# Situation



## aurel22 (Nov 28, 2018)

Hello,
I have a dedicated server with the FreeBSD 11.1 operating system, and when I type dmesg I get this error:

```
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
sonewconn: pcb 0xfffffe0095acfab8: Listen queue overflow: 193 already in queue awaiting acceptance
```

I have a LAN interface i210, and when the server hosted on it is attacked, these messages occur.
Can you help me with some advice?
Thanks!


----------



## VladiBG (Nov 28, 2018)

First update your FreeBSD version to 11.2.
Do you have a firewall to limit the concurrent connections per IP?


----------



## aurel22 (Nov 29, 2018)

Yes, I updated it; it is 11.2 with the latest updates, and I have a firewall active.


----------



## VladiBG (Nov 29, 2018)

Check which service/port is getting this overflow with
`netstat -Aan | grep 0xfffffe0095acfab8`

Then check why this service is processing those new connections slowly (_service concurrent connection limit / storage / CPU ... etc._), which causes the new connections to get queued, and/or try to limit the simultaneous connections per IP with your firewall if you believe that this is some DDoS attack.

You can also check the current listen queues with
`netstat -Lan`


----------



## aurel22 (Nov 29, 2018)

I use ipfw and pf for firewalls.
That attack came on the game server login port.
When I run `netstat -Lan` the result is:

```
tcp4  192/0/128                          xxx.xxx.xxx.xxx.11002
```

Pf blocks those IPs (call them spoofed IPs), but there are too many, and players cannot log in to the server.
Pf rules are:

```
pass in inet proto icmp all icmp-type echoreq

pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
    (max-src-conn 40, max-src-conn-rate 20/5, overload <abusive_hosts> flush)

pass in on $ext_if proto tcp to any port 11002 flags S/SA synproxy state \
    (max-src-conn-rate 3/30, overload <abusive_hosts> flush)

pass in on $ext_if proto tcp to any port $game_ports flags S/SA synproxy state \
    (max-src-conn 40, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

pass in on $ext_if proto udp to any port $game_ports keep state \
    (max-src-conn 40, max-src-conn-rate 25/5, overload <abusive_hosts> flush)
```

We also have a firewall on, ipfw, where we let just the necessary ports open, and UDP is off.
Thanks!
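A small check that turns the `netstat -Lan` output discussed in this thread into alerts, added here as an example; it is not part of the original thread or either poster's setup. It assumes the FreeBSD `netstat -Lan` column layout (qlen/incqlen/maxqlen, then the local address) and that the kernel logs "Listen queue overflow" once the accept queue exceeds 1.5 times the listen backlog (which is why a 128 backlog overflows at 193, as in the dmesg lines above); the sample rows and addresses are constructed.

```shell
#!/bin/sh
# Flag TCP listeners whose accept queue is close to, at, or past the
# point where FreeBSD's sonewconn() starts refusing new connections.
# Reads `netstat -Lan` output on stdin; prints one line per listener
# that needs attention: OVERFLOW (kernel is dropping), FULL (qlen has
# reached the backlog) or WARN (queue at least half full).
check_listen_queues() {
    awk '
        # Only TCP listener rows: "tcp4  qlen/incqlen/maxqlen  local.addr.port"
        $1 ~ /^(tcp4|tcp6)$/ && $2 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
            split($2, q, "/")
            qlen = q[1] + 0; incq = q[2] + 0; maxq = q[3] + 0
            # Overflow threshold used by the kernel: qlen > 3 * backlog / 2
            limit = int(3 * maxq / 2)
            if (qlen > limit)            state = "OVERFLOW"
            else if (qlen >= maxq)       state = "FULL"
            else if (qlen * 2 >= maxq)   state = "WARN"   # half full (my choice)
            else next
            printf "%s %s qlen=%d incqlen=%d maxqlen=%d\n", state, $3, qlen, incq, maxq
        }
    '
}

# Constructed sample shaped like FreeBSD `netstat -Lan` output; the
# 11002 row mirrors the situation in the thread (backlog 128, 193 queued).
SAMPLE='Current listen queue sizes (qlen/incqlen/maxqlen)
Proto Listen                           Local Address
tcp4  0/0/128                          *.22
tcp4  193/0/128                        192.0.2.10.11002
tcp4  70/3/128                         192.0.2.10.8080
tcp4  128/0/128                        *.443'

run_sample() {
    printf '%s\n' "$SAMPLE" | check_listen_queues
}

run_sample
```

On a live host, run `netstat -Lan | check_listen_queues` from cron or a monitoring agent; the address column tells you which service's backlog is the one the dmesg message refers to.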


----------



## VladiBG (Nov 29, 2018)

If the abusive host is from the same IP range you can block it instead of trying to limit its connections. You can check the connections with `pfctl -s states`.


----------



## Crivens (Nov 29, 2018)

What game is that, if I may ask?


----------



## VladiBG (Nov 29, 2018)

You can guess it by the port number.


----------



## Crivens (Nov 29, 2018)

Yes, and that is why this thread stops here.
Please READ the sticky threads about Metin!


----------

