Re: How to diagnose "Limiting closed port RST response from 213 to 205 packets/sec" ?
Date: Sun, 01 Sep 2024 08:32:25 UTC
On 2024-08-31 07:32, Pete French wrote:
> So I am running some servers with 14.1-STABLE, pretty standard - Apache +
> mysql setup, and I am seeing a lot of the above messages. I have always seen
> these from time to time, but recently I have had complaints from a customer
> about the webservers being unavailable, and the times they give correspond to
> bursts of these errors.
>
> I don't see any other errors, and am wondering how to get more info about
> this message. Knowing if it's IPv4 or IPv6 would be nice. Knowing the port
> that is closed would be ideal. I have a feeling that the closed port is the
> one which Apache is supposed to be listening on (I can't think of any other
> ports which would get hammered), but that should never be closed.
Check the www logs against the same times you're seeing these in messages.
Bad bots / "search engines" will often flood your server(s). It can also be
the result of local scripts making massive queries outbound (a script running
on a [local] customer web server?). Lastly, someone pounding on your box either
directly, or by way of deflected queries (harder to track).

Some ways to track: check all your other logs against the same times those
messages show up in messages. Crank up verbosity in logs. Lastly, you might be
able to better ferret out some additional clues in sysctl.conf(5) by tweaking
the net.inet.tcp.log_in_vain setting; from tcp(4):
     log_in_vain
             Log any connection attempts to ports where there
             is no socket accepting connections.  The value
             of 1 limits the logging to SYN (connection
             establishment) packets only.  A value of 2 results
             in any TCP packets to closed ports being logged.
             Any value not listed above disables the logging
             (default is 0, i.e., the logging is disabled).
Warning: you'll see a good number of entries; many (most) are innocent/harmless.
You'll of course only be interested in those corresponding with the messages
you're receiving. You'll probably only want to use this during the periods
you're concerned with, as this is a pretty noisy log.

I see these messages all the time, and managed to track the offending IP using
at least one of the above. I run pf(4), so I add the offending IP to a block
table, and am never forced to deal with them again. :)
HTH
--Chris
>
> Any advice?
>
> -pete.
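The correlation Chris suggests, as an added example that is not part of either mail: it reads /var/log/messages-style lines, finds each "Limiting closed port RST response" event, and summarises the log_in_vain entries logged within a few seconds of it by destination port, source address and address family (answering Pete's "which port" and "IPv4 or IPv6" questions). The sample lines are constructed, and the `TCP: [src]:port to [dst]:port` layout of the log_in_vain line is assumed to match what tcp(4) logging emits; adjust VAIN_RE if your kernel's wording differs.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages lines (syslog has no year, so one is supplied).
# The log_in_vain line shape below is an assumption about the kernel's wording.
SAMPLE_MESSAGES = """\
Aug 31 07:30:01 www kernel: TCP: [198.51.100.5]:44120 to [192.0.2.10]:80; tcp_input: Connection attempt to closed port
Aug 31 07:30:01 www kernel: TCP: [198.51.100.5]:44121 to [192.0.2.10]:80; tcp_input: Connection attempt to closed port
Aug 31 07:30:02 www kernel: TCP: [2001:db8::1]:50000 to [2001:db8::10]:443; tcp_input: Connection attempt to closed port
Aug 31 07:30:02 www kernel: Limiting closed port RST response from 213 to 205 packets/sec
Aug 31 07:30:02 www kernel: TCP: [198.51.100.5]:44122 to [192.0.2.10]:80; tcp_input: Connection attempt to closed port
Aug 31 07:45:10 www kernel: TCP: [203.0.113.7]:6000 to [192.0.2.10]:22; tcp_input: Connection attempt to closed port
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ kernel: (.*)$")
VAIN_RE = re.compile(r"TCP: \[([^\]]+)\]:(\d+) to \[([^\]]+)\]:(\d+)")
LIMIT_RE = re.compile(r"Limiting closed port RST response from (\d+) to (\d+) packets/sec")


def parse_messages(text, year=2024):
    """Yield (timestamp, message) for every kernel line in a syslog-format text."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def correlate(text, window_sec=5, year=2024):
    """For each RST rate-limit message, summarise log_in_vain hits within +/- window_sec."""
    entries = list(parse_messages(text, year))
    vain = []  # (timestamp, src_addr, dst_addr, dst_port) for each closed-port attempt
    for ts, msg in entries:
        v = VAIN_RE.search(msg)
        if v:
            src, _sport, dst, dport = v.groups()
            vain.append((ts, src, dst, int(dport)))
    bursts = []
    for ts, msg in entries:
        lim = LIMIT_RE.search(msg)
        if not lim:
            continue
        lo, hi = ts - timedelta(seconds=window_sec), ts + timedelta(seconds=window_sec)
        near = [x for x in vain if lo <= x[0] <= hi]
        bursts.append({
            "at": ts, "rate": (int(lim.group(1)), int(lim.group(2))),
            "by_port": Counter(d for _, _, _, d in near),
            "by_src": Counter(s for _, s, _, _ in near),
            "by_family": Counter("IPv6" if ":" in s else "IPv4" for _, s, _, _ in near),
        })
    return bursts


if __name__ == "__main__":
    for b in correlate(SAMPLE_MESSAGES):
        print(b["at"], "rate", b["rate"], "ports", dict(b["by_port"]),
              "sources", dict(b["by_src"]), "families", dict(b["by_family"]))
```

Pipe a real file in with `correlate(open("/var/log/messages").read())` once log_in_vain has been raised for the period you are watching; the top source in by_src is the candidate for the pf(4) block table.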