• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

Kernel Logs Warning Messages “kernel: Possible SYN flooding on port X. Sending cookies” is logged”

by admin

The Problem

Sometimes Linux kernel logs warning messages as followings:

Mar  7 09:17:14 hostname kernel: TCP: Possible SYN flooding on port 26450. Sending cookies.

or

Mar  7 09:17:14 hostname kernel: TCP: Possible SYN flooding on port 26450. Dropping request.

The Solution

This is a warning message, which indicates that the server is frequently attempted to connect to the specific port, and the kernel warns that this might possibly be an SYN flood attack(=DoS(Denial of Service) attack).

When this message is logged, the kernel returns a syn cookie to the client or just drops the packet for self-guard, which is controlled by /proc/sys/net/ipv4/tcp_syncookies.

Please check the port and network traffic whether it is certainly DoS attack. If no attack is confirmed, this message can be ignored. The frequency of logging the message can be controled by 2 kernel parameters below:

/proc/sys/net/core/message_cost(def=5)
/proc/sys/net/core/message_burst(def=10)

“message_cost” is “the interval(jiffies) how long the kernel decides it might be SYN flood attack”.

“message_burst” is “how frequently the message logs during message_cost”. Reducing the number can reduce the frequency of logging the message.

These can be set by sysctl even on the running production system. For example, adding lines in /etc/sysctl.conf as:

# vi /etc/sysctl.conf
net.core.message_cost = 10
net.core.message_burst = 20

and run the following command after that:

# sysctl -p

This does not affect any system availability.

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

Some more articles you might also be interested in …

  1. if Command Examples in Linux
  2. readpe Command Examples in Linux
  3. Interview Questions : Linux Package Manager (RPM)
  4. ‘nestat -s’ showing a large number for “packet reassembles failed” errors in CentOS/RHEL
  5. SSH Connection Refused by TCP Wrapper
  6. Features of the “Btrfs” Filesystem
  7. Replacing a Failed Mirror Disk in a Software RAID Array (mdadm)
  8. How to Reserve a Port Range for a Third Party Application in CentOS/RHEL
  9. treetime: command not found
  10. apt Command Examples in Linux

You May Also Like

Primary Sidebar

Recent Posts

  • cf: Command-line tool to manage apps and services on Cloud Foundry
  • certutil: Manage keys and certificates in both NSS databases and other NSS tokens
  • cdk: A CLI for AWS Cloud Development Kit (CDK)
  • cd: Change the current working directory

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright