SYN Attack, SYN-RECEIVED Exceeded Maximum.
(Last modified: 24Mar2003)
This document (10007807) is provided subject to the disclaimer at the end of this document.
fact
Novell GroupWise 5.2
symptom
SYN Attack, SYN-RECEIVED Exceeded Maximum.
Error: "TCPIP-4.0-235: Number of connections in SYN-RECEIVED state on port 25 (any port such as 1677 or 7100) has exceeded the maximum (5) allowed by the application."
cause
All socket applications (i.e., applications using the CLIB interface) use a listen() function to receive incoming connections. There is a backlog parameter associated with this listen() call that specifies how many incoming connections can be queued before being processed by calls to accept() the connection. The default backlog value is 5, which means that the TCP/IP stack will start dropping TCP SYN requests once 5 connection requests are sitting in the backlog. Once the TCP/IP stack (v4.00e and greater) has to do this, it will return the above message. This message will NOT cause any problems because the TCP client will simply resend the request after a certain interval (default 1 second).
fix
Looking at the TCPCON -> TCP statistics, users will see that the "attempts failed" connections parameter will increase every time a new SYN request arrives and the backlog queue is at 5, whether we are using the newer or older stacks.
In many situations, a backlog value of 5 will be more than enough. However, TCP applications that receive a large number of TCP SYN requests may encounter the above message due to excess load. If the backlog queue is full and the above message is returned, the chances are that the server is too slow to process the large number of incoming SYN requests. In this case, verify the following:
1. Verify that server utilization is not too high.
2. Verify that the TCP connections shown in TCPCON -> PROTOCOLS -> TCP connections are all in valid states (the listening ports should show a state of "listen").
3. Check whether the TCP server application (e.g., GroupWise, NetWare/IP) has tunable parameters that allow you to increase the maximum number of TCP connections that may be established at once. Increase the number of connections so that more threads are available to handle incoming requests.
4. Check for ICMP errors that would point to network problems.
5. Check for IP local errors that would point to memory problems (i.e., the connections could be taking memory without returning it correctly to the OS).
6. Check for IP fragmentation/reassembly issues, which can heavily overload the stack.
7. Check TCP stats for retransmissions, errors, etc.
These will help point out potential problems with the TCP/IP stack.
The SYN Attack defense built into the stack cannot differentiate a heavily loaded server (where the SYNs arrive at a rapid pace that fills the backlog queue of the socket) from a box that is actually under SYN attack. Most customers are not being SYN attacked, but it is highly possible that the backlogs are getting jammed due to high demand.
The limit of half-open connections has been increased from 5 to 32 in GroupWise 5.2 Support Pack 2 (GW52SP2.EXE). This means that after applying the GroupWise 5.2 Support Pack 2, the SYN attack routine will not be triggered until there are 32 half-open connections rather than 5 with the previous GroupWise limit.
When there is a lot of traffic or the link is very slow this problem can occur. Usually, the speed of the data or the lack of resources is the cause for the connection to fail.
SUGGESTIONS:
- Exit the GroupWise NLMs, unload the LAN (NIC) driver, reload the LAN driver, and enter REINITIALIZE SYSTEM at the console prompt. Reloading the GroupWise NLMs may reestablish the connections if you are getting SYN Attack errors on the POA. Also, make sure you are on the latest NLMs. This will only temporarily alleviate the problem.
- If the port is 25 (probably the SMTP gateway), increase the daemon threads in the gateway's configuration (GWSMTP.CFG). Increasing either the gateway's receive (/RD) or send (/SD) threads can alleviate this problem, since the receive threads can steal send threads.
- If the port is 7100 (probably the MTA), increase the /tcpwaitdata and /tcpwaitconnect values. The values depend on the variables (bandwidth, LAN traffic, etc.) at each site. Increase them until the errors go away.
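As an added example (not part of this TID or any Novell tool), the following script picks the TCPIP-4.0-235 message out of saved console output, counts it per port, reports whether the limit seen is the pre-SP2 value (5) or the SP2 value (32), and attaches the tuning suggestion above for that port. The sample console lines, their timestamp format, and the mapping of port 1677 to the POA are assumptions.

```python
import re
from collections import defaultdict

# Regex for the console message quoted in this TID. The "(any port such as 1677 or 7100)"
# text in the TID is an annotation, not part of the real message, so it is not matched.
SYN_RECEIVED_RE = re.compile(
    r"TCPIP-4\.0-235: Number of connections in SYN-RECEIVED state on port (?P<port>\d+) "
    r"has exceeded the maximum \((?P<max>\d+)\) allowed by the application\."
)

# Component and tuning hint per port, taken from the SUGGESTIONS section of this TID.
# Port 1677 is not labelled in the TID; it is assumed here to be the POA listener.
PORT_HINTS = {
    25: ("SMTP gateway", "raise /RD or /SD daemon threads in GWSMTP.CFG"),
    7100: ("MTA", "raise /tcpwaitdata and /tcpwaitconnect"),
    1677: ("POA (assumed)", "check server utilization and TCPCON TCP stats; reload NLMs"),
}
DEFAULT_HINT = ("unknown listener", "check the application's connection limit and TCPCON stats")

def parse_syn_received(lines):
    """Return a (port, limit) tuple for every TCPIP-4.0-235 message found in lines."""
    hits = []
    for line in lines:
        m = SYN_RECEIVED_RE.search(line)
        if m:
            hits.append((int(m.group("port")), int(m.group("max"))))
    return hits

def summarize(lines):
    """Group the messages by port and attach the component, hint and SP2 status."""
    per_port = defaultdict(lambda: {"count": 0, "max": 0})
    for port, limit in parse_syn_received(lines):
        per_port[port]["count"] += 1
        per_port[port]["max"] = limit
    report = {}
    for port, entry in per_port.items():
        component, hint = PORT_HINTS.get(port, DEFAULT_HINT)
        # A limit of 5 is the pre-SP2 backlog; 32 means GroupWise 5.2 SP2 is applied.
        report[port] = {"count": entry["count"], "max": entry["max"],
                        "component": component, "hint": hint,
                        "sp2_applied": entry["max"] >= 32}
    return report

# Constructed sample console lines (not captured from a real server).
SAMPLE_LOG = [
    "3-24-2003 10:01:02 am: TCPIP-4.0-235: Number of connections in SYN-RECEIVED state on port 25 has exceeded the maximum (5) allowed by the application.",
    "3-24-2003 10:01:03 am: TCPIP-4.0-235: Number of connections in SYN-RECEIVED state on port 25 has exceeded the maximum (5) allowed by the application.",
    "3-24-2003 10:02:10 am: TCPIP-4.0-235: Number of connections in SYN-RECEIVED state on port 7100 has exceeded the maximum (32) allowed by the application.",
    "3-24-2003 10:02:11 am: unrelated console message (constructed)",
]

if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE_LOG).items()):
        print(port, info)
```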
Another option is to disable the SYN attack feature. If this is done, the system will be vulnerable to SYN attacks, but the option is viable. To disable the SYN attack feature, do the following:
1. LOAD SERVMAN.
2. Select Server parameters | Communications.
3. Set TCP Defend SYN Attacks to Off.
The SET command is "SET TCP DEFEND SYN ATTACKS = OFF".
THIS COMMAND IS ONLY SUPPORTED WITH THE LATEST TCPIP STACK (TCPN05.EXE or higher).
NBTS: 167487
document
Document Title: SYN Attack, SYN-RECEIVED Exceeded Maximum.
Document ID: 10007807
Solution ID: 1.0.343624.1826696
Creation Date: 12Oct1998
Modified Date: 24Mar2003
Novell Product Class: Connectivity Products, Groupware, NetWare
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.