168.11.101:1773
TIME_WAIT
tcp 0 0 192.168.11.101:513 192.168.11.203:1021
ESTABLISHED
tcp 0 0 192.168.11.171:80 192.168.11.203:33866
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:33866
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:17589
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:17592
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:17591
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:18422
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:18434
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:21527
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:22979
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:25546
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:26302
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:26301
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:26303
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:26322
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:26321
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:33866
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:17589
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:17591
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:17592
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:18422
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:18434
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:21527
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:22979
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:25546
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:26301
SYN_RECV
tcp 0 0 192.168.11.171:80 192.168.11.203:26302
SYN_RECV
...
I would really appreciate it if you can give me an idea of what's
going on. Thank you.
Andy
Cheng3
C: (Client) S: (Server)
1: C -> S: SYN
2: S -> C: ACK
3: C -> S: FIN
If all three tokens passed through, then the connection is established, and
then the client and server applications should start to talk to each other
in application protocol. When only 1 or 2 is finished which would have the
status (SYN_RECV), then connection is not established, and such situation is
called Half-open connection, these are particularly insidious attempt to
bring down a server system. DoS attacks are achieved in this manner, have
client send a SYN packet, but never FIN, which would left the server hanging
waiting for FIN. This symptoms is obviously exhibited in your case. BSD
have implemented a defense against this kind of attack since version 4.2.
You could use BSD if you want to avoid this headache.
Another thing you could do on your client software to prevent cycling all of
its ephemeral ports is to bind to a particular ports, and use socket option
SO_REUSEADDR, and SO_LINGER.
Regards
Liang Cheng
Andy Chan <andy...@abeona.com> wrote in message
news:ec7926fd.01082...@posting.google.com...