This alert indicates that the average number of SYN requests dropped due to the TCP SYN queue being full has exceeded a specific threshold in the last minute. A high number of dropped SYN requests may indicate a SYN flood attack, causing the system to become unresponsive to legitimate traffic.
Monitor incoming traffic: Analyze the incoming network traffic to determine if there is a sudden surge in SYN requests, which might indicate a SYN flood attack. Use tools like tcpdump, iftop, or nload to monitor network traffic.
Check system resources: Inspect the system's CPU and memory usage to ensure there are enough resources available to handle incoming connections. High resource usage might lead to dropped SYN requests.
Enable SYN cookies: If the traffic is legitimate, consider enabling SYN cookies to help mitigate the impact of a SYN flood attack, as described in the provided guide above.
Adjust SYN queue settings: Increase the SYN queue size by adjusting the net.core.somaxconn and net.ipv4.tcp_max_syn_backlog sysctl parameters. Make sure to set these values according to your system's capacity and traffic requirements.
Implement traffic filtering: Use traffic filtering techniques such as rate limiting, IP blocking, or firewall rules to mitigate the impact of SYN flood attacks.
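The triage steps above (measure the SYN-queue drop rate, confirm whether SYN cookies are on, and check the backlog sysctls) as a small POSIX shell script. This is an added example, not part of the alert page or of the monitoring project's own code. It assumes a Linux host with nstat from iproute2 and a readable /proc/sys; TcpExtTCPReqQFullDrop and TcpExtTCPReqQFullDoCookies are the kernel counters for "SYN queue full: dropped" and "SYN queue full: answered with a SYN cookie". The verdict wording, the sample nstat text and the helper names are the example's own, and the 10-second sampling interval is a placeholder, not a threshold from the alert.

```shell
#!/bin/sh
# Added example (not from the alert page). Assumes Linux, nstat (iproute2) and
# /proc/sys. The triage messages below are this example's own heuristics.

# Constructed sample of `nstat -az` output so the helpers run offline.
SAMPLE_NSTAT='#kernel
TcpExtTCPReqQFullDoCookies      34                 0.0
TcpExtTCPReqQFullDrop           12                 0.0
TcpExtListenOverflows           3                  0.0'

# counter NAME [TEXT]: value of a counter in nstat text (live nstat if no TEXT);
# prints 0 when the counter is absent so arithmetic never sees an empty string.
counter() {
    _name=$1
    if [ $# -ge 2 ]; then _text=$2; else _text=$(nstat -az 2>/dev/null); fi
    printf '%s\n' "$_text" | awk -v n="$_name" \
        '$1 == n { print $2; found = 1; exit } END { if (!found) print 0 }'
}

# rate_per_minute PREV CUR SECONDS: per-minute rate from two counter snapshots.
rate_per_minute() {
    echo $(( ($2 - $1) * 60 / $3 ))
}

# effective_backlog REQUESTED SOMAXCONN: the backlog passed to listen() is
# silently capped at net.core.somaxconn, so raising only the application's
# backlog changes nothing while somaxconn stays lower.
effective_backlog() {
    if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# sysctl_value KEY: read a sysctl through /proc/sys (no sysctl binary needed).
sysctl_value() {
    _path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$_path" ] && cat "$_path"
}

# verdict DROPS_PER_MIN COOKIES_PER_MIN SYNCOOKIES: one-line triage of a minute.
verdict() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo "ok: SYN queue not filling"
    elif [ "$3" -eq 0 ]; then
        echo "action: queue full with SYN cookies disabled; set net.ipv4.tcp_syncookies=1 and review backlog"
    elif [ "$1" -gt 0 ]; then
        echo "action: drops despite SYN cookies; check CPU/memory and consider rate limiting upstream"
    else
        echo "warn: SYN cookies absorbing a flood; legitimate load or attack, inspect traffic with tcpdump"
    fi
}

# report SECONDS: sample the counters twice on this host and print the triage.
report() {
    _int=${1:-10}
    _d0=$(counter TcpExtTCPReqQFullDrop); _c0=$(counter TcpExtTCPReqQFullDoCookies)
    sleep "$_int"
    _d1=$(counter TcpExtTCPReqQFullDrop); _c1=$(counter TcpExtTCPReqQFullDoCookies)
    _drops=$(rate_per_minute "$_d0" "$_d1" "$_int")
    _cookies=$(rate_per_minute "$_c0" "$_c1" "$_int")
    _sc=$(sysctl_value net.ipv4.tcp_syncookies)
    echo "tcp_syncookies=${_sc:-?} somaxconn=$(sysctl_value net.core.somaxconn) tcp_max_syn_backlog=$(sysctl_value net.ipv4.tcp_max_syn_backlog)"
    echo "SYN queue drops/min=$_drops cookies/min=$_cookies"
    verdict "$_drops" "$_cookies" "${_sc:-0}"
}

# Live run only when asked: ./syn_queue_triage.sh --live [seconds]
if [ "${1-}" = "--live" ]; then report "${2:-10}"; fi
```

Run it with --live on the alerting host to get the current drop and cookie rates next to the three sysctls; a non-zero drop rate with tcp_syncookies=0 is the case the alert text's "Enable SYN cookies" step addresses, while a high cookie rate with zero drops means the kernel is already absorbing the burst and the remaining question is whether the traffic is legitimate.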