Hello!

On Mon, Aug 08, 2011 at 09:41:06AM -0400, Marki555 wrote:

> Do you think it can be a synflood attack? I can see it only during peak
> hours, if it would be attack, I would expect it to be nonstop. If it
> would be synflood, how would nginx handle it? SYN_RECV means that kernel
> has received the initial SYN packet, but the userspace (nginx) didn't
> reply with SYN+ACK yet. But from strace it seems that nginx is not
> receiving those connections...

You understanding of how tcp stack works isn't really correct.
Userland (and nginx) will see connection once it's ESTABLISHED.
Connections in SYN_RECV state are sitting in kernel (traditionally
in listen socket's incomplete queue, on modern OSes likely in
syncache or something like it) and userland won't be able to
accept() them.

> Every request is from different IP (as it's ad-tracking I have more than
> 3 milions diff. IPs per day). Here is output:

I suggest most likely cause is network problems: packets are lost
somewhere in transit, and that's why you see many incomplete
connections.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx