> > If I make 10000 rapid connections/selects/disconnections to mysql on this
> > server, I get like 1 TW after around 3000, another TW around 6000 and another TW
> > around 9000... That makes 3 TWs only. And they last 60 seconds...
> In your testing is the source IP the same for all with just different
> source port? Or are you varying your source IP as well? I don't know
> what spoofing smarts are in the kernel to detect SYN/ACK attacks.
The source was the same on both servers (the one with thousands of TWs and the one with 3 TWs).
> Are you running Shorewall or any similar tool that will detect SYN/ACK
> attacks and might be seeing this 'test' as an attack to limit?
No shorewall and no iptables rules.
> > When I googled for it, many people were pointing to the tcp_fin_timeout value
> ... Is it really related to TWs?
> Well, yes. How long do you let a TW sit around waiting for a proper FIN
> or even a RST? Read the TCP RFC as to why there is a TW in the state
> machine. Boy has it been years since I cracked that one open...
I read about the connection handshake but I do not really see why setting the FIN_WAIT timeout would also set the TIME_WAIT timeout to the same value... And I tried setting it to 30s and TWs still lasted 60s.
Thx,
JD
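An added example, not part of the thread above: a small script that parses /proc/net/tcp (the same data `netstat`/`ss` read) and counts sockets per state, filtered to the peer port you care about, so that TIME_WAIT entries toward MySQL can be counted on both servers with the same tool. It is a useful check here because on Linux the TIME_WAIT length is the compile-time constant TCP_TIMEWAIT_LEN (60 s) in include/net/tcp.h, while tcp_fin_timeout only bounds how long an orphaned socket may sit in FIN_WAIT2; the state codes below are the kernel's (include/net/tcp_states.h). The embedded SAMPLE is constructed, and its hex addresses assume a little-endian host as the kernel prints them; the function names are my own.

```python
"""Count TCP socket states from /proc/net/tcp, e.g. TIME_WAIT toward MySQL (3306)."""
from __future__ import annotations

import socket
import struct
from collections import Counter
from pathlib import Path

# Socket state codes as printed in the 'st' column (include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


def parse_hex_addr(field: str) -> tuple[str, int]:
    """'0100007F:0CEA' -> ('127.0.0.1', 3306).

    The IPv4 address is the 32-bit in-memory word printed in host byte order,
    so repack it with native endianness before inet_ntoa; the port is plain hex.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Return one dict per socket line (the first line is the column header)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 4:
            continue
        local_ip, local_port = parse_hex_addr(f[1])
        remote_ip, remote_port = parse_hex_addr(f[2])
        rows.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
        })
    return rows


def count_states(rows: list[dict], remote_port: int | None = None) -> Counter:
    """Histogram of states; with remote_port set, only sockets whose peer port
    matches are counted (3306 shows the client-side TIME_WAITs toward MySQL)."""
    return Counter(r["state"] for r in rows
                   if remote_port is None or r["remote"][1] == remote_port)


def live_snapshot(path: str = "/proc/net/tcp") -> list[dict]:
    """Parse the live table, or return [] on a host without procfs."""
    p = Path(path)
    return parse_proc_net_tcp(p.read_text()) if p.exists() else []


# Constructed sample (not captured from either server in the thread): one
# listener on 3306, three TIME_WAIT and one ESTABLISHED client socket toward
# 3306, and one TIME_WAIT toward port 80 that the 3306 filter must exclude.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:D4A8 0100007F:0CEA 06 00000000:00000000 03:00000E0E 00000000     0        0 0 3 0000000000000000
   2: 0100007F:D4AA 0100007F:0CEA 06 00000000:00000000 03:00000E10 00000000     0        0 0 3 0000000000000000
   3: 0100007F:D4AC 0100007F:0CEA 06 00000000:00000000 03:00000E12 00000000     0        0 0 3 0000000000000000
   4: 0100007F:D4B0 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   5: 0100007F:D4B2 0100007F:0050 06 00000000:00000000 03:00000E14 00000000     0        0 0 3 0000000000000000
"""

if __name__ == "__main__":
    print("sample, peer port 3306:", dict(count_states(parse_proc_net_tcp(SAMPLE), 3306)))
    live = live_snapshot()
    if live:
        print("this host, peer port 3306:", dict(count_states(live, 3306)))
```

Run it on each server during the 10000-connection test; a client that closes first owns the TIME_WAIT, so if the count stays near zero on one box while the other fills up, look at which side is sending the first FIN rather than at tcp_fin_timeout. `ss -tano state time-wait` shows the remaining timer per entry, which is what the 'tm->when' column encodes in jiffies.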