1m_tcp_accept_queue_overflows

1m_tcp_accept_queue_overflows

OS: Linux

This alert presents the average number of overflows in the TCP accept queue over the last minute.

  • This alert gets raised in a warning state when the value is greater than 1 and less than 5.
  • If the overflow average exceeds 5 in the last minute, then the alert gets raised in critical state.
What is the Accept queue

The accept queue holds fully established TCP connections waiting to be handled by the listening
application. It overflows when the server application fails to accept new connections at the rate
they are coming in.

This alert might also indicate a SYN flood;

A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a
connection to a server without finalizing the connection. The server has to spend resources
waiting for half-opened connections, which can consume enough resources to make the system
unresponsive to legitimate traffic. 1

References and sources
  1. SYN Floods
  2. ip-sysctl.txt
  3. Transmission Control Protocol

Troubleshooting Section

Increase the queue length
  1. Open the /etc/sysctl.conf file and look for the entry " net.ipv4.tcp_max_syn_backlog".

    The tcp_max_syn_backlog is the maximal number of remembered connection requests
    (SYN_RECV), which have not received an acknowledgment from connecting client. 2

  2. If the entry does not exist, you can append the following default entry to the
    file; net.ipv4.tcp_max_syn_backlog=1280. Otherwise, adjust the limit to suit your needs.
  3. Save your changes and run;
    root@netdata~ #sysctl -p 
    
    to apply the changes.

Note: Netdata strongly suggests knowing exactly what values you need before making system changes.