Linux – HTTP server, SYN flooding, and DoS attack questions

Tags: denial-of-service, http, linux

I am making an HTTP server in C. It is in a pre-alpha stage but seemed to be stable enough to deploy on my server and run 4 minimal websites. It has been running seamlessly for two days until this morning. The daemon was not running and did not exit cleanly. I looked in the logs and found about 10 lines in a row saying:

[815259.230706] possible SYN flooding on port 80. Sending cookies.

Then no more messages were logged from the HTTP server, so I am assuming this is where it died. I am not sure what signal it received that killed it, so I am assuming it was SIGKILL, SIGSEGV, or SIGABRT because they are not caught, and SIGKILL can't be caught anyway. I looked up SYN flooding and it's a type of DoS attack. I am not sure if the server was actually attacked or not, but the most requests I receive in total for my 4 websites runs about at most 1 per second…not anywhere near enough to be falsely accused of being a DoS attack.

My questions are:

How likely is it that this was a DoS attack?

Would the kernel (Linux) have killed the HTTP server because of this, or did it die on its own?

If the kernel killed it, how do I prevent this from happening? I can't have it dying unexpectedly.

If the kernel did not kill it, was the death likely caused by the SYN flooding and how can I debug it, or is it more likely it is an unrelated programming bug?

What security measures should I take to prevent possible SYN flooding?

EDIT:
The HTTP server has now crashed 3 times with the same scenario occurring.

Best Answer

The Linux kernel is sending a SYN cookie to the remote machine which is doing the possible attack, but not to your web server.

You can read Hardening the TCP/IP stack to SYN attacks to learn more about SYN flooding attacks.

Also, maybe you want to read this guide about Apache debugging and apply some ideas to debug your own server.
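
The question cannot say which signal ended the daemon, so a first debugging step is to record it. The block below is an added example, not code from the original post or answer: it logs the signal number for the two catchable signals the question names (SIGSEGV, SIGABRT) and then lets the process die with the default action. The `httpd:` prefix, the function names, and the assumption that stderr is redirected to the daemon's log are all hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical log prefix; substitute the daemon's own. */
static const char PREFIX[] = "httpd: fatal signal ";

/* Build "<PREFIX><signo>\n" without printf (not async-signal-safe).
 * Returns bytes written, or 0 if buf is too small. */
size_t format_signal_line(int sig, char *buf, size_t cap)
{
    char digits[12];
    size_t nd = 0, len = sizeof PREFIX - 1;
    unsigned v = sig < 0 ? 0u : (unsigned)sig;
    do { digits[nd++] = (char)('0' + v % 10); v /= 10; } while (v);
    if (len + nd + 1 > cap)
        return 0;
    memcpy(buf, PREFIX, len);
    while (nd)
        buf[len++] = digits[--nd];
    buf[len++] = '\n';
    return len;
}

static void on_fatal(int sig)
{
    char line[64];
    size_t n = format_signal_line(sig, line, sizeof line);
    ssize_t r = write(STDERR_FILENO, line, n); /* assumes stderr goes to the log */
    (void)r;
    raise(sig); /* default action was restored by SA_RESETHAND: die as before */
}

/* Install the logger for the catchable signals named in the question. */
int install_fatal_handlers(void)
{
    static const int sigs[] = { SIGSEGV, SIGABRT };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fatal;
    sa.sa_flags = SA_RESETHAND;
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
    return 0;
}
```

Call `install_fatal_handlers()` once at startup, before the accept loop; a SIGKILL will still leave no line, since it cannot be caught.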