[Interest] TCP SYN flood attack.

Christian Gagneraud chgans at gna.org
Wed Jun 10 02:30:29 CEST 2015


On 10/06/15 11:23, Bill Crocker wrote:
> Dear Qt enthusiasts:
>
> I am having a problem with my large,
> distributed QT based client/server app.
> It periodically appears as if the
> server machine is under a SYN flood attack.
>
>> netstat -ts | grep -i syn
>       7563748 invalid SYN cookies received
>       75 resets received for embryonic SYN_RECV sockets
>       151 SYNs to LISTEN sockets ignored
>
> The "invalid SYN cookies received" number increases
> with each repeated issue of the netstat command.
> During this time it is difficult, if not possible,
> to connect to the server.
>
> The source of the SYN flood has been traced back, using
> wireshark, to a number of the machines running the client side
> of my Qt based app. (of course the machine is running
> other programs, but let's assume my app is guilty for now.)
>
> I use QTcpSocket to connect to the server.
> Is there any way I could be using sockets improperly
> such that my app is the source of the SYN flood attack
> perceived by the server.

What about the kernel messages on both clients and server, maybe you 
could find clues on why it is happening. It could be some firewall issue 
for example. Can you see a pattern from the broken client machines (same 
OS, same HW, ...)?

Maybe, due to a bug, your client SW creates TCP sockets at a high rate, 
initiates a connection and then deletes it straight away.

Have you tried enabling/disabling SYN cookie protection on your server?
e.g.: sysctl -w net.ipv4.tcp_syncookies=1

Krys

>
> Thanks.
>
> Bill
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/interest
>
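An added example, not part of the original thread: one way to check the "sockets created at a high rate" hypothesis on the server is to count pure SYN packets per source address in tcpdump text output. The function names, port 5000, the threshold and the sample capture lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Count connection attempts (SYN without ACK) per client address
# from `tcpdump -nn` text output read on stdin.

# Prints "<count> <source-address>" lines, highest count first.
syn_count_by_source() {
  awk '/Flags \[S\],/ {                 # pure SYN; a SYN-ACK prints as [S.]
         src = ""
         # The source is the field just before ">" (column position varies
         # between tcpdump versions and with -i any).
         for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
         if (src == "") next
         sub(/\.[0-9]+$/, "", src)      # drop the trailing .port (IPv4 and IPv6)
         n[src]++
       }
       END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Prints only the sources with at least $1 SYNs in the capture.
noisy_sources() {
  syn_count_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample capture (documentation address ranges, hypothetical port 5000).
sample_capture() {
  cat <<'EOF'
10:00:00.000101 IP 198.51.100.7.40112 > 192.0.2.10.5000: Flags [S], seq 1, win 29200, length 0
10:00:00.000150 IP 192.0.2.10.5000 > 198.51.100.7.40112: Flags [S.], seq 9, ack 2, win 28960, length 0
10:00:00.000300 IP 198.51.100.7.40113 > 192.0.2.10.5000: Flags [S], seq 5, win 29200, length 0
10:00:00.000500 IP 198.51.100.7.40114 > 192.0.2.10.5000: Flags [S], seq 7, win 29200, length 0
10:00:00.000900 IP 198.51.100.9.51000 > 192.0.2.10.5000: Flags [S], seq 3, win 29200, length 0
10:00:00.001200 IP6 2001:db8::5.40000 > 2001:db8::1.5000: Flags [S], seq 4, win 28800, length 0
10:00:00.001500 IP 198.51.100.9.51000 > 192.0.2.10.5000: Flags [.], ack 1, win 229, length 0
EOF
}

sample_capture | syn_count_by_source
# Live use on the server (port is an assumption):
#   tcpdump -nn -c 5000 'tcp dst port 5000' | syn_count_by_source
```

A client that appears with a far higher count than its peers over the same capture window is the one whose connect logic deserves a look.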



