red Incoming connections refused: port scanner (Satan?) attack

From: Carlos Sevillano (carlos_sevillano@ureach.com)
Date: Tue May 04 2004 - 23:13:19 EDT


Solaris 8
RICHPse
TCP Stack Retrans errors.

The system is a back-end for an Internet Application/Portal:
Weblogic (15 instances/apps)
Java JDK
Webservers (with hooks to DMZ and external Internet clients)
Communication to Internal Network Oracle and MQ systems.
One NIC card (100/Full-Duplex no packet errors).

I have a system that shows TCP stack re-trans bytes and
retransmissions rates of 0.11%.

What can I tune or change to try and lower these?
Are they a real concern?
Do I have a security problem?

On netstat -in, netstat -k I don't see any network problems.
SUN and snoops did not reveal any problems on the machine. The
network folks and sniffers took in too much data and no one can
makes heads or tails of it. However, one tool shows TCP stack
problems. The RICHPse shows these errors:

red Incoming connections refused: port scanner (Satan?) attack

TCP segment retransmission rate : 0.11 % (on machines
without this problem this metric is .04% or less)

TCP measures Rate/s
Input bytes 174813.59
Output bytes 174480.24
Input segments 369.28
Output segments 401.50

Retrans bytes 7031.16
Retrans percent 4.03
Duplicate bytes 0.00
Duplicate percent 0.00

Active Opens (connects) 2.48
Attempt Fails 0.00

Passive Opens (accepts) 9.91
RSTs generated 4.96
Listen Drops 0.00
Listen Drops (from Q0) 0.00
Half Open Drops 0.00

TCP RULE THRESHOLDS

TCP_ACTIVE default=2.0KB/s getenv=2.0KB/s ignore if no output activity
TCP_RETRANS_WARN default=15.0% getenv=15.0% moderate retransmissions
TCP_RETRANS_PROBLEM default=25.0% getenv=25.0% excessive retransmissions
TCP_LISTEN_WARN default=0.00/s getenv=0.00/s look out for listen drops
TCP_LISTEN_PROBLEM default=0.50/s getenv=0.50/s excessive listen drops
TCP_HALFOPEN_PROBLEM default=2.00/s getenv=2.00/s excessive dubious SYNs
TCP_RST_WARN default=0.50/s getenv=0.50/s moderate RSTs generated
TCP_RST_PROBLEM default=2.00/s getenv=2.00/s excessive RSTs generated
TCP_ATTEMPT_FAILS default=2.00/s getenv=2.00/s excessive connect failures
TCP_DUP_WARN default=15.0% getenv=15.0% moderate dups (remote retran)
TCP_DUP_PROBLEM default=25.0% getenv=25.0% excessive dups (remote retran)

This is typical of this machine. Users have intermittent
time-out issues and I want to know if the values above can have
something to do with it?!

Because it warns of possible port scanners we ran Satan against
the machine and got these warnings (snoop scans on these ports
showed no activity 73, 586, 1299, 1024, and 906):

system1.corp.com|73:TCP|a|||||offers 73:TCP
system1.corp.com|backdoor|a|ht|ANY@system1.corp.com|ANY@system1.corp.com|distributed
denial of service|Possible mstream handler detected

system1.corp.com|586/TCP|a|g||||586/TCP
system1.corp.com|backdoor|a|ht|ANY@system1.corp.com|ANY@system1.corp.com|distributed
denial of service|Possible stacheldraht handler detected

system1.corp.com|1299/TCP|a|g||||1299/TCP
system1.corp.com|backdoor|a|zcio|ANY@system1.corp.com|ANY@system1.corp.com|Vulnerability
Exploits|Possible backdoor: ingreslock

system1.corp.com|1025/TCP|a|g||||1025/TCP
system1.corp.com|backdoor|a|ht|ANY@system1.corp.com|ANY@system1.corp.com|distributed
denial of service|Possible trinoo master detected

system1.corp.com|906:TCP|a|||||offers 906:TCP
system1.corp.com|backdoor|a|ht|ANY@system1.corp.com|ANY@system1.corp.com|distributed
denial of service|Possible shaft handler detected

Any thoughts or help is/are appreciated.

Carlos
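An added example (not part of Carlos's post or the SE toolkit) that applies the TCP rule thresholds quoted above to the "TCP measures" figures, so that the counter driving the red state can be seen directly; it also shows that the 4.03 "Retrans percent" is the byte-based ratio of Retrans bytes to Output bytes. The white/green/amber/red state ordering, the use of max() over the two listen-drop counters, and the input layout are assumptions.

```python
import re

# Constructed from the per-second figures quoted in the post.
TCP_MEASURES = """\
Output bytes 174480.24
Retrans bytes 7031.16
Attempt Fails 0.00
RSTs generated 4.96
Listen Drops 0.00
Listen Drops (from Q0) 0.00
Half Open Drops 0.00
"""

LEVELS = ["white", "green", "amber", "red"]  # assumed SE-style state ordering
TCP_ACTIVE = 2.0 * 1024  # bytes/s of output below which the rule is ignored

def parse_measures(text):
    """Turn 'name value' lines into {name: float}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+([0-9.]+)$", line.strip())
        if m:
            out[m.group(1)] = float(m.group(2))
    return out

def evaluate(meas):
    """Apply the TCP_* default thresholds from the post; return state, retrans % and reasons."""
    if meas["Output bytes"] < TCP_ACTIVE:
        return {"state": "white", "retrans_pct": 0.0, "reasons": ["no output activity"]}
    # Byte-based retransmission percentage (reproduces the "Retrans percent" line).
    pct = round(100.0 * meas["Retrans bytes"] / meas["Output bytes"], 2)
    # (label, value, warn, problem); warn=None means the rule has no warning level.
    metrics = [
        ("retransmissions %", pct, 15.0, 25.0),                  # TCP_RETRANS_WARN/PROBLEM
        ("RSTs generated/s", meas["RSTs generated"], 0.5, 2.0),  # TCP_RST_WARN/PROBLEM
        ("listen drops/s", max(meas["Listen Drops"], meas["Listen Drops (from Q0)"]), 0.0, 0.5),
        ("half-open drops/s", meas["Half Open Drops"], None, 2.0),  # TCP_HALFOPEN_PROBLEM
        ("connect failures/s", meas["Attempt Fails"], None, 2.0),   # TCP_ATTEMPT_FAILS
    ]
    state, reasons = "green", []
    for label, value, warn, problem in metrics:
        level = ("red" if problem is not None and value > problem else
                 "amber" if warn is not None and value > warn else "green")
        if level != "green":
            reasons.append(f"{level}: {label} = {value}")
            if LEVELS.index(level) > LEVELS.index(state):
                state = level
    return {"state": state, "retrans_pct": pct, "reasons": reasons}
```

On the posted figures only the RST rate (4.96/s against a 2.00/s problem threshold) trips, which is the counter the SE toolkit associates with refused incoming connections rather than the 4.03% retransmission ratio, which sits well below the 15% warning level.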

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:36 EDT