|
Hi all,
I've got an IP addr that, on occassion, takes up a mass of connections
and leaves them in an ESTABLISHED state. The IP addr is of a business
that uses our website, but it's causing a DOS of sorts. I don't know if
this is a bug in LVS or not. Any pointers are appreciated.
Software:
ipvsadm v1.21 2002/07/09 (compiled with popt and IPVS v1.0.4)
kernel-2.4.20-28.7.um.3
redhat 7.3
Symptoms:
1. Connections jump from 50-100 up to 300-600.
2. A single IP address takes up 80-90% of those connections.
3. All of the connections from that ip address are in the ESTABLISHED state.
4. Very few of them are actually sending/receiving data (when using
tcpdump -xX -s 1024 "host bad.ip.addr"). I see a few packets with the
F and S flags set.
Because these are all ESTABLISHED connections to our website, they're
taking up an apache process, and eventually locking everyone else out.
Any ideas? snort logs don't show anything malicious from the ip.
Thanks,
--
-Jacob
|
