Noticed that our incoming TLS connection queue was a little high – running at 60 concurrent connections for an hour or so.<\/p>\n
A check of the queue revealed that all the connections were coming from a single IP – and were tying up the queue, making it a denial of service attack. This one ip address was connecting and reconnecting multiple times, hogging up all the connections.
\n
\nI’ve blocked that ip address, and restarted the TLS service, its back at normal levels now.<\/p>\n
For the interested – <\/p>\n
Connections:<\/strong><\/p>\n mail:\/var\/log\/qmail\/qmail-tls# netstat -an –numeric-ports | grep 587 | grep 58.246.24.242 IP Owner:<\/strong><\/p>\n mail:\/var\/log\/qmail\/qmail-tls# whois 58.246.24.242<\/p>\n % [whois.apnic.net node-2] inetnum: 58.246.24.240 – 58.246.24.247 I’ve sent a note to China Unicom, but don’t expect any reply. A google of Ribiera Shanghai doesn’t reveal any obvious people to complain to either. <\/p>\n Yet another instance where I should put some active logging into the server to notify me when queue \/ connection sizes stay at high levels…<\/p>\n","protected":false},"excerpt":{"rendered":" Noticed that our incoming TLS connection queue was a little high – running at 60 concurrent connections for an hour or so. A check of the queue revealed that all the connections were coming from a single IP – and were tying up the queue, making it a denial of service attack. This one ip […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[91,25],"tags":[],"class_list":["post-330","post","type-post","status-publish","format-standard","hentry","category-service-issues","category-technical-mumbo-jumbo"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=330"}],"version-history":[{"count":2,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/330\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/330\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\ntcp 0 0 61.129.49.190:587 58.246.24.242:24384 ESTABLISHED
\ntcp 1 0 61.129.49.190:587 58.246.24.242:39581 CLOSE_WAIT
\ntcp 0 0 61.129.49.190:587 58.246.24.242:11625 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:42614 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:46630 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:20802 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:51956 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:4463 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:39878 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:43678 ESTABLISHED
\ntcp 1 0 61.129.49.190:587 58.246.24.242:39181 CLOSE_WAIT
\ntcp 0 0 61.129.49.190:587 58.246.24.242:62054 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:64421 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:24326 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:58740 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:25779 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:50209 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:41358 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:32383 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:27925 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:46540 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:7049 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:13999 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:62962 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:19771 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:43604 ESTABLISHED
\ntcp 1 0 61.129.49.190:587 58.246.24.242:38757 CLOSE_WAIT
\ntcp 0 0 61.129.49.190:587 58.246.24.242:39909 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:30470 ESTABLISHED
\ntcp 1 0 61.129.49.190:587 58.246.24.242:39754 CLOSE_WAIT
\ntcp 0 0 61.129.49.190:587 58.246.24.242:61393 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:52072 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:22294 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:60398 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:60530 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:36049 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:1426 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:40190 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:15402 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:23457 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:65187 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:39910 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:23181 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:3286 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:40540 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:12957 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:39829 ESTABLISHED
\ntcp 0 0 61.129.49.190:587 58.246.24.242:19748 ESTABLISHED<\/p><\/blockquote>\n
\n% Whois data copyright terms http:\/\/www.apnic.net\/db\/dbcopyright.html<\/p>\n
\nnetname: SH-Ribeira
\ncountry: cn
\ndescr: Ribeira (Shanghai) Business Consulting Co., Ltd.
\nadmin-c: YR194-AP
\ntech-c: YR194-AP
\nstatus: ASSIGNED NON-PORTABLE
\nchanged: sh-ipmaster@chinaunicom.cn 20081125
\nmnt-by: MAINT-CNCGROUP-SH
\nsource: APNIC<\/p><\/blockquote>\n