From owner-freebsd-questions@FreeBSD.ORG Tue Oct 13 21:51:34 2009
From: Michael Powell
Reply-To: nightrecon@hotmail.com
To: freebsd-questions@freebsd.org
Subject: Re: How can I get >100 connections in FIN_WAIT_2 state from the same IP?
Date: Tue, 13 Oct 2009 17:50 -0400
References: <4AD4B9EA.5070304@optiksecurite.com>
List-Id: User questions

Chuck Swiger wrote:

> On Oct 13, 2009, at 10:33 AM, Martin Turgeon wrote:
>> I would like to know if anyone knows the reason why I get a lot of
>> connections (more than 100) from the same IP in FIN_WAIT_2 state.
>
> That IP is probably running a web proxy or possibly some kind of
> spider. It could also be malicious, trying to exploit webserver
> vulnerabilities, etc-- search your logs for that IP and see what it is
> doing.
>
>> In this case the connections are on port 80. Is it a problem with the
>> client's browser or OS? Is it possible that some mobile devices
>> don't close their connections correctly to save bandwidth and battery?
>
> Yes, it's not uncommon for various platforms to simply drop
> connections rather than closing them properly. You can run tcpdrop to
> forcibly get rid of them, but they should time out within a few
> minutes anyway. If you believe the remote IP is being abusive,
> consider firewalling it....
>

This is also common from the differences in TCP/IP stacks across various
platforms. Windows, Linux, Solaris, etc. are all slightly different in this
regard. If you're running a web server you can set the following in
/etc/sysctl.conf in an attempt to mitigate. Don't know if the timeout
period can be altered.

net.inet.tcp.fast_finwait2_recycle=1

This won't stop it from happening but it will trim the pool down some.

-Mike
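Before reaching for tcpdrop or a firewall rule it helps to confirm that one peer really does own most of the FIN_WAIT_2 sockets. The script below is an added example, not code from the thread: it tallies netstat output per remote host and flags peers above a threshold. It assumes FreeBSD's `netstat -an -p tcp` column layout (foreign address as host.port, state in the last column) and runs on a constructed sample so it works offline.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `netstat -an -p tcp` output; not real data,
# just enough rows (tcp4, tcp6, a listener, mixed states) to exercise the parser.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51235     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51236     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.9.40001      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.9.40002      FIN_WAIT_2
tcp6       0      0 2001:db8::10.80        2001:db8:1::5.60000    FIN_WAIT_2
tcp4       0      0 *.80                   *.*                    LISTEN'

# Count connections per remote host that are in the TCP state given as $1.
# Reads netstat output on stdin; prints "count host" lines, highest first.
count_state_by_peer() {
    awk -v want="$1" '
        $1 ~ /^tcp/ && $NF == want {
            peer = $5
            sub(/\.[^.]*$/, "", peer)   # strip the trailing .port (works for v4 and v6)
            n[peer]++
        }
        END { for (p in n) print n[p], p }
    ' | sort -rn
}

# Peers holding at least $1 sockets in FIN_WAIT_2 (the thread's figure is >100;
# the sample uses 3). Reads netstat output on stdin.
finwait2_offenders() {
    count_state_by_peer FIN_WAIT_2 | awk -v thr="$1" '$1 >= thr'
}

# Demo on the constructed sample; on a live host use:
#   netstat -an -p tcp | finwait2_offenders 100
printf '%s\n' "$SAMPLE_NETSTAT" | finwait2_offenders 3
```

The remaining sockets for a flagged peer can then be checked against the web server's access log for that address, as Chuck suggests, before deciding between waiting for the timeout, tcpdrop, or a firewall rule.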