Re: multinet - syn flood



mckinneyj@xxxxxxxx wrote:
rejoc wrote:
Multinet V4.4 A-X, VMS AXP 7.3-2

Suppose there are clients, trying to connect to the VMS/multinet system
by initiating a socket connection with a SYN but not going further.
On the VMS side, we can see these sockets in a SYN_RCVD state.

As far as I understand, as soon as there are as many such sockets as
"backlog", no more connections can be setup on that particular IP port.
Correct?
The process listening on the port is not declared through the multinet
conf/serv mechanisms but the process starts at boot time and declares
itself to multinet and listens to a particular port. How can I increase
the backlog parameter in this case? (I have no access to the sources)

What is the value of the timeout for sockets in the SYN_RCVD state? Can
it be changed (lowered)?

By default, connections in a SYN_RCVD state will timeout after 75
seconds. This value is defined by the kernel parameter TCP_CONNINIT.

$ mu set/kernel TCP_CONNINIT
Parameter tcp_conninit (0x86DE4B50), Value = 150

The parameter is global and affects both incoming and outgoing
connections (so be careful if you choose to lower it as you may find
that you have problems establishing some wanted connections). The value
is in half-second units. You may change it as follows.

$ mu set/kernel TCP_CONNINIT 120
Parameter tcp_conninit (0x86DE4B50), Old Value = 150, New Value = 120

BACKLOG is not a global parameter. It is established for each
individual service. You don't say exactly how the listener is
configured - if it is a service defined via MultiNet's SERVER-CONFIG
utility you can increase the backlog simply by

$ mu conf/serv
SERVER-CONFIG> select YOUR-SERVER
SERVER-CONFIG> set backlog NNN
SERVER-CONFIG> exit

and restart either the MULTINET_SERVER or your server if it is
permanently resident.

You might also want to consider the value of the MultiNet kernel
variable SOMAXCONN. It controls the number of concurrent permissible
connections in an embryonic state on a per port basis.

If you're not using the MULTINET_SERVER to field your connection
requests then you would have to control backlog and max connections in
your server application's code.
As I have no access to the code and the server is not defined via multinet server-config, I'll change the value of somaxconn.

Regarding the embryonic state of the connections, is the "embryonic TCP connections dropped" counter incremented only when a SYN_RCVD connection times out?


Thanks for your help.
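A constructed model of how the SYN_RCVD timeout (TCP_CONNINIT, in half-second units) and a per-port backlog interact, added here as an illustration; it is not code from the thread or from MultiNet, and the queue behaviour, the 150 vs 120 settings compared and the SYN arrival times are all assumed:

```python
from dataclasses import dataclass, field


@dataclass
class EmbryonicQueue:
    """Simplified model of one listening port's half-open (SYN_RCVD) queue.

    backlog: maximum simultaneous SYN_RCVD entries on the port.
    tcp_conninit: timeout in half-second units (150 == 75 s).
    Constructed for illustration; not MultiNet's real kernel logic.
    """
    backlog: int
    tcp_conninit: int
    pending: list = field(default_factory=list)  # SYN arrival times (seconds)
    embryonic_dropped: int = 0                   # timed-out SYN_RCVD entries

    def timeout_seconds(self) -> float:
        return self.tcp_conninit / 2.0

    def expire(self, now: float) -> None:
        """Drop half-open entries that have reached the SYN_RCVD timeout."""
        keep = [t for t in self.pending if now - t < self.timeout_seconds()]
        self.embryonic_dropped += len(self.pending) - len(keep)
        self.pending = keep

    def syn(self, now: float) -> bool:
        """A client SYN arrives; return True if a backlog slot was free."""
        self.expire(now)
        if len(self.pending) >= self.backlog:
            return False  # backlog full: legitimate SYNs are refused too
        self.pending.append(now)
        return True


def simulate(backlog: int, tcp_conninit: int, syn_times: list) -> dict:
    """Replay constructed SYN arrival times and report what happened."""
    q = EmbryonicQueue(backlog, tcp_conninit)
    accepted = sum(q.syn(t) for t in syn_times)
    q.expire(syn_times[-1])
    return {"accepted": accepted, "refused": len(syn_times) - accepted,
            "embryonic_dropped": q.embryonic_dropped,
            "still_pending": len(q.pending)}


# Constructed scenario: eight SYNs never completed (t = 0..7 s), then one
# SYN at t = 60 s and one at t = 80 s that represent wanted connections.
SYN_TIMES = [float(i) for i in range(8)] + [60.0, 80.0]
```

With backlog 5 the default 75 s timeout refuses the SYN at t = 60 s while the 60 s setting has already freed a slot; in both cases the five timed-out entries are what the dropped-embryonic counter records.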