ESTABLISHED Connection Spike (OT?)

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: ESTABLISHED Connection Spike (OT?)
From: Jacob Coby <jcoby@xxxxxxxxxxxxxxx>
Date: Fri, 29 Jul 2005 17:24:54 -0400
Hi all,

I've got an IP addr that, on occasion, takes up a mass of connections and leaves them in an ESTABLISHED state. The IP addr is of a business that uses our website, but it's causing a DOS of sorts. I don't know if this is a bug in LVS or not. Any pointers are appreciated.

ipvsadm v1.21 2002/07/09 (compiled with popt and IPVS v1.0.4)
redhat 7.3

1. Connections jump from 50-100 up to 300-600.
2. A single IP address takes up 80-90% of those connections.
3. All of the connections from that ip address are in the ESTABLISHED state.
4. Very few of them are actually sending/receiving data (when using tcpdump -xX -s 1024 "host bad.ip.addr"). I see a few packets with the F and S flags set.

Because these are all ESTABLISHED connections to our website, they're taking up an apache process, and eventually locking everyone else out.

Any ideas?  snort logs don't show anything malicious from the ip.
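
The symptom described in the message above (one client holding most of the ESTABLISHED entries) can be confirmed on the director from the IPVS connection table. The following is an added example, not part of the original post: it assumes the six-column layout printed by `ipvsadm -L -n -c`, and the function names, thresholds and sample addresses are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the layout of `ipvsadm -L -n -c` (documentation addresses).
SAMPLE = "\n".join(
    ["IPVS connection entries",
     "pro expire state       source             virtual            destination"]
    + [f"TCP 14:5{i}  ESTABLISHED 203.0.113.7:4011{i}  192.0.2.10:80      10.0.0.11:80"
       for i in range(8)]
    + ["TCP 14:40  ESTABLISHED 198.51.100.23:5301 192.0.2.10:80      10.0.0.12:80",
       "TCP 13:02  ESTABLISHED 198.51.100.44:6120 192.0.2.10:80      10.0.0.11:80",
       "TCP 01:10  FIN_WAIT    203.0.113.7:40990  192.0.2.10:80      10.0.0.12:80",
       "TCP 00:45  TIME_WAIT   198.51.100.23:5290 192.0.2.10:80      10.0.0.12:80"]
)


def parse_conns(text):
    """Yield (state, client_ip) per TCP entry; headers and malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "TCP":
            continue
        # The source column is ip:port; split on the last colon only.
        yield fields[2], fields[3].rsplit(":", 1)[0]


def hogs(text, state="ESTABLISHED", min_share=0.5, min_conns=5):
    """Return [(client_ip, count, share)] for clients holding at least
    min_share of all connections in `state` and at least min_conns of them."""
    counts = Counter(ip for st, ip in parse_conns(text) if st == state)
    total = sum(counts.values())
    return [(ip, n, round(n / total, 2))
            for ip, n in counts.most_common()
            if n >= min_conns and n / total >= min_share]


if __name__ == "__main__":
    for ip, n, share in hogs(SAMPLE):
        print(f"{ip} holds {n} ESTABLISHED connections ({share:.0%} of total)")
```

Run periodically against live `ipvsadm -L -n -c` output, this gives a timestamped record of when a single source crosses the threshold, which can then be lined up with the tcpdump capture and the Apache process count.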


