Help! kernel: TCP: drop open request from xxx.xxx.xxx.xxx

Discussion in 'Linux Networking' started by Guest, Jun 10, 2004.

  1. Guest

    Guest Guest

    I am running Red Hat 8.0 with the Apache web server and all of a sudden
    I am getting the following errors, tons of them every second, and the
    web server has slowed to a crawl and is not responding to requests. I
    restarted the system and it did not help. Does anyone know what may be going
    on and how to fix the problem? The server is a dual 1 GHz Intel system and
    gets a good deal of traffic; the kernel is 2.4.18-14smp.

    From /var/log/messages:
    ....
    Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
    Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
    Jun 9 19:20:33 wxserver5 kernel: TCP: drop open request from 148.134.65.180/2715
    Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
    Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
    Jun 9 19:20:38 wxserver5 kernel: TCP: drop open request from 10.232.131.94/4727
    Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
    Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
    Jun 9 19:20:43 wxserver5 kernel: TCP: drop open request from 148.134.212.54/1870
    Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
    Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
    Jun 9 19:20:48 wxserver5 kernel: TCP: drop open request from 10.250.19.205/1584
    .....

    All of a sudden the errors stopped, but the traffic remains fairly high.

    Mike
     
    Guest, Jun 10, 2004
    #1
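An added example, not part of the thread, that parses log lines of the shape Mike quoted and folds the kernel's "messages suppressed" counters back into an estimate of how many SYNs were actually refused, per source and per second; the sample lines are constructed from the post, and the "private source" split is an assumption about how one might separate corporate-internal clients from outside ones.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the shape of the lines quoted in the post above.
SAMPLE_LOG = """\
Jun 9 19:20:33 wxserver5 kernel: NET: 992 messages suppressed.
Jun 9 19:20:33 wxserver5 kernel: TCP: drop open request from 148.134.65.180/2715
Jun 9 19:20:38 wxserver5 kernel: NET: 994 messages suppressed.
Jun 9 19:20:38 wxserver5 kernel: TCP: drop open request from 10.232.131.94/4727
Jun 9 19:20:43 wxserver5 kernel: NET: 881 messages suppressed.
Jun 9 19:20:43 wxserver5 kernel: TCP: drop open request from 148.134.212.54/1870
Jun 9 19:20:48 wxserver5 kernel: NET: 975 messages suppressed.
Jun 9 19:20:48 wxserver5 kernel: TCP: drop open request from 10.250.19.205/1584
"""

TIME_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) ")
DROP_RE = re.compile(r"TCP: drop open request from (\d+\.\d+\.\d+\.\d+)/\d+")
SUPP_RE = re.compile(r"NET: (\d+) messages suppressed")


def summarize_drops(text):
    """Combine the visible 'drop open request' lines with the ratelimit
    'suppressed' counters into one estimate of refused SYNs."""
    visible, suppressed, per_src, times = 0, 0, Counter(), []
    for line in text.splitlines():
        t = TIME_RE.match(line)
        if t:                      # syslog timestamp -> seconds of day
            h, m, s = (int(x) for x in t.groups())
            times.append(h * 3600 + m * 60 + s)
        d = DROP_RE.search(line)
        if d:                      # one printed drop, attributed to its source
            visible += 1
            per_src[d.group(1)] += 1
            continue
        sup = SUPP_RE.search(line)
        if sup:                    # drops the kernel did not bother to print
            suppressed += int(sup.group(1))
    total = visible + suppressed
    span = max(1, max(times) - min(times)) if times else 1
    # Assumed split: RFC 1918 sources are taken to be inside the corporate net.
    private = sum(n for ip, n in per_src.items() if ip_address(ip).is_private)
    return {"visible": visible, "suppressed": suppressed,
            "estimated_total": total, "drops_per_sec": total / span,
            "distinct_sources": len(per_src), "private_source_drops": private}
```

The spread across sources is the useful signal: this message is the kernel refusing a SYN because the listen socket's SYN backlog is nearly full while syncookies are off, so drops from many unrelated addresses point at backlog exhaustion under load rather than at one misbehaving client.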

  2. Guest

    Andrew Keith Guest

    Run ifconfig; what's your txqueuelen (that's the total number of packets your
    network card can hold before dropping packets)?
    Maybe there are just too many packets coming in.

    Andrew

    PS: someone may be trying to DDoS you... how high is your traffic?
     
    Andrew Keith, Jun 10, 2004
    #2

  3. Guest

    Michael Heiming Guest

    In comp.os.linux.networking suggested:
    This is a pretty old distro kernel, probably full of
    bugs/security problems; double-check the RH errata about it. I'd
    first upgrade to the latest available and see if the problem
    persists, then use 'tcpdump' to get more info on what's going on.

    BTW, RH 8.0 is already outdated and you need to make a plan for
    upgrading the system.

    Good luck

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
     
    Michael Heiming, Jun 10, 2004
    #3
  4. Guest

    Guest Guest

    [This followup was posted to comp.os.linux.networking and a copy was sent to the cited
    author.]

    Here is my ifconfig dump for eth0:
    eth0 Link encap:Ethernet HWaddr 00:02:B3:11:BC:E9
    inet addr:162.113.108.69 Bcast:162.113.108.95 Mask:255.255.255.224
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:47938749 errors:0 dropped:0 overruns:0 frame:0
    TX packets:45417541 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:1039590368 (991.4 Mb) TX bytes:1865549550 (1779.1 Mb)
    Interrupt:18 Base address:0x5000

    The server has been up for about a day, so that's the total traffic.

    As a hopefully stop-gap measure, I turned on iptables and added the following
    entries, in the hope that if it is some sort of attack this will drop the packets.
    This server is inside a large corporate firewall, so a purposely directed attack
    is unlikely. Also, I noticed that the kernel messages indicated it was dropping packets
    from everybody's IP. This may still mean a DoS attack, I don't know. If this iptables
    config is screwy, let me know; this is what I threw together after reading some
    newsgroup messages. For what it's worth, I have not seen any kernel drop messages
    today, but that doesn't mean much because they stopped before I implemented the iptables.

    Thanks, Mike

    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]

    # Allow Pings
    -A INPUT -p icmp -j ACCEPT

    # Accept these IP ranges.
    -A INPUT -s 127.0.0.1 -j ACCEPT

    # SYN flood prevention
    # Accepts up to 5 SYN/s (burst 5); SYNs beyond the limit do not match
    # here and fall through to the per-port ACCEPT rules below.
    -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT

    # Allow Web Access
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

    # Telnet
    -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
    -A INPUT -p udp -m udp --dport 23 -j ACCEPT

    # FTP
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p udp -m udp --dport 21 -j ACCEPT

    # SSH
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m udp --dport 22 -j ACCEPT

    # LDM
    -A INPUT -p tcp -m tcp --dport 388 -j ACCEPT
    -A INPUT -p udp -m udp --dport 388 -j ACCEPT

    # NOAAPORT PAN MESSAGES
    -A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5000 -j ACCEPT

    # Additional
    # Accepts any TCP segment with the ACK bit set, regardless of conntrack state.
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -m state --state RELATED -j ACCEPT

    COMMIT
    # Completed

    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]

    COMMIT
     
    Guest, Jun 10, 2004
    #4
