linux
ancalled, 2013-11-15 14:38:09

Why are there many invalid addresses in netstat's response?

The production server has a Java application that accepts TCP connections. At some point, they began to notice that new connections to the server could not be established, while already connected users continued to work with the service normally. The situation has continued for a week or two and does not occur constantly. What looks suspicious is that netstat shows a bunch of 'invalid addresses' at the times when the server does not allow connections.
We tried to transfer the service to another server and another distribution; the situation did not change. A similar service deployed for a different audience does not suffer from such problems.
How can you tell whether this is spoofing, some kind of DDoS, or just a problem with the service?
> uname -a
Linux xxx.xxx.xxx 2.6.32-18-pve #1 SMP Mon Jan 21 12:09:05 CET 2013 x86_64 x86_64 x86_64 GNU/Linux
> cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m
> netstat -s
Ip:
    34710709 total packets received
    189 with invalid headers
    272868 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    34251161 incoming packets delivered
    24456227 requests sent out


2 answer(s)
Sergey, 2013-11-15
@bondbig

Very similar to spoofed requests. It's pretty hard to check, actually. If changing the server did not help and these requests do not eat up a lot of resources, then you can simply ignore them, because by default such packets are dropped.

ki10bit, 2013-11-15
@ki10bit

If at the moment of the problem you try to run tcpdump on the application port in one console, in another strace on the application, and in the third try to establish a connection from the server on which this application is launched, what happens in the logs?
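
An added example (not code from the thread or from either answerer) for checking whether the "with invalid addresses" counter actually grows while connections are being refused: it parses two saved copies of /proc/net/snmp, where netstat -s reads that counter as the Ip field InAddrErrors, and reports the per-interval deltas. The earlier snapshot and the shortened header line are constructed for illustration; the later snapshot reuses the values from the question.

```python
"""Compare two /proc/net/snmp snapshots to see how fast Ip errors grow."""

# netstat -s takes these Ip counters from /proc/net/snmp (Linux):
#   InReceives   -> "total packets received"
#   InHdrErrors  -> "with invalid headers"
#   InAddrErrors -> "with invalid addresses"
FIELDS = ("InReceives", "InHdrErrors", "InAddrErrors")

def parse_snmp(text, proto="Ip"):
    """Parse one section (a names line, then a values line) into a dict."""
    rows = [l.split()[1:] for l in text.splitlines() if l.startswith(proto + ":")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("no complete %s section found" % proto)
    return dict(zip(rows[0], map(int, rows[1])))

def interval_report(before, after, fields=FIELDS):
    """Return counter deltas plus the share of received packets dropped
    for an invalid address during the interval."""
    delta = {f: after[f] - before[f] for f in fields}
    if any(v < 0 for v in delta.values()):
        raise ValueError("counter went backwards (reboot or wrap)")
    rx = delta["InReceives"]
    delta["addr_error_ratio"] = delta["InAddrErrors"] / rx if rx else 0.0
    return delta

# Constructed samples. SNAP_T1 uses the values from the question's output;
# SNAP_T0 is an invented earlier reading; the header is shortened.
HEADER = "Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams\n"
SNAP_T0 = HEADER + "Ip: 2 64 34700709 189 270868 0\n"
SNAP_T1 = HEADER + "Ip: 2 64 34710709 189 272868 0\n"

def demo():
    return interval_report(parse_snmp(SNAP_T0), parse_snmp(SNAP_T1))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # paths to two saved copies of /proc/net/snmp
        snaps = [parse_snmp(open(p).read()) for p in sys.argv[1:3]]
        print(interval_report(*snaps))
    else:
        print(demo())
```

Saving /proc/net/snmp once a minute and running this on consecutive copies shows whether the delta rises only during the periods when new connections fail or grows at a steady background rate.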
