Adding upstream version 1.44.3.upstream/1.44.3upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 100 insertions, 0 deletions

diff --git a/health/health.d/tcp_listen.conf b/health/health.d/tcp_listen.conf
new file mode 100644
index 00000000..9d1104a5
--- /dev/null
+++ b/health/health.d/tcp_listen.conf
@@ -0,0 +1,100 @@
+#
+# There are two queues involved when incoming TCP connections are handled
+# (both at the kernel):
+#
+# SYN queue
+# The SYN queue tracks TCP handshakes until connections are fully established.
+# It overflows when too many incoming TCP connection requests hang in the
+# half-open state and the server is not configured to fall back to SYN cookies.
+# Overflows are usually caused by SYN flood DoS attacks (i.e. someone sends
+# lots of SYN packets and never completes the handshakes).
+#
+# Accept queue
+# The accept queue holds fully established TCP connections waiting to be handled
+# by the listening application. It overflows when the server application fails
+# to accept new connections at the rate they are coming in.
+#
+#
+# -----------------------------------------------------------------------------
+# tcp accept queue (at the kernel)
+
+    alarm: 1m_tcp_accept_queue_overflows
+       on: ip.tcp_accept_queue
+    class: Workload
+     type: System
+component: Network
+       os: linux
+    hosts: *
+   lookup: average -60s unaligned absolute of ListenOverflows
+    units: overflows
+    every: 10s
+     warn: $this > 1
+     crit: $this > (($status == $CRITICAL) ? (1) : (5))
+    delay: up 0 down 5m multiplier 1.5 max 1h
+  summary: System TCP accept queue overflows
+     info: Average number of overflows in the TCP accept queue over the last minute
+       to: silent
+
+# THIS IS TOO GENERIC
+# CHECK: https://github.com/netdata/netdata/issues/3234#issuecomment-423935842
+    alarm: 1m_tcp_accept_queue_drops
+       on: ip.tcp_accept_queue
+    class: Workload
+     type: System
+component: Network
+       os: linux
+    hosts: *
+   lookup: average -60s unaligned absolute of ListenDrops
+    units: drops
+    every: 10s
+     warn: $this > 1
+     crit: $this > (($status == $CRITICAL) ? (1) : (5))
+    delay: up 0 down 5m multiplier 1.5 max 1h
+  summary: System TCP accept queue dropped packets
+     info: Average number of dropped packets in the TCP accept queue over the last minute
+       to: silent
+
+
+# -----------------------------------------------------------------------------
+# tcp SYN queue (at the kernel)
+
+# When the SYN queue is full, either TcpExtTCPReqQFullDoCookies or
+# TcpExtTCPReqQFullDrop is incremented, depending on whether SYN cookies are
+# enabled or not. In both cases this probably indicates a SYN flood attack,
+# so i guess a notification should be sent.
+
+    alarm: 1m_tcp_syn_queue_drops
+       on: ip.tcp_syn_queue
+    class: Workload
+     type: System
+component: Network
+       os: linux
+    hosts: *
+   lookup: average -60s unaligned absolute of TCPReqQFullDrop
+    units: drops
+    every: 10s
+     warn: $this > 1
+     crit: $this > (($status == $CRITICAL) ? (0) : (5))
+    delay: up 10 down 5m multiplier 1.5 max 1h
+  summary: System  TCP SYN queue drops
+     info: Average number of SYN requests was dropped due to the full TCP SYN queue over the last minute \
+           (SYN cookies were not enabled)
+       to: silent
+
+    alarm: 1m_tcp_syn_queue_cookies
+       on: ip.tcp_syn_queue
+    class: Workload
+     type: System
+component: Network
+       os: linux
+    hosts: *
+   lookup: average -60s unaligned absolute of TCPReqQFullDoCookies
+    units: cookies
+    every: 10s
+     warn: $this > 1
+     crit: $this > (($status == $CRITICAL) ? (0) : (5))
+    delay: up 10 down 5m multiplier 1.5 max 1h
+  summary: System TCP SYN queue cookies
+     info: Average number of sent SYN cookies due to the full TCP SYN queue over the last minute
+       to: silent
+