Diffstat (limited to 'health/health.d/tcp_listen.conf')
-rw-r--r-- | health/health.d/tcp_listen.conf | 100 |
1 files changed, 0 insertions, 100 deletions
diff --git a/health/health.d/tcp_listen.conf b/health/health.d/tcp_listen.conf
deleted file mode 100644
index 9d1104a51..000000000
--- a/health/health.d/tcp_listen.conf
+++ /dev/null
@@ -1,100 +0,0 @@
-#
-# There are two queues involved when incoming TCP connections are handled
-# (both at the kernel):
-#
-# SYN queue
-# The SYN queue tracks TCP handshakes until connections are fully established.
-# It overflows when too many incoming TCP connection requests hang in the
-# half-open state and the server is not configured to fall back to SYN cookies.
-# Overflows are usually caused by SYN flood DoS attacks (i.e. someone sends
-# lots of SYN packets and never completes the handshakes).
-#
-# Accept queue
-# The accept queue holds fully established TCP connections waiting to be handled
-# by the listening application. It overflows when the server application fails
-# to accept new connections at the rate they are coming in.
-#
-#
-# -----------------------------------------------------------------------------
-# tcp accept queue (at the kernel)
-
- alarm: 1m_tcp_accept_queue_overflows
- on: ip.tcp_accept_queue
- class: Workload
- type: System
-component: Network
- os: linux
- hosts: *
- lookup: average -60s unaligned absolute of ListenOverflows
- units: overflows
- every: 10s
- warn: $this > 1
- crit: $this > (($status == $CRITICAL) ? (1) : (5))
- delay: up 0 down 5m multiplier 1.5 max 1h
- summary: System TCP accept queue overflows
- info: Average number of overflows in the TCP accept queue over the last minute
- to: silent
-
-# THIS IS TOO GENERIC
-# CHECK: https://github.com/netdata/netdata/issues/3234#issuecomment-423935842
- alarm: 1m_tcp_accept_queue_drops
- on: ip.tcp_accept_queue
- class: Workload
- type: System
-component: Network
- os: linux
- hosts: *
- lookup: average -60s unaligned absolute of ListenDrops
- units: drops
- every: 10s
- warn: $this > 1
- crit: $this > (($status == $CRITICAL) ? (1) : (5))
- delay: up 0 down 5m multiplier 1.5 max 1h
- summary: System TCP accept queue dropped packets
- info: Average number of dropped packets in the TCP accept queue over the last minute
- to: silent
-
-
-# -----------------------------------------------------------------------------
-# tcp SYN queue (at the kernel)
-
-# When the SYN queue is full, either TcpExtTCPReqQFullDoCookies or
-# TcpExtTCPReqQFullDrop is incremented, depending on whether SYN cookies are
-# enabled or not. In both cases this probably indicates a SYN flood attack,
-# so i guess a notification should be sent.
-
- alarm: 1m_tcp_syn_queue_drops
- on: ip.tcp_syn_queue
- class: Workload
- type: System
-component: Network
- os: linux
- hosts: *
- lookup: average -60s unaligned absolute of TCPReqQFullDrop
- units: drops
- every: 10s
- warn: $this > 1
- crit: $this > (($status == $CRITICAL) ? (0) : (5))
- delay: up 10 down 5m multiplier 1.5 max 1h
- summary: System TCP SYN queue drops
- info: Average number of SYN requests was dropped due to the full TCP SYN queue over the last minute \
- (SYN cookies were not enabled)
- to: silent
-
- alarm: 1m_tcp_syn_queue_cookies
- on: ip.tcp_syn_queue
- class: Workload
- type: System
-component: Network
- os: linux
- hosts: *
- lookup: average -60s unaligned absolute of TCPReqQFullDoCookies
- units: cookies
- every: 10s
- warn: $this > 1
- crit: $this > (($status == $CRITICAL) ? (0) : (5))
- delay: up 10 down 5m multiplier 1.5 max 1h
- summary: System TCP SYN queue cookies
- info: Average number of sent SYN cookies due to the full TCP SYN queue over the last minute
- to: silent
-
|