Tags: networking, network_error (ai_generated: true)
TCP: request_sock_TCP: Possible SYN flooding on port 8080. Sending cookies.
ID: networking/tcp-syn-flood-detected
Fix rate: 85% | Confidence: 85% | Evidence: 1 | First seen: 2024-03-15
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Linux kernel 5.15 | active | — | — | — |
| Linux kernel 6.1 | active | — | — | — |
| Linux kernel 6.6 | active | — | — | — |
Root Cause
The kernel's SYN backlog queue is full due to a high rate of incoming SYN packets, triggering SYN cookies as a defense mechanism against SYN flood attacks.
Official Documentation
https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
Workarounds
- 85% success: Increase the SYN backlog and enable SYN cookies: echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog && echo 1 > /proc/sys/net/ipv4/tcp_syncookies (the sysctl that enables cookies is tcp_syncookies; tcp_syn_retries only sets how many times this host retransmits its own outgoing SYNs).
- 80% success: Rate-limit incoming SYN packets using iptables: iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 200 -j ACCEPT, followed by a rule that drops the SYNs the limit did not accept (iptables -A INPUT -p tcp --syn -j DROP); without that, or a DROP default policy on INPUT, the ACCEPT rule limits nothing.
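As an added example that is not part of the original page, a POSIX shell check for whether the kernel is currently in the state this log line reports, using the TcpExt counters it increments for exactly that decision; the counter names are real /proc/net/netstat fields, while the two snapshots are constructed sample data.

```sh
#!/bin/sh
# Added example, not code from the original page. The kernel increments TcpExt
# counters in /proc/net/netstat when it takes the action the log line reports:
# TCPReqQFullDoCookies when the SYN queue is full and cookies are sent, and
# TCPReqQFullDrop when it is full but cookies are off, so SYNs are dropped.
# Comparing two snapshots shows whether that is happening now; cumulative
# values only say it has happened since boot. The snapshots are constructed
# sample data (a real header has many more columns; they are looked up by name).

SNAPSHOT_T0='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 100 7 1 90 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

SNAPSHOT_T1='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 4921 17 3 4790 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# tcpext_counter NAME [TEXT]: value of one TcpExt counter; reads the live
# /proc/net/netstat when TEXT is omitted. Each group is a header line of names
# followed by a line of values, so NAME's column selects the value field.
tcpext_counter() {
    text=${2:-$(cat /proc/net/netstat)}
    printf '%s\n' "$text" | awk -v want="$1" '
        $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) if ($i == want) col = i; seen = 1; next }
        $1 == "TcpExt:" && seen && col { print $col; exit }'
}

# counter_delta NAME TEXT0 TEXT1: growth of NAME between two snapshots.
counter_delta() {
    a=$(tcpext_counter "$1" "$2"); b=$(tcpext_counter "$1" "$3")
    echo $(( ${b:-0} - ${a:-0} ))
}

# syn_flood_status TEXT0 TEXT1: "cookies" = SYN queue overflowing and cookies
# absorbing it (the logged state); "dropping" = overflowing with cookies off,
# new connections being lost (the first Dead End); "quiet" = neither.
syn_flood_status() {
    cookies=$(counter_delta TCPReqQFullDoCookies "$1" "$2")
    drops=$(counter_delta TCPReqQFullDrop "$1" "$2")
    if [ "$cookies" -gt 0 ]; then echo cookies
    elif [ "$drops" -gt 0 ]; then echo dropping
    else echo quiet; fi
}

# Live use: t0=$(cat /proc/net/netstat); sleep 5; t1=$(cat /proc/net/netstat)
syn_flood_status "$SNAPSHOT_T0" "$SNAPSHOT_T1"   # cookies
```

Writes to /proc/sys are lost at reboot; for persistence put net.ipv4.tcp_syncookies = 1 and net.ipv4.tcp_max_syn_backlog = 1024 in a file under /etc/sysctl.d/.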
Dead Ends
Common approaches that don't work:
- 90% fail: Disabling SYN cookies via sysctl -w net.ipv4.tcp_syncookies=0 removes flood protection, leaving the system exposed to actual SYN flood attacks.
- 70% fail: Increasing tcp_max_syn_backlog alone, without also adjusting tcp_synack_retries, may not help because the backlog fills up quickly under sustained attack.