Date: Tue, 13 Oct 2009 17:50 -0400
From: Michael Powell <nightrecon@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: How can I get >100 connections in FIN_WAIT_2 state from the same IP?
Message-ID: <hb2skn$scs$1@ger.gmane.org>
References: <4AD4B9EA.5070304@optiksecurite.com> <B20ABCEA-21D4-47D6-8465-1C82D3F4EAA3@mac.com>

Chuck Swiger wrote:

> On Oct 13, 2009, at 10:33 AM, Martin Turgeon wrote:
>> I would like to know if anyone knows the reason why I get a lot of
>> connections (more than 100) from the same IP in FIN_WAIT_2 state.
>
> That IP is probably running a web proxy or possibly some kind of
> spider. It could also be malicious, trying to exploit webserver
> vulnerabilities, etc-- search your logs for that IP and see what it is
> doing.
>
>> In this case the connections are on port 80. Is it a problem with the
>> client's browser or OS? Is it possible that some mobile devices
>> don't
>> close their connections correctly to save bandwidth and battery?
>
> Yes, it's not uncommon for various platforms to simply drop
> connections rather than closing them properly. You can run tcpdrop to
> forcibly get rid of them, but they should time out within a few
> minutes anyway. If you believe the remote IP is being abusive,
> consider firewalling it....
>

This is also common from the differences in TCP/IP stacks across various
platforms. Windows, Linux, Solaris, etc. are all slightly different in this
regard.

If you're running a web server you can set the following in /etc/sysctl.conf
in an attempt to mitigate. Don't know if the timeout period can be altered.

    net.inet.tcp.fast_finwait2_recycle=1

This won't stop it from happening but it will trim the pool down some.

-Mike
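
Added example, not part of the original message: a POSIX shell function that counts FIN_WAIT_2 sockets per remote address on one local port, so the addresses worth looking up in the web server logs stand out. The function names, the threshold argument and the sample netstat lines are constructed for illustration; the parsing assumes FreeBSD's `netstat -an` layout.

```shell
#!/bin/sh
# Added example: count FIN_WAIT_2 sockets per remote address.
# Expects FreeBSD `netstat -an -p tcp` output, where the port is appended
# to the address with a dot (e.g. 198.51.100.7.51234).

# finwait2_by_ip MIN [PORT]
# Reads netstat output on stdin and prints "count address" for every remote
# address holding at least MIN FIN_WAIT_2 sockets on local PORT (default 80).
finwait2_by_ip() {
    awk -v min="$1" -v port="${2:-80}" '
        $1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
            laddr = $4; raddr = $5
            if (laddr !~ ("\\." port "$")) next   # other local service
            sub(/\.[0-9]+$/, "", raddr)           # drop the remote port
            count[raddr]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -rn
}

# Constructed sample input (documentation addresses, not real traffic).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51235     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51236     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51237     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51238     ESTABLISHED
tcp4       0      0 192.0.2.10.22          198.51.100.7.40022     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.9.60001      FIN_WAIT_2
tcp6       0      0 2001:db8::10.80        2001:db8::99.40000     FIN_WAIT_2
tcp4       0      0 *.80                   *.*                    LISTEN
EOF
}

# Report addresses with three or more FIN_WAIT_2 sockets on port 80.
sample_netstat | finwait2_by_ip 3
```

On a live host the input would be `netstat -an -p tcp | finwait2_by_ip 100`, matching the "more than 100" figure from the question.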