Date:      Tue, 13 Oct 2009 11:39:48 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Martin Turgeon <freebsd@optiksecurite.com>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: How can I get >100 connections in FIN_WAIT_2 state from the same IP?
Message-ID:  <B20ABCEA-21D4-47D6-8465-1C82D3F4EAA3@mac.com>
In-Reply-To: <4AD4B9EA.5070304@optiksecurite.com>
References:  <4AD4B9EA.5070304@optiksecurite.com>

On Oct 13, 2009, at 10:33 AM, Martin Turgeon wrote:
> I would like to know if anyone knows the reason why I get a lot of
> connections (more than 100) from the same IP in FIN_WAIT_2 state.

That IP is probably running a web proxy or possibly some kind of  
spider.  It could also be malicious, trying to exploit webserver  
vulnerabilities, etc-- search your logs for that IP and see what it is  
doing.

> In this case the connections are on port 80. Is it a problem with the
> client's browser or OS? Is it possible that some mobile devices don't
> close their connections correctly to save bandwidth and battery?

Yes, it's not uncommon for various platforms to simply drop  
connections rather than closing them properly.  You can run tcpdrop to  
forcibly get rid of them, but they should time out within a few  
minutes anyway.  If you believe the remote IP is being abusive,  
consider firewalling it....

Regards,
-- 
-Chuck
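
An added example, not part of the message above: a way to see which remote IPs hold FIN_WAIT_2 sockets and to print tcpdrop commands for one of them for review. It assumes FreeBSD's `netstat -an -p tcp` layout (address and port joined by a dot); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in FreeBSD `netstat -an -p tcp` layout (documentation IPs).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          203.0.113.77.51201     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.77.51202     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.77.51203     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.4.40112     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.4.40113     ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN
EOF
}

# Read netstat text on stdin; print "count ip" for every remote IP with at
# least $1 (default 1) sockets in FIN_WAIT_2, busiest first.
fin_wait2_by_ip() {
    awk -v min="${1:-1}" '$1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
        ip = $5
        sub(/\.[^.]*$/, "", ip)      # strip the trailing ".port"
        n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Read netstat text on stdin; print (do not run) one tcpdrop(8) command per
# FIN_WAIT_2 socket whose remote address is $1, so it can be reviewed first.
tcpdrop_cmds() {
    awk -v want="$1" '$1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
        l = $4; lp = l; sub(/.*\./, "", lp); sub(/\.[^.]*$/, "", l)
        f = $5; fp = f; sub(/.*\./, "", fp); sub(/\.[^.]*$/, "", f)
        if (f == want) print "tcpdrop", l, lp, f, fp
    }'
}

# Demo on the constructed sample. On a live host, feed real output instead:
#   netstat -an -p tcp | fin_wait2_by_ip 100
sample_netstat | fin_wait2_by_ip
```

The same IP can then be searched for in the web server's access log to see what it was requesting before deciding whether to drop or firewall it.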



