From: Willy Tarreau <willy@w.ods.org>
To: Peter Zaitsev <peter@mysql.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Wolfpaw - Dale Corse <admin@wolfpaw.net>,
linux-kernel@vger.kernel.org
Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service
Date: Sun, 12 Sep 2004 08:56:08 +0200 [thread overview]
Message-ID: <20040912065608.GC1444@alpha.home.local> (raw)
In-Reply-To: <1094970424.29211.489.camel@sphere.site>
Hi Peter,
On Sat, Sep 11, 2004 at 11:27:05PM -0700, Peter Zaitsev wrote:
> I do not care about TIME_WAIT connection on client site itself, what
> concerns me is, until connection is not fully closed server side does
> not seems to be informed connection is dead and so server resources are
> not deallocated.
>
> Any ideas ?
TIME_WAIT status does not eat much resource, since they're in a separate
list. I've already had several *millions* of while stressing some equipment,
and I can assure you that it's really not a problem as long as you increase
your tcp_max_tw_buckets accordingly. There is even no performance impact
(I could still get 40000 hits/s with this number of time-waits). As David
said, the connection has been closed when it enters TIME_WAIT, so it has
been detached from apache.
I think you confuse it with CLOSE_WAIT. This is a very common case on web
servers when the client does not support HTTP keep-alive and does a
shutdown(WRITE) after sending its request. The server receives the FIN, and
passes from ESTABLISHED to CLOSE_WAIT during all the time it sends its data
to the client, then closes the connection, making it TIME_WAIT.
TIME_WAIT state is more annoying on the client side (eg when your apache
is a reverse proxy), because by default you can run out of source ports.
But you can increase the local source port range (ip_local_port_range),
decrease the FIN timeout which also happens to control TIME_WAIT timeout,
and even force tcp_tw_reuse to 1 to let the system reallocate an old
connection which was sitting in TIME_WAIT.
Hoping this helps,
Willy
next prev parent reply other threads:[~2004-09-12 6:57 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <022601c49866$9e8aa8f0$0300a8c0@s>
2004-09-12 2:45 ` Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service Wolfpaw - Dale Corse
2004-09-12 3:47 ` David S. Miller
2004-09-12 6:27 ` Peter Zaitsev
2004-09-12 6:56 ` Willy Tarreau [this message]
2004-09-12 7:11 ` Peter Zaitsev
2004-09-13 17:46 ` Ron DuFresne
[not found] <026001c4989c$e2bddbb0$0300a8c0@s>
2004-09-12 9:24 ` Wolfpaw - Dale Corse
2004-09-12 10:36 ` Willy Tarreau
[not found] <025e01c4989c$ba5f62b0$0300a8c0@s>
2004-09-12 9:10 ` Wolfpaw - Dale Corse
2004-09-11 21:41 Wolfpaw - Dale Corse
2004-09-12 1:12 ` David S. Miller
2004-09-14 9:00 ` Ivan Groenewald
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040912065608.GC1444@alpha.home.local \
--to=willy@w.ods.org \
--cc=admin@wolfpaw.net \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=peter@mysql.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.