1. The customer's staff reported that the forum had recently been having constant problems; the symptom was that the website could not be accessed through IE. At that time, the system was checked over a Telnet connection and looked basically normal (CPU via top, memory via top, processes via ps, ports via netstat), but the web page could not be accessed.
2. Connecting to their server again (through telnet), the system status was checked once more with the top / ps / netstat commands. Checking CPU idle and memory with the top command, memory usage was about 500M (of 2G total), which is fairly normal. The ps command showed the Java process started by Tomcat, which was also normal. The netstat -an command showed some CLOSE_WAIT and ESTABLISHED connections (this is normal), but also more than 60 connections in the SYN_RECV state, and after a while the number in this state was still increasing.
At this point I searched the Internet and found http://weblog.dalouis.com/archives/2004/09/ae_syn_recv_cae.html, where the author describes the same symptoms: the site could not be accessed and there were many ports in the SYN_RECV state. The author says this is probably a network attack called a SYN flood (put plainly, a kind of denial-of-service attack).
The author's way of handling it involves the Web service and iptables firewall rules; please refer to the URL above.
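
The netstat check described above can be scripted so that the SYN_RECV count and its trend are visible at a glance. This is an added example, not part of the original post: the function names, the sample output (documentation-range addresses) and the threshold of 60, taken from the count seen above, are assumptions.

```shell
#!/bin/sh
# Added example: summarise TCP states from `netstat -an` and flag a growing
# SYN_RECV backlog. Linux netstat prints SYN_RECV; BSD systems print SYN_RCVD.

SYN_RECV_THRESHOLD=60   # assumed alert level, based on the count in the post

# Constructed sample of `netstat -an` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:41022      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:51234      CLOSE_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:1026        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.77:4410       SYN_RECV
EOF
}

# count_state STATE: read netstat output on stdin, print how many TCP
# sockets are in STATE (prints 0 when there are none).
count_state() {
    awk -v s="$1" '$1 ~ /^tcp/ && $6 == s { n++ } END { print n + 0 }'
}

# syn_recv_by_peer: print "count address" for half-open connections,
# busiest remote address first, with the remote port stripped.
syn_recv_by_peer() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); c[$5]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# check_syn_backlog PREVIOUS_COUNT: read netstat output on stdin and print
# ALERT (above threshold), GROWING (higher than last sample) or OK.
check_syn_backlog() {
    prev=$1
    now=$(count_state SYN_RECV)
    if [ "$now" -gt "$SYN_RECV_THRESHOLD" ]; then echo "ALERT $now"
    elif [ "$now" -gt "$prev" ]; then echo "GROWING $now"
    else echo "OK $now"
    fi
}

# Demo on the constructed sample; on a live host: netstat -an | check_syn_backlog 0
sample_netstat | check_syn_backlog 0
```

Feeding the previous sample's count into `check_syn_backlog` on each run shows whether the half-open backlog is still climbing, and `syn_recv_by_peer` shows whether it comes from a few addresses or many.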