# Netstat Statistics



## shinx (Mar 7, 2019)

Hi all, could someone point me to a good place where I can read more about the details in the statistics shown by `netstat -s`?

Would like to know more on "acks for unsent data" particularly.

Also, is it normal to have a large number for "acks for unsent data"?

Here is the count for "acks for unsent data" on one of my high-traffic servers.

```
166807884067 acks for unsent data
```


----------



## VladiBG (Mar 7, 2019)

http://www.cs.williams.edu/~tom/weavingCS/s07/demos/UDP-TCP-SlidesS07-pt2.pdf


----------



## shinx (Mar 7, 2019)

VladiBG said:


> http://www.cs.williams.edu/~tom/weavingCS/s07/demos/UDP-TCP-SlidesS07-pt2.pdf



Thanks for the link.

But I don't quite understand why my server is receiving so many "acks for unsent data". Under what circumstances will my server receive such a huge number of "acks" for some unsent data? Why would my server receive "acks" in the first place for something it did not send?

The 3-way handshake of TCP works in this order, right?

```
Client A [SYN] -------> Client B
Client A <------- [SYN - ACK] Client B
Client A [ACK] -------> Client B
```

Did I understand correctly that "acks for unsent data" is the ack packets received at my server end without my server sending out the SYN packet in the first place?

Could someone please shed some light on this for me? Thanks.


----------



## SirDice (Mar 7, 2019)

shinx said:


> Under what circumstances will my server receive such a huge number of "acks" for some unsent data? Why would my server receive "acks" in the first place for something it did not send?


https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html

This attack may not be directed at you though, your IP address could simply be used as a spoofed source address causing all response packets to end up on your doorstep.

Similar to spam using your email address as the sender and you end up with a whole bunch of undeliverables.


----------



## shinx (Mar 7, 2019)

SirDice said:


> https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html
>
> ...



Oh dear... is there a way to find out the origin where the traffic is coming from?

While I am trying to find a way to mitigate this, is there a way to fix this before my server gets paralyzed?


----------



## SirDice (Mar 7, 2019)

shinx said:


> Oh dear... is there a way to find out the origin where the traffic is coming from?


Nope. You only see the aftermath. 



shinx said:


> is there a way to fix this before my server gets paralyzed?


A properly set up firewall should block these "random" ACK packets since they don't belong to any existing session.


----------



## shinx (Mar 7, 2019)

SirDice said:


> Nope. You only see the aftermath.



Alright. So the huge number in acks for unsent data is not something to worry about?


----------



## VladiBG (Mar 7, 2019)

Is this a router with NAT? Maybe you are receiving some ACK packages that are from terminated applications behind your router and those ACK packages are with invalid seq or ack number.


----------



## SirDice (Mar 7, 2019)

I'd keep an eye on it but not worry about it too much as long as your application doesn't get impacted. I would certainly go have a look at the firewall rules. As I said, they're apparently not part of any existing sessions so a firewall should block them.


----------
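
Added example, not part of any post in this thread: the figure from `netstat -s` is a cumulative counter, so keeping an eye on it, as suggested above, means sampling it and looking at how fast it grows. The function names and the sample snapshot are constructed for illustration, and `netstat -s -p tcp` is assumed to be the FreeBSD invocation available on the host.

```shell
#!/bin/sh
# Added example: watch the growth rate of "acks for unsent data" rather
# than the cumulative total that `netstat -s` reports.

# Print the counter in front of LABEL in `netstat -s -p tcp` text on stdin.
extract_counter() {
    awk -v label="$1" '{
        line = $0
        sub(/^[ \t]+/, "", line)          # counter lines are tab-indented
        if ($1 ~ /^[0-9]+$/ && line == ($1 " " label)) { print $1; exit }
    }'
}

# Events per second between two samples. A current value below the previous
# one means the counter restarted (for example after a reboot), so the
# current value is taken as the whole delta.
rate_per_sec() {
    p=$1; c=$2; s=$3
    if [ "$c" -lt "$p" ]; then p=0; fi
    echo $(( (c - p) / s ))
}

# Constructed snapshot in the layout of the tcp section (values made up);
# $1 is the value to place on the "acks for unsent data" line.
sample_snapshot() {
    printf 'tcp:\n\t9000 packets received\n\t\t5000 acks (for 700000 bytes)\n'
    printf '\t\t40 duplicate acks\n\t\t%s acks for unsent data\n' "$1"
}

# Sample the live counter every INTERVAL seconds and print the rate.
watch_unsent_acks() {
    interval=${1:-10}
    prev=$(netstat -s -p tcp | extract_counter "acks for unsent data")
    while sleep "$interval"; do
        cur=$(netstat -s -p tcp | extract_counter "acks for unsent data")
        echo "$(date +%T) unsent-data acks/s: $(rate_per_sec "$prev" "$cur" "$interval")"
        prev=$cur
    done
}

# Only touch the live system when asked to: sh script.sh --watch 10
if [ "${1:-}" = "--watch" ]; then
    watch_unsent_acks "${2:-10}"
fi
```

A rate that stays flat after stateful firewall rules are in place suggests the stray ACKs are being dropped before they reach the TCP stack.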



## shinx (Mar 7, 2019)

VladiBG said:


> Is this a router with NAT? Maybe you are receiving some ACK packages that are from terminated applications behind your router and those ACK packages are with invalid seq or ack number.



Nope. It is a web server.




SirDice said:


> I'd keep an eye on it but not worry about it too much as long as your application doesn't get impacted. I would certainly go have a look at the firewall rules. As I said, they're apparently not part of any existing sessions so a firewall should block them.




Alright, thanks guys.


----------

