如何检查 Linux 上哪个进程正在泛滥 TCP SYN 连接?

tag-icon tag-icon linux networking tcp netstat lsof
如何检查 Linux 上哪个进程正在泛滥 TCP SYN 连接?

我的服务器运行的是 Fedora Core 13。有一天我发现有很多异常流量试图与外部主机发起 TCP 连接。我尝试删除默认路由和 DNS 服务器配置,但流量却从 localhost 变为 localhost。以下是我收集的一些数据:

[root@svr /]# tshark -pni lo | grep '22 \[SYN' | head 
Running as user "root" and group "root". This could be dangerous.
Capturing on lo
  0.000226    127.0.0.1 -> 127.0.0.1    TCP 38805 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307237 TSER=0 WS=6
  0.004381    127.0.0.1 -> 127.0.0.1    TCP 38806 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307241 TSER=0 WS=6
  0.009740    127.0.0.1 -> 127.0.0.1    TCP 38811 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307246 TSER=0 WS=6
  0.014950    127.0.0.1 -> 127.0.0.1    TCP 38812 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307252 TSER=0 WS=6
  0.018930    127.0.0.1 -> 127.0.0.1    TCP 38817 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307256 TSER=0 WS=6
  0.022737    127.0.0.1 -> 127.0.0.1    TCP 38818 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307259 TSER=0 WS=6
  0.026949    127.0.0.1 -> 127.0.0.1    TCP 38823 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307264 TSER=0 WS=6
  0.030749    127.0.0.1 -> 127.0.0.1    TCP 38824 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307267 TSER=0 WS=6
  0.034732    127.0.0.1 -> 127.0.0.1    TCP 38829 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307271 TSER=0 WS=6
  0.038591    127.0.0.1 -> 127.0.0.1    TCP 38830 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307275 TSER=0 WS=6
[root@svr /]#
[root@svr /]# lsof -n -i :22
COMMAND  PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd    1821 root    3u  IPv4      11689      0t0  TCP *:ssh (LISTEN)
sshd    1821 root    4u  IPv6      11693      0t0  TCP *:ssh (LISTEN)
ssh     2401 root    4u  IPv4 1010098785      0t0  TCP 172.17.2.128:56650->172.17.5.1:ssh (ESTABLISHED)
sshd    7126 root    3u  IPv4  998744449      0t0  TCP 10.10.91.220:ssh->10.10.91.250:46490 (ESTABLISHED)
[root@svr /]#
[root@svr /]# netstat -anpt | grep :22
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1821/sshd           
tcp        0      0 127.0.0.1:48011             127.0.0.1:22                ESTABLISHED -                   
tcp      300      0 127.0.0.1:22                127.0.0.1:48011             ESTABLISHED -                   
tcp        0      0 10.10.91.220:22             10.10.91.250:46490          ESTABLISHED 7126/3              
tcp        0      0 172.17.2.128:56650          172.17.5.1:22               ESTABLISHED 2401/ssh            
tcp        0      0 :::22                       :::*                        LISTEN      1821/sshd

所以我的问题是如何找出哪个进程正在淹没 TCP 连接?

短暂性失眠!

答案1

非常相似的问题已得到解答这里简而言之 - 要捕获 syn 状态,您应该以某种方式阻止此状态。对于您来说,类似这样的操作:

# block state transition
iptables -I OUTPUT -o lo -p tcp -m tcp --port 22 -d 127.0.0.1 --syn -j DROP
sleep <some-seconds>
netstat -anpt | grep :22
# unblock (remove first rule)
iptables -D OUTPUT 1

相关内容