0

i'm using several PHP scripts (mostly via CLI, some via nginx / php-fpm) on a (Raspbian) Debian Linux system (4.19.75).

My scripts are using simple TCP sockets as well as WebSockets to communicate with each other. For some reason the Linux kernel thinks that i'm trying to flood/DoS my own machine.

Jan 17 02:07:26 luna kernel: [10617.487372] TCP: request_sock_TCP: Possible SYN flooding on port 1337. Sending cookies.  Check SNMP counters.
Jan 17 14:31:22 luna kernel: [55253.978408] TCP: request_sock_TCP: Possible SYN flooding on port 1337. Sending cookies.  Check SNMP counters.
Jan 17 14:31:23 luna kernel: [55254.164176] TCP: request_sock_TCP: Possible SYN flooding on port 2346. Sending cookies.  Check SNMP counters.
Jan 17 17:24:09 luna kernel: [65620.070514] TCP: request_sock_TCP: Possible SYN flooding on port 1337. Dropping request.  Check SNMP counters.

This happens regardless of the sysctl-Config, deactivating SYN-Cookies results in instantly dropping all requests.

Changing net.ipv4.tcp_max_syn_backlog = 65535 doesn't work as well.

I had the same problem 2 years ago, but can't remember how i worked around it.

Is there a way to whitelist atleast all connections made from localhost? Or to deactivate the whole system? (I know this makes it vulnerable to SYN-Flood-Attacks, but at this point i would rather like to have an insecure but working system...)

Daniel Jäger
  • 177
  • 1
  • 3
  • 13

1 Answers1

0

The issue (probably) was the new default value for PHPs TCP/listen backlog. Somehow it seems to have a new default value of zero.

$this->socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_set_option($this->socket, SOL_SOCKET, SO_REUSEADDR, 1);

socket_bind($this->socket, TCP_HOST, TCP_PORT);
socket_listen($this->socket, 128);    // SETTING BACKLOG = 128
socket_set_nonblock($this->socket);
Daniel Jäger
  • 177
  • 1
  • 3
  • 13