blob: dad462ebf1075349044fdcabdc63b361bf7a773f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
#
# There are two queues involved when incoming TCP connections are handled
# (both at the kernel):
#
# SYN queue
# The SYN queue tracks TCP handshakes until connections are fully established.
# It overflows when too many incoming TCP connection requests hang in the
# half-open state and the server is not configured to fall back to SYN cookies.
# Overflows are usually caused by SYN flood DoS attacks (i.e. someone sends
# lots of SYN packets and never completes the handshakes).
#
# Accept queue
# The accept queue holds fully established TCP connections waiting to be handled
# by the listening application. It overflows when the server application fails
# to accept new connections at the rate they are coming in.
#
#
# -----------------------------------------------------------------------------
# tcp accept queue (at the kernel)
alarm: 1m_tcp_accept_queue_overflows
on: ip.tcp_accept_queue
os: linux
hosts: *
lookup: average -60s unaligned absolute of ListenOverflows
units: overflows
every: 10s
warn: $this > 1
crit: $this > (($status == $CRITICAL) ? (1) : (5))
delay: up 0 down 5m multiplier 1.5 max 1h
info: average number of overflows in the TCP accept queue over the last minute
to: sysadmin
# THIS IS TOO GENERIC
# CHECK: https://github.com/netdata/netdata/issues/3234#issuecomment-423935842
alarm: 1m_tcp_accept_queue_drops
on: ip.tcp_accept_queue
os: linux
hosts: *
lookup: average -60s unaligned absolute of ListenDrops
units: drops
every: 10s
warn: $this > 1
crit: $this > (($status == $CRITICAL) ? (1) : (5))
delay: up 0 down 5m multiplier 1.5 max 1h
info: average number of dropped packets in the TCP accept queue over the last minute
to: sysadmin
# -----------------------------------------------------------------------------
# tcp SYN queue (at the kernel)
# When the SYN queue is full, either TcpExtTCPReqQFullDoCookies or
# TcpExtTCPReqQFullDrop is incremented, depending on whether SYN cookies are
# enabled or not. In both cases this probably indicates a SYN flood attack,
# so i guess a notification should be sent.
alarm: 1m_tcp_syn_queue_drops
on: ip.tcp_syn_queue
os: linux
hosts: *
lookup: average -60s unaligned absolute of TCPReqQFullDrop
units: drops
every: 10s
warn: $this > 1
crit: $this > (($status == $CRITICAL) ? (0) : (5))
delay: up 10 down 5m multiplier 1.5 max 1h
info: average number of SYN requests was dropped due to the full TCP SYN queue over the last minute \
(SYN cookies were not enabled)
to: sysadmin
alarm: 1m_tcp_syn_queue_cookies
on: ip.tcp_syn_queue
os: linux
hosts: *
lookup: average -60s unaligned absolute of TCPReqQFullDoCookies
units: cookies
every: 10s
warn: $this > 1
crit: $this > (($status == $CRITICAL) ? (0) : (5))
delay: up 10 down 5m multiplier 1.5 max 1h
info: average number of sent SYN cookies due to the full TCP SYN queue over the last minute
to: sysadmin
|
