Need Help My Server Got so many CLOSE_WAIT Connections

Question

I need help because my linux ubuntu server are getting too many SQL connections, and when I checked using netstat -t there are many connections like these:

tcp6 1 0 websitesaya.co.id:http 98-142-172-163.re:37854 CLOSE_WAIT 
tcp6 1 0 websitesaya.co.id:http 98-142-172-163.re:34962 CLOSE_WAIT 
tcp6 1 0 websitesaya.co.id:http 98-142-172-163.re:51678 CLOSE_WAIT 
tcp6 0 0 websitesaya.co.id:http 157-171-172-163.r:44102 CLOSE_WAIT 
tcp6 0 0 websitesaya.co.id:http vmi80876.contabo.:46980 CLOSE_WAIT 
tcp6 0 531 websitesaya.co.id:http ks.kgovps.com:35146 LAST_ACK 
tcp6 0 0 websitesaya.co.id:http 98-142-172-163.re:55052 CLOSE_WAIT 
tcp6 1 0 websitesaya.co.id:http 157-171-172-163.r:36082 CLOSE_WAIT 
tcp6 0 0 websitesaya.co.id:http 157-171-172-163.r:33698 CLOSE_WAIT 
tcp6 0 0 websitesaya.co.id:http 157-171-172-163.r:59778 CLOSE_WAIT 
tcp6 0 0 websitesaya.co.id:http 157-171-172-163.r:51166 CLOSE_WAIT 
tcp6 0 0 websitesaya.co.id:http vmi80876.contabo.:49693 CLOSE_WAIT 
tcp6 0 0 websitesaya.co.id:http 98-142-172-163.re:52406 CLOSE_WAIT 
tcp6 1 0 websitesaya.co.id:http 157-171-172-163.r:53266 CLOSE_WAIT 
tcp6 0 639 websitesaya.co.id:http 98-142-172-163.re:58032 LAST_ACK 
tcp6 1 0 websitesaya.co.id:http ks.kgovps.com:59676 CLOSE_WAIT 

and still hundreds or more like that

And no matter how many times I restarted the server or disconnect and reconnect. Those strage connections keeps appearing and appearing again.

Here's what I've tried: - I cannot block those incoming connections from linux firewall because everytime I want to block them, there are errors such as "157-171-172-163.r not found" Then how in the world I can block this IPs from trying to connect to my server? - I cannot kill those process on MySQL Workbench because there are errors "Cannot kill threads 0" or something like that

[Update] Other helpful advice from other forum point that this might be SYN Flood Attack

Answer 1

You are being down-voted because you have not taken the time to research the technologies that you are trying to troubleshoot. Effectively, if you don't take the time, why should we take time to help you?

A TCP socket in CLOSE_WAIT state means that your server has received a request to close a connection (FIN) from a client and the server has sent an Acknowledgement (ACK) in response. In the CLOSE_WAIT state, the TCP stack is waiting on the application to indicate that it is finished with the connection, at which point a FIN can be sent by the server and the socket transition to the LAST_ACK state.

Now, if you are seeing each CLOSE_WAIT socket hang around for a while, then that indicates that your webserver is not able to release connections fast enough. If the CLOSE_WAIT requests disappear quickly, then you probably just have a lot of web traffic on your server. Blanket blocking IP addresses from reaching your (publicly available) web server just because you don't understand how something works seems a bit silly.

Answer 2

From the helpful advice from another forum, I was ginally able to resolve this. I am posting this answer here for anybody else who had the same problem with me but don't know how to deal with it because everyone in here is downvoting your thread instead giving help. The trick is to block those incoming annoying IPs by using linux firewall/ CSF Firewall.

Those IP's are reversed IPs so if you want to block:

157-171-172-163.r then the IP you should block is 163.172.171.157
98-142-172-163.re then the IP you should block is 163.172.142.98

Voila, all the CLOSE_WAIT Connections are gone