How can I get >100 connections in FIN_WAIT_2 state from the same IP?
Michael Powell
nightrecon at hotmail.com
Tue Oct 13 21:51:35 UTC 2009
Chuck Swiger wrote:
> On Oct 13, 2009, at 10:33 AM, Martin Turgeon wrote:
>> I would like to know if anyone knows the reason why I get a lot of
>> connections (more than 100) from the same IP in FIN_WAIT_2 state.
>
> That IP is probably running a web proxy or possibly some kind of
> spider. It could also be malicious, trying to exploit webserver
> vulnerabilities, etc-- search your logs for that IP and see what it is
> doing.
>
>> In this case the connections are on port 80. Is it a problem with the
>> client's browser or OS? Is it possible that some mobile devices don't
>> close their connections correctly to save bandwidth and battery?
>
> Yes, it's not uncommon for various platforms to simply drop
> connections rather than closing them properly. You can run tcpdrop to
> forcibly get rid of them, but they should time out within a few
> minutes anyway. If you believe the remote IP is being abusive,
> consider firewalling it....
>
This is also common from the differences in TCP/IP stacks across various
platforms. Windows, Linux, Solaris, etc are all slightly different in this
regard.

If you're running a web server you can set the following in /etc/sysctl.conf
in an attempt to mitigate. Don't know if the timeout period can be altered.

net.inet.tcp.fast_finwait2_recycle=1

This won't stop it from happening but it will trim the pool down some.

-Mike
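
To see which remote addresses are holding the FIN_WAIT_2 sockets discussed in this thread, the following added example (not part of the original messages) counts them per peer. It assumes the FreeBSD `netstat -an -p tcp` column layout; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: count FIN_WAIT_2 connections per remote address from
# FreeBSD-style `netstat -an -p tcp` output read on stdin.
# On a live host: netstat -an -p tcp | finwait2_by_ip 100

finwait2_by_ip() {
    # $1 = minimum number of FIN_WAIT_2 sockets to report (default 100)
    awk -v min="${1:-100}" '
        # Data rows: proto recv-q send-q local foreign state
        $1 ~ /^tcp/ && $6 == "FIN_WAIT_2" {
            addr = $5
            # FreeBSD netstat joins address and port with a dot
            # (192.0.2.10.51234, 2001:db8::99.60000); strip the port.
            sub(/\.[0-9]+$/, "", addr)
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= min)
                    printf "%d %s\n", count[a], a
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation addresses, not a real capture).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 203.0.113.5.80         192.0.2.10.51234       FIN_WAIT_2
tcp4       0      0 203.0.113.5.80         192.0.2.10.51235       FIN_WAIT_2
tcp4       0      0 203.0.113.5.80         192.0.2.10.51236       FIN_WAIT_2
tcp4       0      0 203.0.113.5.80         198.51.100.7.40000     FIN_WAIT_2
tcp4       0      0 203.0.113.5.80         198.51.100.7.40001     ESTABLISHED
tcp6       0      0 2001:db8::5.80         2001:db8::99.60000     FIN_WAIT_2
tcp4       0      0 *.80                   *.*                    LISTEN
EOF
}

# Demo run with a low threshold so the small sample produces output.
sample_netstat | finwait2_by_ip 2
```

An address reported here can then be looked up in the web server logs, as suggested earlier in the thread, before deciding whether to firewall it.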