The Problem
Sometimes the Linux kernel logs warning messages such as the following:
Mar 7 09:17:14 hostname kernel: TCP: Possible SYN flooding on port 26450. Sending cookies.
or
Mar 7 09:17:14 hostname kernel: TCP: Possible SYN flooding on port 26450. Dropping request.
The Solution
This is a warning message indicating that connections to the specified port are being attempted very frequently; the kernel warns that this may be a SYN flood attack (a DoS, Denial of Service, attack).
When this message is logged, the kernel either returns a SYN cookie to the client or simply drops the packet to protect itself; which of the two it does is controlled by /proc/sys/net/ipv4/tcp_syncookies.
Check the port and the network traffic to determine whether this really is a DoS attack. If no attack is confirmed, the message can be ignored. How often the message is logged is controlled by the two kernel parameters below:
/proc/sys/net/core/message_cost (default 5)
/proc/sys/net/core/message_burst (default 10)
“message_cost” is the interval, in jiffies, over which the kernel rate-limits the warning once it decides it might be under a SYN flood attack.
“message_burst” is how many times the message may be logged within one message_cost interval. Reducing this number reduces how often the message is logged.
These can be set with sysctl, even on a running production system. For example, add the following lines to /etc/sysctl.conf:
# vi /etc/sysctl.conf
net.core.message_cost = 10
net.core.message_burst = 20
and run the following command after that:
# sysctl -p
Changing these parameters does not affect system availability.
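As an added example (not part of the original article), the following Python script supports the "check the port and network traffic" step above: it parses the two kernel message variants out of a syslog excerpt, counts them per port, splits them by the kernel's response (cookie sent vs. request dropped), and lists the ports worth investigating before any rate-limit tuning. The log lines and the threshold of 2 are constructed assumptions.

```python
import re
from collections import Counter

# Matches both message variants shown above ("Sending cookies" / "Dropping request").
SYN_FLOOD_RE = re.compile(
    r"kernel: TCP: Possible SYN flooding on port (?P<port>\d+)\. "
    r"(?P<action>Sending cookies|Dropping request)\."
)

# Constructed sample syslog excerpt (not real log data), in the format shown above.
SAMPLE_LOG = """\
Mar 7 09:17:14 hostname kernel: TCP: Possible SYN flooding on port 26450. Sending cookies.
Mar 7 09:17:20 hostname kernel: TCP: Possible SYN flooding on port 26450. Sending cookies.
Mar 7 09:18:02 hostname kernel: TCP: Possible SYN flooding on port 443. Dropping request.
Mar 7 09:18:03 hostname sshd[1234]: Accepted publickey for alice from 10.0.0.5
Mar 7 09:18:05 hostname kernel: TCP: Possible SYN flooding on port 26450. Dropping request.
"""


def parse_syn_flood_events(log_text):
    """Return one (port, action) tuple per SYN-flood warning; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = SYN_FLOOD_RE.search(line)
        if match:
            events.append((int(match.group("port")), match.group("action")))
    return events


def summarize_by_port(events):
    """Count warnings per port, split by what the kernel did (cookie vs. drop)."""
    summary = {}
    for port, action in events:
        summary.setdefault(port, Counter())[action] += 1
    return summary


def ports_to_check(summary, threshold=2):
    """Ports with at least `threshold` warnings, plus any port where a request was dropped."""
    flagged = set()
    for port, counts in summary.items():
        # A dropped request means a client failed to connect, so even one deserves a look.
        if sum(counts.values()) >= threshold or counts["Dropping request"]:
            flagged.add(port)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize_by_port(parse_syn_flood_events(SAMPLE_LOG))
    for port in ports_to_check(report):
        print(f"port {port}: {dict(report[port])}")
```

On a real host, feed the script the output of `journalctl -k` or the kernel log file instead of the embedded sample.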