Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : A lot of SYN_RECV connections

[supiiik]

I'm running webserver on centos5.4 with new 2.6.33.1 kernel. My problem is a lot of apache processes with "..reading.." request (10-15% requests are in ..reading.. status). I think, that problem are TCP connections in SYN_RECV status:
netstat -na | wc -l : 19000
netstat -na | grep SYN_RECV | wc -l : 180
There is always around 0,5-1% connections in SYN_RECV and I'm sure, that it's not DoS/DDoS attack! Could it be problem of new kernel? Or network problem?
Server is very fast and apache handle almost all request very fast but sometime it takes around 10s to handle request (process in ..reading.. state), it's clearly random, not only one IP or group of IPs. Could it problem of any limit in linux?
Server: i7 920, 24GB RAM, 100mbps

Sorry for my bad english...

[UNIXy]

The SYN_RECV count seems to be reasonable considering the number of active connections on your server. Try to strace the apache process that's doing this and see where it is at.

Regards
Joe / UNIXY

[supiiik]

10 days ago I've move my web site to the new datacenter and new server and since this time it is happening. Before there was usually around 20 connections in SYN_RECV.

It's very hard to catch (strace) problematic apache process, because there are many processes and while I write strace command, process finish problematic request and continue correctly

WCC.RW_.C.R_CC_WWCCW_RCCCWC_WC_CC._WR_W_C__WWW_CR_C_W_RRCW_RRRRW
WCWC_WCW_C_WC_WW_WCCCC_WCW__CC_CCRC__CW__WC_CWCWW_WCC_W_CCRCRCCC
CWCW___CRC_W_C.W_WW__CWRC_W....W.R.R.C_RW_W......W.._..._.W..WWR
..W.RR._.RR_..WC.W._CRWCC__C._C_._C.C_W.W..RCCWC..W.RW.CC_WW.R..
...............W................................................
................................................................
................................................................
................................................................

[rickb12]

I recommend installing CSF Firewall (http://configserver.com/cp/csf.html) and enabling connection tracking. This might work as a stopgap for when you're not in front of a terminal.

[supiiik]

Quote:

Originally Posted by ReadyRick

I recommend installing CSF Firewall (http://configserver.com/cp/csf.html) and enabling connection tracking. This might work as a stopgap for when you're not in front of a terminal.

I have CSF already installed, but I have not a problem with unwanted connections, server is not under attack. I'd like to speed up connections, which are in SYN_RECV state. These connections are in this state for a long time (avg 10s) and it is slowing down some request on the web server. Or maybe the problem is doing apache (v2.2.15), I don't know