First, please accept my excuse, but I wanted to know whether my Apache is maybe not optimized, as far as I am sure that I have configured it properly.
It has resolved it by banning the sync IPs that had more than 3 samples of those IPs.
But I am afraid these IPs are real clients or not.
One of my friends told me that one of them that I checked seems to be a client IP address.
I have blocked the following
Greetings,
It's quite alright, I just wanted to let you know that it's most efficient for us to be able to get the entire picture, especially if an issue has been discussed previously with other analysts.
It should be noted that SYN_RECV itself will occur with any connection to Apache -- it's the SYNs that don't complete in a timely fashion that appear suspicious.
Here's a bash command you may find useful. It will list all IP addresses that are connecting to the server, but haven't completed a SYN in 5 seconds:
(netstat -an | grep SYN_RECV; sleep 5; netstat -an | grep SYN_RECV) | awk '{print $5}' | sort | uniq -c | sort -n | awk '$1 > 1 { print $2 }' | awk -F: '{print $1}' | sort | uniq
The IP addresses may not be doing anything malicious, but it's worth investigating if you continue to see any issues. I don't see the current MaxClients setting as being involved in any issues, but then again, I haven't seen this issue occur in real-time. It might be helpful if you re-open this ticket the next time that Apache is completely down, and let us investigate the issue as it's happening.
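
An added example, not part of the original reply: the same two-snapshot check as the one-liner above, written as a function over two saved `netstat -an` snapshots so that it reports how many half-open connections each remote IP kept across both samples and also handles IPv6 peers. The function names, file names and sample addresses (documentation ranges) are constructed for illustration, and the column layout assumed is that of Linux `netstat -an`.

```bash
#!/bin/sh
# Added example (not from the ticket). Assumes Linux `netstat -an` columns:
# proto recv-q send-q local foreign state. Names here are illustrative.

# stuck_syn_peers SNAP1 SNAP2
#   SNAP1 and SNAP2 are files holding `netstat -an` output taken seconds apart.
#   Prints "<count> <ip>" for each remote IP that has connections (same remote
#   ip:port) in SYN_RECV in both snapshots, busiest first.
stuck_syn_peers() {
    awk '
        $6 != "SYN_RECV"      { next }                # skip completed or other states
        FILENAME == ARGV[1]   { first[$5] = 1; next } # half-open pairs in snapshot 1
        ($5 in first) && !seen[$5]++ {                # still half-open in snapshot 2
            ip = $5
            sub(/:[0-9]+$/, "", ip)                   # drop only the port (IPv6-safe)
            stuck[ip]++
        }
        END { for (ip in stuck) print stuck[ip], ip }
    ' "$1" "$2" | sort -k1,1nr -k2,2
}

# demo: runs the check over two constructed snapshots (documentation addresses).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/t0" <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp   0 0 203.0.113.10:80  192.0.2.50:41000     SYN_RECV
tcp   0 0 203.0.113.10:80  192.0.2.50:41001     SYN_RECV
tcp   0 0 203.0.113.10:80  198.51.100.7:52344   SYN_RECV
tcp   0 0 203.0.113.10:80  198.51.100.9:40100   ESTABLISHED
tcp6  0 0 2001:db8::10:80  2001:db8::bad:33000  SYN_RECV
EOF
    cat > "$dir/t5" <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp   0 0 203.0.113.10:80  192.0.2.50:41000     SYN_RECV
tcp   0 0 203.0.113.10:80  192.0.2.50:41001     SYN_RECV
tcp   0 0 203.0.113.10:80  198.51.100.7:52344   ESTABLISHED
tcp   0 0 203.0.113.10:80  198.51.100.7:52390   SYN_RECV
tcp6  0 0 2001:db8::10:80  2001:db8::bad:33000  SYN_RECV
EOF
    stuck_syn_peers "$dir/t0" "$dir/t5"
    rm -rf "$dir"
}

# Live use: netstat -an > t0; sleep 5; netstat -an > t5; stuck_syn_peers t0 t5
demo
```

In the constructed data, 198.51.100.7 is not reported: its first handshake completed and its second connection is new in the later snapshot, which is the behaviour of an ordinary client.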