networking
network_error
ai_generated
true
TCP: Possible SYN flooding on port 8080. Sending cookies.
TCP: request_sock_TCP: Possible SYN flooding on port 8080. Sending cookies.
ID: networking/tcp-syn-flood-detected
85% fix rate
85% confidence
1 evidence item
First seen 2024-03-15
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Linux kernel 5.15 | active | — | — | — |
| Linux kernel 6.1 | active | — | — | — |
| Linux kernel 6.6 | active | — | — | — |
Root cause analysis
The kernel's SYN backlog queue is full due to a high rate of incoming SYN packets, triggering SYN cookies as a defense mechanism against SYN flood attacks.
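To tell whether the full backlog described above comes from a flood or from real clients overrunning a small queue, compare the kernel's TcpExt SYN-cookie counters over an interval. The script below is an added example, not part of the original entry; the function names, the constructed snapshot values and the 50% threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example: classify SYN-cookie activity from two snapshots in
# /proc/net/netstat format. Names and threshold are assumptions.

# Print the value of TcpExt counter $2 from file $1; exit 1 if it is absent.
tcpext_counter() {
    awk -v want="$2" '
        $1 == "TcpExt:" && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == "TcpExt:" {
            if (want in col) { print $(col[want]); found = 1 }
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print how much counter $3 grew between snapshots $1 (before) and $2 (after).
tcpext_delta() {
    before=$(tcpext_counter "$1" "$3") || return 1
    after=$(tcpext_counter "$2" "$3") || return 1
    echo $((after - before))
}

# Heuristic (assumed): cookies sent but mostly never validated by a returning
# ACK suggest a flood; mostly validated cookies suggest real clients and an
# undersized backlog.
syn_pressure() {
    sent=$(tcpext_delta "$1" "$2" SyncookiesSent) || return 1
    recv=$(tcpext_delta "$1" "$2" SyncookiesRecv) || return 1
    if [ "$sent" -eq 0 ]; then echo "no-cookies"
    elif [ $((recv * 2)) -lt "$sent" ]; then echo "flood-like sent=$sent validated=$recv"
    else echo "legitimate-load sent=$sent validated=$recv"
    fi
}

# Constructed snapshots (a real /proc/net/netstat has many more columns).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 100 90 2 0 0
EOF
cat > "$SAMPLE_DIR/after" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 20100 130 2 0 0
EOF
syn_pressure "$SAMPLE_DIR/before" "$SAMPLE_DIR/after"
```

On a live host, copy /proc/net/netstat to a file, wait a few seconds, copy it again, and pass the two files to syn_pressure.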
Official documentation
https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
Solutions
- Increase the SYN backlog and enable SYN cookies: echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog && echo 1 > /proc/sys/net/ipv4/tcp_syncookies
- Rate-limit incoming SYN packets using iptables: iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 200 -j ACCEPT && iptables -A INPUT -p tcp --syn -j DROP (the ACCEPT rule only limits traffic when a following rule drops the SYNs that exceed it)
Ineffective attempts
Common but ineffective approaches:
- 90% failure: Disabling SYN cookies via sysctl -w net.ipv4.tcp_syncookies=0 removes flood protection, leaving the system vulnerable to real SYN flood attacks.
- 70% failure: Increasing tcp_max_syn_backlog alone without also adjusting tcp_synack_retries may not help because the backlog fills up quickly under sustained attack.