Situation

Status
Not open for further replies.
Hello,
I have a dedicated server running the FreeBSD 11.1 operating system, and when I run dmesg I get this error:
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
I have an i210 LAN interface, and when the server hosted on it is attacked, these messages occur.
Can you help me with some advice?
Thanks!
 
Check which service/port is getting this overflow with
netstat -Aan | grep 0xfffffe0095acfab8

Then check why this service is processing those new connections slowly (service concurrent connection limit, storage, CPU, etc.), which causes the new connections to get queued, and/or try to limit the simultaneous connections per IP with your firewall if you believe that this is some DDoS attack.

You can also check the current listen queues with
netstat -Lan
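The two checks in the reply above can be scripted against text the box already produces. The script below is an added example, not part of the original thread; the dmesg and `netstat -Lan` samples in it are constructed to match what was posted, not captured from the poster's server, and the addresses and ports are made up. It counts overflow reports per pcb and classifies each TCP listener from the `qlen/incqlen/maxqlen` column. Two details worth knowing when reading those numbers: `qlen` counts connections that have completed the handshake and are waiting for the application to call accept(2) (half-open connections from a spoofed SYN flood land in `incqlen` instead), and FreeBSD 11's sonewconn() only refuses a connection once `qlen` exceeds 3 * maxqlen / 2, so a backlog of 128 really holds 192 and the 193rd is the one that gets logged.

```shell
#!/bin/sh
# Added example: triage of a FreeBSD "Listen queue overflow" report from dmesg
# and `netstat -Lan` text. Samples are constructed, not captured from a real host.

DMESG_SAMPLE='sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance'

# `netstat -Lan` columns: qlen/incqlen/maxqlen = completed connections waiting
# for accept(2) / half-open (handshake unfinished) / backlog limit.
# Addresses below are documentation addresses (RFC 5737), not the poster's.
NETSTAT_L_SAMPLE='Current listen queue sizes (qlen/incqlen/maxqlen)
Proto Listen                           Local Address
tcp4  192/0/128                        192.0.2.10.11002
tcp4  0/0/128                          *.22
tcp4  5/0/1024                         192.0.2.10.80'

# Print "<pcb> <count>" for every listening pcb that dmesg reports as overflowing.
# Input: dmesg text as $1.
overflow_pcbs() {
    printf '%s\n' "$1" |
    awk '/sonewconn: pcb .*Listen queue overflow/ { sub(/:$/, "", $3); n[$3]++ }
         END { for (p in n) print p, n[p] }' | sort
}

# Print "<local address> <state> qlen=.. incqlen=.. max=.. drop_above=.." per TCP
# listener. FreeBSD 11 sonewconn() refuses a connection when qlen > 3*maxqlen/2,
# so with maxqlen 128 the queue holds 192 and the 193rd connection is dropped,
# which is exactly the number in the dmesg line. Input: `netstat -Lan` text as $1.
listener_state() {
    printf '%s\n' "$1" |
    awk '$1 ~ /^tcp[46]?$/ && $2 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
            split($2, q, "/")
            qlen = q[1] + 0; incq = q[2] + 0; maxq = q[3] + 0
            limit = int(3 * maxq / 2)
            if (qlen > limit)      state = "dropping"
            else if (qlen >= maxq) state = "full"
            else                   state = "ok"
            printf "%s %s qlen=%d incqlen=%d max=%d drop_above=%d\n",
                   $3, state, qlen, incq, maxq, limit
        }'
}

# Stand-alone run on the samples. On a real host use:
#   overflow_pcbs "$(dmesg)"; listener_state "$(netstat -Lan)"
overflow_pcbs "$DMESG_SAMPLE"
listener_state "$NETSTAT_L_SAMPLE"
```

When grepping the pcb in `netstat -Aan`, note that netstat prints the address as bare hex without the `0x` prefix, so `grep -i "${pcb#0x}"` is safer than grepping the dmesg form verbatim. A listener reported as `full` with `incqlen=0` is backed up on completed handshakes, which points at the application's accept loop or its connection limit rather than at half-open spoofed SYNs.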
 
I use ipfw and pf for the firewall.
That attack came on the game server login port.
When I run netstat -Lan, the result is:
tcp4 192/0/128 xxx.xxx.xxx.xxx.11002
Pf blocks those IPs (spoofed IPs), but there are too many and players cannot log in to the server.
Pf rules are:

pass in inet proto icmp all icmp-type echoreq

pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
(max-src-conn 40, max-src-conn-rate 20/5, overload <abusive_hosts> flush)

pass in on $ext_if proto tcp to any port 11002 flags S/SA synproxy state \
(max-src-conn-rate 3/30, overload <abusive_hosts> flush)

pass in on $ext_if proto tcp to any port $game_ports flags S/SA synproxy state \
(max-src-conn 40, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

pass in on $ext_if proto udp to any port $game_ports keep state \
(max-src-conn 40, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

We also have a firewall on, ipfw, where we leave just the necessary ports open, and UDP is off.
Thanks!
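For reference, the `overload <abusive_hosts>` clause in the rules above only has an effect when the table exists and a block rule consults it. The fragment below is an added example of the complete pattern, not the poster's ruleset and not a claim about what the rest of their pf.conf contains; the interface name igb0 (the driver FreeBSD 11 uses for the Intel i210) and the connection limits are assumptions for illustration.

```pf
# Added example: the three parts the overload pattern needs. Not the poster's
# configuration; igb0 and the limits are assumptions for illustration.
ext_if = "igb0"
login_port = "11002"

# 1. The table. 'persist' keeps it across rule reloads and lets pfctl -T manage it.
table <abusive_hosts> persist

# 2. A block rule that consults the table. 'quick' and placement before the pass
#    rules mean an overloaded host is dropped before it can create new state.
block in quick on $ext_if from <abusive_hosts>

# 3. The rate-limited pass rule. synproxy answers the SYN on the server's behalf,
#    so a spoofed SYN flood never reaches the game server's listen queue; only
#    clients that finish the handshake get a state and count toward the limits.
#    'flush global' kills every state from the offending source, not just the
#    ones created by this rule.
pass in on $ext_if proto tcp to any port $login_port flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <abusive_hosts> flush global)

# Operational checks (run from a shell, shown here as comments):
#   pfctl -t abusive_hosts -T show          list hosts the overload clause added
#   pfctl -t abusive_hosts -T expire 3600   drop entries idle for more than an hour
#   pfctl -s states | grep ':11002'         see who currently holds state on the port
# The maxqlen in `netstat -Lan` (128 above) is min(listen(2) backlog requested by
# the application, kern.ipc.soacceptqueue). Raising the sysctl only helps if the
# application also asks for a larger backlog.
```

Because synproxy completes the handshake before opening a state to the server, entries sitting in `qlen` behind such a rule are real clients the application has not accepted yet; the overload table throttles abusive sources, but it does not make the server accept faster.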
 
If the abusive hosts are from the same IP range, you can block it instead of trying to limit its connections. You can check the connections with pfctl -s states
 
Yes, and that is why this thread stops here.
Please READ the sticky threads about Metin!
 