From: Peter Zaitsev <peter@mysql.com>
To: Willy Tarreau <willy@w.ods.org>
Cc: "David S. Miller" <davem@davemloft.net>,
Wolfpaw - Dale Corse <admin@wolfpaw.net>,
linux-kernel@vger.kernel.org
Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service
Date: Sun, 12 Sep 2004 00:11:30 -0700 [thread overview]
Message-ID: <1094973089.29211.507.camel@sphere.site> (raw)
In-Reply-To: <20040912065608.GC1444@alpha.home.local>
On Sat, 2004-09-11 at 23:56, Willy Tarreau wrote:
> Hi Peter,
>
> On Sat, Sep 11, 2004 at 11:27:05PM -0700, Peter Zaitsev wrote:
>
> > I do not care about TIME_WAIT connection on client site itself, what
> > concerns me is, until connection is not fully closed server side does
> > not seems to be informed connection is dead and so server resources are
> > not deallocated.
> >
> > Any ideas ?
>
> TIME_WAIT status does not eat much resource, since they're in a separate
> list. I've already had several *millions* of while stressing some equipment,
> and I can assure you that it's really not a problem as long as you increase
> your tcp_max_tw_buckets accordingly. There is even no performance impact
> (I could still get 40000 hits/s with this number of time-waits). As David
> said, the connection has been closed when it enters TIME_WAIT, so it has
> been detached from apache.
Once again,
I do not care about resources on Client side (Apache/PHP). My concern is
Server side (MySQL). MySQL will close connection after timeout, which
is normally large (hours) to support interactive clients, or when it is
informed socket is closed. This last part is getting very delayed,
300+ seconds for some reason.
>
> I think you confuse it with CLOSE_WAIT. This is a very common case on web
> servers when the client does not support HTTP keep-alive and does a
> shutdown(WRITE) after sending its request. The server receives the FIN, and
> passes from ESTABLISHED to CLOSE_WAIT during all the time it sends its data
> to the client, then closes the connection, making it TIME_WAIT.
I'm not speaking about HTTP server in this case at all but about
Apache/PHP to MySQL part only.
It is quite typical for each page load to establish connection so we can
end up with pretty large number of connections.
To be honest I can't truly explain exactly when this happens - in many
cases I can see connections closed on the server as soon as client
closes them, in other cases they are dangling for quite a time.
--
Peter Zaitsev, Senior Support Engineer
MySQL AB, www.mysql.com
next prev parent reply other threads:[~2004-09-12 7:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <022601c49866$9e8aa8f0$0300a8c0@s>
2004-09-12 2:45 ` Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service Wolfpaw - Dale Corse
2004-09-12 3:47 ` David S. Miller
2004-09-12 6:27 ` Peter Zaitsev
2004-09-12 6:56 ` Willy Tarreau
2004-09-12 7:11 ` Peter Zaitsev [this message]
2004-09-13 17:46 ` Ron DuFresne
[not found] <026001c4989c$e2bddbb0$0300a8c0@s>
2004-09-12 9:24 ` Wolfpaw - Dale Corse
2004-09-12 10:36 ` Willy Tarreau
[not found] <025e01c4989c$ba5f62b0$0300a8c0@s>
2004-09-12 9:10 ` Wolfpaw - Dale Corse
2004-09-11 21:41 Wolfpaw - Dale Corse
2004-09-12 1:12 ` David S. Miller
2004-09-14 9:00 ` Ivan Groenewald
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1094973089.29211.507.camel@sphere.site \
--to=peter@mysql.com \
--cc=admin@wolfpaw.net \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=willy@w.ods.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox