tcp_listen.conf
#
# There are two queues involved when incoming TCP connections are handled
# (both at the kernel):
#
# SYN queue
# The SYN queue tracks TCP handshakes until connections are fully established.
# It overflows when too many incoming TCP connection requests hang in the
# half-open state and the server is not configured to fall back to SYN cookies.
# Overflows are usually caused by SYN flood DoS attacks (i.e. someone sends
# lots of SYN packets and never completes the handshakes).
#
# Accept queue
# The accept queue holds fully established TCP connections waiting to be handled
# by the listening application. It overflows when the server application fails
# to accept new connections at the rate they are coming in.
#
#
# -----------------------------------------------------------------------------
# tcp accept queue (at the kernel)

    alarm: 1m_tcp_accept_queue_overflows
       on: ip.tcp_accept_queue
    class: Workload
     type: System
component: Network
       os: linux
    hosts: *
   lookup: average -60s unaligned absolute of ListenOverflows
    units: overflows
    every: 10s
     warn: $this > 1
     crit: $this > (($status == $CRITICAL) ? (1) : (5))
    delay: up 0 down 5m multiplier 1.5 max 1h
  summary: System TCP accept queue overflows
     info: Average number of overflows in the TCP accept queue over the last minute
       to: silent

# THIS IS TOO GENERIC
# CHECK: https://github.com/netdata/netdata/issues/3234#issuecomment-423935842
    alarm: 1m_tcp_accept_queue_drops
       on: ip.tcp_accept_queue
    class: Workload
     type: System
component: Network
       os: linux
    hosts: *
   lookup: average -60s unaligned absolute of ListenDrops
    units: drops
    every: 10s
     warn: $this > 1
     crit: $this > (($status == $CRITICAL) ? (1) : (5))
    delay: up 0 down 5m multiplier 1.5 max 1h
  summary: System TCP accept queue dropped packets
     info: Average number of dropped packets in the TCP accept queue over the last minute
       to: silent


# -----------------------------------------------------------------------------
# tcp SYN queue (at the kernel)

# When the SYN queue is full, either TcpExtTCPReqQFullDoCookies or
# TcpExtTCPReqQFullDrop is incremented, depending on whether SYN cookies are
# enabled or not. In both cases this probably indicates a SYN flood attack,
# so i guess a notification should be sent.

    alarm: 1m_tcp_syn_queue_drops
       on: ip.tcp_syn_queue
    class: Workload
     type: System
component: Network
       os: linux
    hosts: *
   lookup: average -60s unaligned absolute of TCPReqQFullDrop
    units: drops
    every: 10s
     warn: $this > 1
     crit: $this > (($status == $CRITICAL) ? (0) : (5))
    delay: up 10 down 5m multiplier 1.5 max 1h
  summary: System TCP SYN queue drops
     info: Average number of SYN requests was dropped due to the full TCP SYN queue over the last minute \
           (SYN cookies were not enabled)
       to: silent

    alarm: 1m_tcp_syn_queue_cookies
       on: ip.tcp_syn_queue
    class: Workload
     type: System
component: Network
       os: linux
    hosts: *
   lookup: average -60s unaligned absolute of TCPReqQFullDoCookies
    units: cookies
    every: 10s
     warn: $this > 1
     crit: $this > (($status == $CRITICAL) ? (0) : (5))
    delay: up 10 down 5m multiplier 1.5 max 1h
  summary: System TCP SYN queue cookies
     info: Average number of sent SYN cookies due to the full TCP SYN queue over the last minute
       to: silent
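
The four alarms above can be reproduced by hand from the kernel's TcpExt counters in /proc/net/netstat. The following is an added example, not part of netdata or of this file: it parses two constructed snapshots taken 60 seconds apart and applies the same warn/crit expressions, including the `$status == $CRITICAL` hysteresis. It assumes the chart values are per-second rates, so the 60s average is the counter delta divided by the interval; the function names and sample numbers are made up for illustration.

```python
# Constructed /proc/net/netstat snapshots (trimmed to a few fields), not real host data.
SNAP_T0 = """\
TcpExt: SyncookiesSent ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 0 100 120 0 40
IpExt: InOctets OutOctets
IpExt: 5000 7000
"""
SNAP_T60 = """\
TcpExt: SyncookiesSent ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 0 460 240 0 70
IpExt: InOctets OutOctets
IpExt: 9000 9500
"""

def parse_netstat(text):
    """Return {'TcpExt': {name: int}, ...} from the header/value line pairs."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    out = {}
    for header, values in zip(rows[0::2], rows[1::2]):
        if header[0] != values[0] or len(header) != len(values):
            raise ValueError("header and value lines do not match")
        out[header[0].rstrip(":")] = dict(zip(header[1:], map(int, values[1:])))
    return out

# counter -> (warn, crit when not yet critical, crit once already critical),
# copied from the warn:/crit: lines of the alarms above.
ALARMS = {
    "ListenOverflows": (1, 5, 1),
    "ListenDrops": (1, 5, 1),
    "TCPReqQFullDrop": (1, 5, 0),
    "TCPReqQFullDoCookies": (1, 5, 0),
}

def evaluate(rate, warn, crit_raise, crit_hold, prev_status="CLEAR"):
    """crit: $this > (($status == $CRITICAL) ? (crit_hold) : (crit_raise))"""
    crit = crit_hold if prev_status == "CRITICAL" else crit_raise
    if rate > crit:
        return "CRITICAL"
    return "WARNING" if rate > warn else "CLEAR"

def check(before, after, seconds, prev=None):
    """Evaluate every alarm on the average per-second rate between snapshots."""
    prev = prev or {}
    a, b = parse_netstat(before)["TcpExt"], parse_netstat(after)["TcpExt"]
    return {
        name: evaluate(abs(b[name] - a[name]) / seconds, *th, prev.get(name, "CLEAR"))
        for name, th in ALARMS.items()
    }

if __name__ == "__main__":
    print(check(SNAP_T0, SNAP_T60, 60))
```

The lower threshold that applies once an alarm is already critical is why a SYN queue alarm keeps firing until drops or cookies fall to zero, while an accept queue alarm clears at an average of 1 or below.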