[CentOS] database node / possible SYN flooding on port 3306

Sat Jul 21 10:48:52 UTC 2018
Leon Fauster <leonfauster at googlemail.com>

> Am 20.07.2018 um 18:52 schrieb Nataraj <incoming-centos at rjl.com>:
> 
> On 07/20/2018 03:56 AM, Leon Fauster via CentOS wrote:
>> Hi folks,
>> 
>> I have here a database node running
>> 
>> # rpm -qa | grep mysql-server
>> mysql55-mysql-server-5.5.52-1.el6.x86_64
>> 
>> on
>> 
>> # virt-what 
>> vmware
>> 
>> 
>> that seems to have a connection problem:
>> 
>> # dmesg |grep SYN |tail -5
>> possible SYN flooding on port 3306. Sending cookies.
>> possible SYN flooding on port 3306. Sending cookies.
>> possible SYN flooding on port 3306. Sending cookies.
>> possible SYN flooding on port 3306. Sending cookies.
>> possible SYN flooding on port 3306. Sending cookies.
>> 
>> 
>> I adapted already following:
>> 
>> # sysctl -a |grep -E 'maxconn|syn_backlog'
>> net.core.somaxconn = 2048
>> net.ipv4.tcp_max_syn_backlog = 2048
>> 
>> 
>> but ListenOverflows and ListenDrops values are still high
>> 
>> # cat /proc/net/netstat | awk '{print $21 "-" $22 }'
>> ListenOverflows-ListenDrops
>> 13568-13568
>> 
>> any suggestion? 
> 
> Use tools like tcpdump/wireshark and further examination of logfiles to
> determine where your attack is coming from, i.e. single IP address or
> multiple ip addresses (BOT attack).
> 
> If attack is impairing your Internet service, contact your ISP.  Most
> decent ISP's should deal with this situation for you.
> 
> If attack is not impairing your service and you choose to deal with it
> yourself, then, if from a fixed IP address block that IP from your
> firewall if you have one, otherwise, use IPtables on the server.  If
> you're having bot attacks, or blocking attack causes source IP address to
> be changed, then look at fail2ban.  Basically you want to configure
> fail2ban to limit the number of requests per unit of time and block IPs
> that exceed that.  Also, consider whether your database needs to be
> publicly accessible from the Internet.


Actually the database node is a backend system in a private network, so "all" 
traffic is legitimate. The main traffic comes from the web node (cms/php). Resources 
of the db node seem all to be okay (cpu/mem/load). So I do not see any bottleneck ... 

--
LF
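Added example, not part of the thread or of any poster's words: a small POSIX sh script that reads the listen-socket counters from a /proc/net/netstat-style file by counter name (the awk '$21 "-" $22' one-liner in the original post depends on the column order of one kernel version), tells overflow drops apart from other drops, and computes the accept-queue limit the kernel really enforces. listen() clamps the backlog an application passes to net.core.somaxconn, so raising the sysctl alone has no effect if the application still asks for a small backlog; for mysqld that is the back_log variable (default 50 in MySQL 5.5). The sample file is constructed; its values mirror the counters in the post, and its header order is the one assumed for an el6-era kernel. Function names and the "none / all-overflow / mixed" classification are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: read listen-socket counters from
# /proc/net/netstat by name and show the accept-queue limit the kernel
# enforces. The sample file below is constructed.

# netstat_counter FILE NAME
# /proc/net/netstat gives each protocol as a header line followed by a value
# line ("TcpExt: Name1 Name2 ..." then "TcpExt: v1 v2 ..."). Column positions
# move between kernel versions, so look the counter up by name instead of
# hard-coding an awk field number.
netstat_counter() {
    awk -v name="$2" '
        $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) col[$i] = i; seen = 1; next }
        $1 == "TcpExt:" && seen  { if (name in col) print $(col[name]); exit }
    ' "$1"
}

# effective_backlog SOMAXCONN APP_BACKLOG
# listen(fd, backlog) is clamped to net.core.somaxconn, so the accept queue
# can never be larger than the smaller of the two values
# (mysqld passes its back_log variable; MySQL 5.5 defaults it to 50).
effective_backlog() {
    if [ "$2" -lt "$1" ]; then echo "$2"; else echo "$1"; fi
}

# drop_breakdown FILE
# ListenDrops counts every SYN dropped on a listening socket; ListenOverflows
# counts the subset dropped because the accept queue was full. Prints "none",
# "all-overflow" (every drop was a full accept queue: the application is not
# accept()ing fast enough or its listen backlog is too small) or "mixed".
drop_breakdown() {
    drops=$(netstat_counter "$1" ListenDrops)
    overflows=$(netstat_counter "$1" ListenOverflows)
    if [ "${drops:-0}" -eq 0 ]; then
        echo none
    elif [ "${overflows:-0}" -eq "$drops" ]; then
        echo all-overflow
    else
        echo mixed
    fi
}

# Constructed sample in /proc/net/netstat layout. The header order assumed
# here is the el6-era one, which is why ListenOverflows/ListenDrops land in
# awk fields $21/$22 on such a kernel.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts PruneCalled RcvPruned OfoPruned OutOfWindowIcmps LockDroppedIcmps ArpFilter TW TWRecycled TWKilled PAWSPassive PAWSActive PAWSEstab DelayedACKs DelayedACKLocked DelayedACKLost ListenOverflows ListenDrops TCPPrequeued
TcpExt: 1234 1200 0 0 0 0 0 0 0 0 7 0 0 0 0 0 9 0 0 13568 13568 0
IpExt: InNoRoutes InTruncatedPkts InMcastPkts
IpExt: 0 0 0
EOF

for c in SyncookiesSent ListenOverflows ListenDrops; do
    printf '%-16s %s\n' "$c" "$(netstat_counter "$SAMPLE" "$c")"
done
printf 'drop breakdown:  %s\n' "$(drop_breakdown "$SAMPLE")"
printf 'accept queue:    %s (somaxconn=2048, back_log=50)\n' "$(effective_backlog 2048 50)"

# On a live host, point the same functions at the real file, e.g.:
#   drop_breakdown /proc/net/netstat
#   netstat_counter /proc/net/netstat ListenOverflows
```

Run it twice a minute apart on the host and compare the counters: a rising ListenOverflows with an equal ListenDrops points at the accept queue (application backlog or accept rate), while SyncookiesSent rising on its own is the SYN backlog filling, which is what the "possible SYN flooding" message reports.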