TCP time_wait and port exhaustion for servers

Mark Andrews marka at isc.org
Thu Dec 6 00:49:09 UTC 2012


In message <201212052325.qB5NPrZe005631 at xs8.xs4all.nl>, "Miquel van Smoorenburg"
 writes:
> In article <xs4all.20121205220127.7F6F12CA0F17 at drugs.dv.isc.org> you write:
> >
> >In message <CAP-guGW6oXo=UfTfg+SDiFjB4=qxPShO+YfK6vxnLkCC58PvgQ at mail.gmail.co
> m>,
> > William Herrin writes:
> >> The thing is, Linux doesn't behave quite that way.
> >> 
> >> If you do an anonymous connect(), that is you socket() and then
> >> connect() without a bind() in the middle, then the limit applies *per
> >> destination IP:port pair*. So, you should be able to do 30,000
> >> connections to 192.168.1.1 port 80, another 30,000 connections to
> >> 192.168.1.2 port 80, and so on.
> >
> >The socket api is missing a bind + connect call which restricts the
> >source address when making the connect.  This is needed when you
> >are required to use a fixed source address.
> 
> William was talking about the destination address. Linux (and I would
> hope any other network stack) can really open a million connections
> from one source address, as long as it's not to one destination address
> but to lots of different ones. It's not the (srcip,srcport) tuple that
> needs to be unique; it's the (srcip,srcport,dstip,dstport) tuple.
> 
> Anyway, you can actually bind to a source address and still have a
> dynamic source port; just use port 0. Lots of tools do this.
> 
> (for example, strace nc -s 127.0.0.2 127.0.0.1 22 and see what it does)
> 
> Mike.

Eventually the bind call fails.  Below was a 

counter: dest address in hex

16376: 1a003ff9
16377: 1a003ffa
bind: before bind: Can't assign requested address
16378: 1a003ffb
connect: Can't assign requested address
bind: before bind: Can't assign requested address

and if you remove the bind() the connect fails

16378: 1a003ffb
16379: 1a003ffc
connect: Can't assign requested address
16380: 1a003ffd

this is with a simple loop

	socket()
	ioctl(FIONBIO)
	bind(addr++:80)
	connect()

I had a firewall dropping the connection attempts

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the NANOG mailing list