nanog mailing list archives

Re: TCP time_wait and port exhaustion for servers

From: Mark Andrews <marka () isc org>
Date: Thu, 06 Dec 2012 11:49:09 +1100


In message <201212052325.qB5NPrZe005631 () xs8 xs4all nl>, "Miquel van Smoorenburg"
 writes:

In article <xs4all.20121205220127.7F6F12CA0F17 () drugs dv isc org> you write:


In message <CAP-guGW6oXo=UfTfg+SDiFjB4=qxPShO+YfK6vxnLkCC58PvgQ () mail gmail co

m>,

William Herrin writes:

The thing is, Linux doesn't behave quite that way.

If you do an anonymous connect(), that is you socket() and then
connect() without a bind() in the middle, then the limit applies *per
destination IP:port pair*. So, you should be able to do 30,000
connections to 192.168.1.1 port 80, another 30,000 connections to
192.168.1.2 port 80, and so on.


The socket api is missing a bind + connect call which restricts the
source address when making the connect.  This is needed when you
are required to use a fixed source address.


William was talking about the destination address. Linux (and I would
hope any other network stack) can really open a million connections
from one source address, as long as it's not to one destination address
but to lots of different ones. It's not the (srcip,srcport) tuple that
needs to be unique; it's the (srcip,srcport,dstip,dstport) tuple.

Anyway, you can actually bind to a source address and still have a
dynamic source port; just use port 0. Lots of tools do this.

(for example, strace nc -s 127.0.0.2 127.0.0.1 22 and see what it does)

Mike.


Eventually the bind call fails.  Below was a 

counter: dest address in hex

16376: 1a003ff9
16377: 1a003ffa
bind: before bind: Can't assign requested address
16378: 1a003ffb
connect: Can't assign requested address
bind: before bind: Can't assign requested address

and if you remove the bind() the connect fails

16378: 1a003ffb
16379: 1a003ffc
connect: Can't assign requested address
16380: 1a003ffd

this is with a simple loop

        socket()
        ioctl(FIONBIO)
        bind(addr++:80)
        connect()

I had a firewall dropping the connection attempts

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

Re: TCP time_wait and port exhaustion for servers, (continued)
- - - Re: TCP time_wait and port exhaustion for servers joel jaeggli (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers William Herrin (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Owen DeLong (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers William Herrin (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Mark Andrews (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers William Herrin (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Mark Andrews (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 06)
    - Re: TCP time_wait and port exhaustion for servers Miquel van Smoorenburg (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Mark Andrews (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Mark Andrews (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers William Herrin (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Jon Lewis (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Fred Baker (fred) (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers David Conrad (Dec 05)
    - RE: TCP time_wait and port exhaustion for servers Terry Baranski (Dec 05)
    - Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Owen DeLong (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Cyril Bouthors (Dec 05)
  - Re: TCP time_wait and port exhaustion for servers Jon Lewis (Dec 05)

(Thread continues...)