An introduction to how Linux systems prevent TCP flood attacks

This article mainly introduces the detailed explanationLinuxHow the system is less vulnerable to TCP flood attacks. The editor thinks it is quite good. Now I will share it with you and give it as a reference. Let’s follow the editor and take a look.

#最关键参数，默认为5，修改为0 表示不要重发 net.ipv4.tcp_synack_retries = 0 #半连接队列长度 net.ipv4.tcp_max_syn_backlog = 200000 #系统允许的文件句柄的最大数目，因为连接需要占用文件句柄 fs.file-max = 819200 #用来应对突发的大并发connect 请求 net.core.somaxconn = 65536 #最大的TCP 数据接收缓冲（字节） net.core.rmem_max = 1024123000 #最大的TCP 数据发送缓冲（字节） net.core.wmem_max = 16777216 #网络设备接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目 net.core.netdev_max_backlog = 165536 #本机主动连接其他机器时的端口分配范围 net.ipv4.ip_local_port_range = 10000 65535 # ……省略其它……

Note that the following parameters should not be opened when facing the external network. Because the side effects are obvious, please google the specific reasons. If it is already turned on, please explicitly change it to 0, and then execute sysctl -p to close it. Because after testing, a large number of connections inTIME_WAITstatusdo not have much impact on the system:

#当出现 半连接 队列溢出时向对方发送syncookies，调大 半连接 队列后没必要 net.ipv4.tcp_syncookies = 0 #TIME_WAIT状态的连接重用功能 net.ipv4.tcp_tw_reuse = 0 #时间戳选项，与前面net.ipv4.tcp_tw_reuse参数配合 net.ipv4.tcp_timestamps = 0 #TIME_WAIT状态的连接回收功能 net.ipv4.tcp_tw_recycle = 0 #当出现 半连接 队列溢出时向对方发送syncookies，调大 半连接 队列后没必要 net.ipv4.tcp_syncookies = 0 #TIME_WAIT状态的连接重用功能 net.ipv4.tcp_tw_reuse = 0 #时间戳选项，与前面net.ipv4.tcp_tw_reuse参数配合 net.ipv4.tcp_timestamps = 0 #TIME_WAIT状态的连接回收功能 net.ipv4.tcp_tw_recycle = 0

In order to handle a large number of connections, another parameter needs to be changed:

# vi /etc/security/limits.conf

Add a line below to allow each user to open a maximum of 409,600 file handles (including connections):

* – nofile 409600

The above is the detailed content of An introduction to how Linux systems prevent TCP flood attacks. For more information, please follow other related articles on the PHP Chinese website!