Syslog: Kernel TCP: Too many orphaned sockets - tor-relays - lists.torproject.org

newer
Got a visit from the police this...

Syslog: Kernel TCP: Too many orphaned sockets

older
Any security tips on running a...

Tristan

2 Aug 2016 2 Aug '16

12:40 a.m.

I looked at my exit relay's syslog for no specific reason, and saw that it was flooded with the following message: kernel: [1736405.162223] TCP: too many orphaned sockets These messages occur multiple times per second, but they only flood the log every couple of hours. What is this, and what does it mean? -- Finding information, passing it along. ～SuperSluether

Attachments:

attachment.html (text/html — 497 bytes)

Reply

Sign in to reply online Use email software

Show replies by date

Green Dream

2 Aug 2 Aug

1:04 a.m.

It's related to /proc/sys/net/ipv4/tcp_max_orphans "Maximal number of TCP sockets not attached to any user file handle, held by system. If this number is exceeded orphaned connections are reset immediately and warning is printed." So, I'd start by checking the value of tcp_max_orphans (with "cat /proc/sys/net/ipv4/tcp_max_orphans"). The widely distributed sysctl.conf tweaks for Linux relays suggests a value of 262144. I think the default in many distros may be 4096, perhaps too low for an Exit. Some references: https://serverfault.com/questions/624911/what-does-tcp-too-many-orphaned-soc... https://raw.githubusercontent.com/torservers/server-config-templates/master/... If you need help making the sysctl tweaks let me know.

Reply

Sign in to reply online Use email software

Tristan

2:12 a.m.

My default setting was 2048. I changed it to 200,000 for now. I haven't really played with sysctl at all. The only change I've ever made in there was for swappiness. On Mon, Aug 1, 2016 at 8:04 PM, Green Dream <greendream848@gmail.com> wrote:

-- Finding information, passing it along. ～SuperSluether

Reply

Sign in to reply online Use email software

Christian Pietsch

5 Aug 5 Aug

3:40 p.m.

The exit relay we (Digitalcourage) run gets this warning a lot, but it started only recently. I guess it is related to the DDoS attacks (syn flood) we get lately. Debian seems to set /proc/sys/net/ipv4/tcp_max_orphans automatically so that up to a quarter of the installed amount of RAM is used for this. (“Let me remind you again: each orphan eats up to 64K of unswappable memory” – https://serverfault.com/questions/624911/what-does-tcp-too-many-orphaned-soc...) So 262,144 value in Torservers' config will eat up to 16 GiB. I am not sure if overriding Debian's setting is a good idea. Any advice? Is this warning more than an annoyance? Cheers, Christian On Mon, Aug 01, 2016 at 09:12:12PM -0500, Tristan wrote:

-- Digitalcourage e.V., Marktstr. 18, D-33602 Bielefeld, Germany Tel: +49-521-1639 1639 | Fax: +49-521-61172 | mail@digitalcourage.de https://digitalcourage.de | https://bigbrotherawards.de Vorratsdatenspeicherung? Nicht schon wieder! Unterstützen Sie unsere Verfassungsbeschwerde: https://digitalcourage.de/weg-mit-vds

Reply

Sign in to reply online Use email software

Tristan

3:46 p.m.

Well, since changing the setting from 2048 to 200,000, my exit is still running fine, and I'm not seeing a drastic increase in RAM usage. You said each orphan can use up to 64K of memory. Maybe "up to" is the magic phrase? On Aug 5, 2016 10:42 AM, "Christian Pietsch" < christian.pietsch@digitalcourage.de> wrote:

The exit relay we (Digitalcourage) run gets this warning a lot, but it started only recently. I guess it is related to the DDoS attacks (syn flood) we get lately.

Debian seems to set /proc/sys/net/ipv4/tcp_max_orphans automatically so that up to a quarter of the installed amount of RAM is used for this. (“Let me remind you again: each orphan eats up to 64K of unswappable memory” – https://serverfault.com/questions/624911/what-does- tcp-too-many-orphaned-sockets-mean)

So 262,144 value in Torservers' config will eat up to 16 GiB. I am not sure if overriding Debian's setting is a good idea. Any advice? Is this warning more than an annoyance?

Cheers, Christian

On Mon, Aug 01, 2016 at 09:12:12PM -0500, Tristan wrote:

...
My default setting was 2048. I changed it to 200,000 for now. I haven't really played with sysctl at all. The only change I've ever made in there was for swappiness.

On Mon, Aug 1, 2016 at 8:04 PM, Green Dream <greendream848@gmail.com> wrote:

...
It's related to /proc/sys/net/ipv4/tcp_max_orphans

"Maximal number of TCP sockets not attached to any user file handle, held by system. If this number is exceeded orphaned connections are reset immediately and warning is printed."

So, I'd start by checking the value of tcp_max_orphans (with "cat /proc/sys/net/ipv4/tcp_max_orphans"). The widely distributed sysctl.conf tweaks for Linux relays suggests a value of 262144. I think the default in many distros may be 4096, perhaps too low for an Exit.

Some references:

https://serverfault.com/questions/624911/what-does- tcp-too-many-orphaned-sockets-mean

https://raw.githubusercontent.com/torservers/server-config- templates/master/sysctl.conf

If you need help making the sysctl tweaks let me know.

_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

-- Digitalcourage e.V., Marktstr. 18, D-33602 Bielefeld, Germany Tel: +49-521-1639 1639 | Fax: +49-521-61172 | mail@digitalcourage.de https://digitalcourage.de | https://bigbrotherawards.de

Vorratsdatenspeicherung? Nicht schon wieder! Unterstützen Sie unsere Verfassungsbeschwerde: https://digitalcourage.de/weg-mit-vds

_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Reply

Sign in to reply online Use email software

3219

Age (days ago)

3222

Last active (days ago)

Download

4 comments

3 participants

tags

participants (3)

Christian Pietsch
Green Dream
Tristan