Wowza Community

Wowza SYN Flood

Hi all,

My Wowza Streaming Server is running a chat application. Recently, I’m receiving too many SYN_RECV connections on Wowza port 1935, which flood Wowza and make it out of service after few minutes. Wowza log look like this:

INFO session disconnect 1952441416 -

INFO session disconnect 1955240045 -

INFO session disconnect 167151322 -

INFO session disconnect 1813218272 -

INFO session disconnect 382043424 -

INFO session disconnect 1634799669 -

INFO session disconnect 434196140 -

INFO session disconnect 208142553 -

INFO session disconnect 312967955 -

INFO session disconnect 1030735855 -

INFO session disconnect 532994105 -

INFO session disconnect 934484918 -

INFO session disconnect 1359350164 -

INFO session disconnect 937454906 -

INFO session disconnect 1952307730 -

INFO session disconnect 1206270288 -

INFO session disconnect 1876885468 -

INFO session disconnect 473147894 -

INFO session disconnect 711912881 -

INFO session disconnect 1059933984 -

INFO session disconnect 943715611 -

INFO session disconnect 608807573 -

INFO session disconnect 114624773 -

INFO session disconnect 1316608946 -

INFO session disconnect 916030303 -

INFO session disconnect 442604681 -

INFO session disconnect 1907610605 -

INFO session disconnect 450414311 -

INFO session disconnect 1970855212 -

INFO session disconnect 2023976249 -

INFO session disconnect 641520525 -

I tried to debug and detect these floods using netstat:

netstat -npt | awk ‘{print $6}’ | sort | uniq -c | sort -nr | head

154 ESTABLISHED

116 SYN_RECV

113 LAST_ACK

44 CLOSE_WAIT

2 FIN_WAIT1

1 TIME_WAIT

1 Foreign

1

The flood size is not very big so the firewall is not detecting it but still annoying Wowza and force it to go down.

Can anybody help me in this problem??

Hi,

It would be best if you can send a ticket to us with a zip copy of the following folders from your Wowza installation so that we can further investigate.

  • conf/

  • logs/

Michelle

Thanks for updating this post and providing a worka around.

Regards,

Salvadore

Hi,

I have opened a ticket for support. They couldn’t help me much, they suggested some iptables’ rules which didn’t work in my case.

I manage to stop the problem partially by changing Wowza TCP port to some random value and using psad to prevent port scanning. psad helped me a lot in blocking hackers IP address automatically.

Thanks anyway