What does "possible SYN flooding on port 8009. Sending cookies" mean in /var/log/messages?

taras · Nov 13, 2010 · Viewed 8.9k times

I have a web application set up with Apache + mod_jk + Tomcat (the connector for mod_jk is on port 8009). Recently my app started to hang a few times a day, and in /var/logs/messages there are entries like "possible SYN flooding on port 8009. Sending cookies" with 30-60 seconds. I have to restart each time the app hangs.

Is it a DDoS attack? Or can system/application errors cause this problem?

Any help would be highly appreciated.

Thanks.

Answer

Konerak · Nov 13, 2010

This article about tcp_syncookies might help explain the problem.

Someone or something is sending SYN packets to your application. It might be a legit client that does not receive the ACK cookie (is your application working?), or it might be someone malevolent (is it distributed or not?).
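
To check the two questions the answer raises (is the application still accepting connections, and do the half-open connections come from one source or many), the following added example, which is not part of the original answer, parses text in the `/proc/net/tcp` layout and reports the listener's accept-queue depth and the SYN_RECV count per remote address for port 8009. It assumes IPv4 and a little-endian Linux host (for example x86); the sample rows are constructed and trimmed to the columns used.

```python
import socket
import struct
from collections import Counter

SYN_RECV, LISTEN = 0x03, 0x0A  # TCP state codes as printed in /proc/net/tcp

# Constructed sample (not captured from a real host), trimmed to five columns.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:1F49 00000000:0000 0A 00000000:00000065
   1: 0A00000A:1F49 0500000A:C350 03 00000000:00000000
   2: 0A00000A:1F49 0500000A:C351 03 00000000:00000000
   3: 0A00000A:1F49 0500000A:C352 03 00000000:00000000
   4: 0A00000A:1F49 0600000A:9C40 03 00000000:00000000
   5: 0A00000A:1F49 0700000A:D431 01 00000000:00000000
   6: 0A00000A:0050 0800000A:E000 03 00000000:00000000
"""

def decode(addr):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); assumes little-endian host."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def summarize(text, port=8009):
    """Return (accept_queue_depth, Counter of SYN_RECV entries per remote IP)."""
    accept_queue = None
    half_open = Counter()
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        _, local_port = decode(fields[1])
        remote_ip, _ = decode(fields[2])
        if local_port != port:
            continue                        # other services are out of scope
        state = int(fields[3], 16)
        if state == LISTEN:
            # For a listening socket, rx_queue is the current accept-queue length.
            accept_queue = int(fields[4].split(":")[1], 16)
        elif state == SYN_RECV:
            half_open[remote_ip] += 1
    return accept_queue, half_open

if __name__ == "__main__":
    # On a live host, pass the contents of /proc/net/tcp instead of SAMPLE.
    depth, sources = summarize(SAMPLE)
    print("accept queue depth:", depth)
    for ip, count in sources.most_common():
        print(f"{ip}: {count} half-open")
```

A large accept-queue depth means the AJP connector is not accepting connections as fast as they arrive, while many half-open entries spread across unrelated sources is the pattern a distributed flood produces. SYNs that the kernel answers with a cookie are not stored, so they do not appear as SYN_RECV rows.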