From: Willy Tarreau <willy@w.ods.org>
To: Peter Zaitsev <peter@mysql.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Wolfpaw - Dale Corse <admin@wolfpaw.net>,
linux-kernel@vger.kernel.org
Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service
Date: Sun, 12 Sep 2004 08:56:08 +0200 [thread overview]
Message-ID: <20040912065608.GC1444@alpha.home.local> (raw)
In-Reply-To: <1094970424.29211.489.camel@sphere.site>
Hi Peter,
On Sat, Sep 11, 2004 at 11:27:05PM -0700, Peter Zaitsev wrote:
> I do not care about TIME_WAIT connection on client site itself, what
> concerns me is, until connection is not fully closed server side does
> not seems to be informed connection is dead and so server resources are
> not deallocated.
>
> Any ideas ?
TIME_WAIT status does not eat much resource, since they're in a separate
list. I've already had several *millions* of while stressing some equipment,
and I can assure you that it's really not a problem as long as you increase
your tcp_max_tw_buckets accordingly. There is even no performance impact
(I could still get 40000 hits/s with this number of time-waits). As David
said, the connection has been closed when it enters TIME_WAIT, so it has
been detached from apache.
I think you confuse it with CLOSE_WAIT. This is a very common case on web
servers when the client does not support HTTP keep-alive and does a
shutdown(WRITE) after sending its request. The server receives the FIN, and
passes from ESTABLISHED to CLOSE_WAIT during all the time it sends its data
to the client, then closes the connection, making it TIME_WAIT.
TIME_WAIT state is more annoying on the client side (eg when your apache
is a reverse proxy), because by default you can run out of source ports.
But you can increase the local source port range (ip_local_port_range),
decrease the FIN timeout which also happens to control TIME_WAIT timeout,
and even force tcp_tw_reuse to 1 to let the system reallocate an old
connection which was sitting in TIME_WAIT.
Hoping this helps,
Willy
next prev parent reply other threads:[~2004-09-12 6:57 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <022601c49866$9e8aa8f0$0300a8c0@s>
2004-09-12 2:45 ` Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service Wolfpaw - Dale Corse
2004-09-12 3:47 ` David S. Miller
2004-09-12 6:27 ` Peter Zaitsev
2004-09-12 6:56 ` Willy Tarreau [this message]
2004-09-12 7:11 ` Peter Zaitsev
2004-09-13 17:46 ` Ron DuFresne
[not found] <026001c4989c$e2bddbb0$0300a8c0@s>
2004-09-12 9:24 ` Wolfpaw - Dale Corse
2004-09-12 10:36 ` Willy Tarreau
[not found] <025e01c4989c$ba5f62b0$0300a8c0@s>
2004-09-12 9:10 ` Wolfpaw - Dale Corse
2004-09-11 21:41 Wolfpaw - Dale Corse
2004-09-12 1:12 ` David S. Miller
2004-09-14 9:00 ` Ivan Groenewald
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040912065608.GC1444@alpha.home.local \
--to=willy@w.ods.org \
--cc=admin@wolfpaw.net \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=peter@mysql.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox