[TriLUG] Can't open socket
Aaron Joyner
aaron at joyner.ws
Fri May 24 09:58:57 EDT 2013
What does the output of 'netstat' look like when it's saying "can't open
socket"? If you're running an awful lot of connections to recaptcha.net,
you might be running into an issue with reusing sockets (google and read
around about TIME_WAIT, SO_REUSEADDR and SO_REUSEPORT). This would show up
as a lot of sockets in state TIME_WAIT. Given that recaptcha.net resolves
to >6 addresses for me, I find it unlikely you're running into a TIME_WAIT
problem, but it's worth looking at.
If you're seeing a spammer hitting your box (which this is sounding more
and more likely), and he's tripping over your captcha, then he might load a
page which is causing you to leave a hanging connection to recaptcha for some
timeout period, and he's exhausting your ability to create new ports to
recaptcha that way. It'd take an awful lot of connections (your 1 source
ip * 6 destination recaptcha IPs * ~64000 ports per <timeout period>). If
your timeout period is on the order of 5m, that's a quite reasonable possibility.
You could dial down the timeout and you might be able to simply absorb the
DoS, but I think you'd do better to look at the query logs to see who's
generating the largest amount of traffic to your sites, and look for
suspicious patterns.
G'luck,
Aaron S. Joyner
PS - In case it wasn't obvious, a DoS query load large enough to trigger
the port exhaustion demonstrated by the math above is also equally likely to
cause the rest of your box to be resource starved, leading to the MySQL
performance problems you were seeing in the other thread.
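The netstat check Aaron describes, as an added example that is not part of the thread: it parses `netstat -tan`-style output (a constructed sample is embedded), counts sockets per state, and measures how many TIME_WAIT entries are piling up against each remote endpoint relative to the ephemeral port range. The 32768-61000 range is assumed as the classic Linux default; substitute the value from /proc/sys/net/ipv4/ip_local_port_range on the box being checked.

```python
from collections import Counter

# Constructed sample in the shape of `netstat -tan` output (not real data).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:45001        198.51.100.7:80         TIME_WAIT
tcp        0      0 192.0.2.10:45002        198.51.100.7:80         TIME_WAIT
tcp        0      0 192.0.2.10:45003        198.51.100.8:80         TIME_WAIT
tcp        0      0 192.0.2.10:45004        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
"""

# Assumed default ephemeral range; read ip_local_port_range for the real one.
DEFAULT_PORT_RANGE = (32768, 61000)


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header lines, UDP, etc.
        lip, lport = parts[3].rsplit(":", 1)
        rip, rport = parts[4].rsplit(":", 1)
        rows.append((lip, lport, rip, rport, parts[5]))
    return rows


def time_wait_report(rows, port_range=DEFAULT_PORT_RANGE):
    """Count sockets by state, and TIME_WAIT sockets per remote endpoint.

    Outbound connects to one remote ip:port each need a distinct local
    port, so the per-endpoint TIME_WAIT count is what eats the ephemeral
    range. Returns (by_state, per_endpoint, fraction_of_range_used)."""
    by_state = Counter(state for *_, state in rows)
    per_endpoint = Counter(
        (lip, rip, rport) for lip, _, rip, rport, state in rows
        if state == "TIME_WAIT"
    )
    capacity = port_range[1] - port_range[0] + 1
    fraction_used = {ep: n / capacity for ep, n in per_endpoint.items()}
    return by_state, per_endpoint, fraction_used


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    by_state, per_endpoint, used = time_wait_report(parse_netstat(text))
    print(dict(by_state))
    for ep, frac in sorted(used.items(), key=lambda kv: -kv[1]):
        print("%s:%s <- %s  TIME_WAIT=%d  (%.1f%% of range)"
              % (ep[1], ep[2], ep[0], per_endpoint[ep], 100 * frac))
```

Pipe real output in with `netstat -tan | python3 thisfile.py`; an endpoint whose fraction approaches 1.0 within one TIME_WAIT period is the one that will start failing with "can't open socket".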
On Fri, May 24, 2013 at 9:38 AM, Brian McCullough <bdmc at buadh-brath.com> wrote:
> I have just recently had an issue appear on a machine that has been
> running, untouched, for multiple years. ( the code in question for
> between three and four, the server for almost two between reboots )
>
>
> Now, without any apparent cause, it is saying "can't open socket," or
> words to that effect, when it tries to contact recaptcha.net. I also
> tried changing the address to the new Google one, with the same result.
>
> I tried increasing the socket range in /proc, with no effect.
>
>
> This is a CentOS 5.6 machine, with MySQL 5.0.77 and Apache 2.2.3, if
> that matters.
>
>
> Suggestions?
>
>
> Thanks,
> Brian
>