Linux TCP parameter settings

Source: Internet
Author: User

tcp_syn_retries: integer
The default value is 5
Number of SYN retransmissions the kernel sends for a new outgoing connection before giving up. It should not be greater than 255; the default of 5 corresponds to roughly 180 seconds. (On a network with good physical connectivity under heavy load this can be lowered to 2. This value applies only to outgoing connections; incoming connections are governed by tcp_retries1.)

tcp_synack_retries: integer
The default value is 5
For a SYN received from a remote peer, the kernel replies with a SYN+ACK to acknowledge that SYN; this is the second step of the so-called three-way handshake. This parameter sets how many SYN+ACKs the kernel sends before dropping the connection. It should not be greater than 255; the default of 5 corresponds to roughly 180 seconds. (Choose it in line with tcp_syn_retries above.)

tcp_keepalive_time: integer
The default value is 7200 (2 hours)
How often TCP sends keepalive messages once keepalive is enabled. (Because of the attacks seen on today's networks this is exploited very often; a friend on CU also raised the point: if two sides establish a connection and then send neither data nor RST/FIN, doesn't the connection simply persist for the full 2 hours, an idle-connection attack? tcp_keepalive_time is the guard against exactly that. I personally set it to 1800 seconds on NAT servers.)

tcp_keepalive_probes: integer
The default value is 9
Number of keepalive probes TCP sends before concluding that the connection is broken. (Note: keepalive probes are sent only if the SO_KEEPALIVE socket option is enabled.) The default usually need not be changed, although it can be lowered somewhat depending on the situation; 5 is a more appropriate setting.

tcp_keepalive_intvl: integer
The default value is 75
Interval between keepalive probes; multiplied by tcp_keepalive_probes it gives the time from the first probe until an unresponsive connection is killed. The default of 75 seconds means an unresponsive connection is dropped after roughly 11 minutes. (For ordinary applications this is rather large and can be reduced as needed; web-type servers in particular need it smaller, and 15 is a more appropriate value.)
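Added example (Python, not part of the original article): it works out how long a silent peer survives under the three keepalive sysctls above, using the page defaults and the author's NAT values, and shows the per-socket override through the Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT options, which only take effect once SO_KEEPALIVE is set on the socket.

```python
import socket

# Page defaults and the author's tuned values for a NAT box (from the text).
KEEPALIVE_DEFAULTS = {"tcp_keepalive_time": 7200, "tcp_keepalive_probes": 9, "tcp_keepalive_intvl": 75}
KEEPALIVE_NAT = {"tcp_keepalive_time": 1800, "tcp_keepalive_probes": 5, "tcp_keepalive_intvl": 15}


def probe_phase_seconds(params):
    """Seconds from the first unanswered probe until the kernel drops the socket
    (tcp_keepalive_probes * tcp_keepalive_intvl; 9 * 75 = 675 s, about 11 minutes)."""
    return params["tcp_keepalive_probes"] * params["tcp_keepalive_intvl"]


def idle_to_drop_seconds(params):
    """Worst-case idle time before a silent peer is detected: the idle period
    before the first probe plus the whole probe phase."""
    return params["tcp_keepalive_time"] + probe_phase_seconds(params)


def enable_keepalive(sock, params):
    """Turn on SO_KEEPALIVE for one socket and override the sysctl values
    per-socket; without SO_KEEPALIVE no probes are sent at all."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, params["tcp_keepalive_time"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, params["tcp_keepalive_intvl"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, params["tcp_keepalive_probes"])
    return {
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "intvl": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "cnt": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def apply_keepalive_to_new_socket(params):
    """Create a TCP socket, apply the override and read it back; returns None
    where the Linux-specific TCP_KEEP* options or socket creation are unavailable."""
    if not hasattr(socket, "TCP_KEEPIDLE"):
        return None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            return enable_keepalive(sock, params)
    except OSError:
        return None


if __name__ == "__main__":
    for label, p in (("defaults", KEEPALIVE_DEFAULTS), ("NAT", KEEPALIVE_NAT)):
        print(label, "probe phase:", probe_phase_seconds(p), "s, idle to drop:", idle_to_drop_seconds(p), "s")
    print("per-socket override:", apply_keepalive_to_new_socket(KEEPALIVE_NAT))
```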

tcp_retries1: integer
The default value is 3
How many times to retry before giving up on a response to a TCP connection request. The RFC specifies a minimum of 3, which is also the default; depending on the RTO this corresponds to between 3 seconds and 8 minutes. (Note: this value also governs incoming SYN connections.)

tcp_retries2: integer
The default value is 15
How many times to retry before an active (established) TCP connection is dropped. The default of 15 corresponds, depending on the RTO, to 13 to 30 minutes (RFC 1122 requires this to exceed 100 seconds). (This can be reduced somewhat depending on current network conditions; on my network I changed it to 5.)

tcp_orphan_retries: integer
The default value is 7
How many retries the local end makes before dropping a TCP connection. The default of 7 corresponds to 50 seconds to 16 minutes, depending on the RTO. If your system is a heavily loaded web server you may want to lower this value, since such sockets can tie up a lot of resources. See also tcp_max_orphans. (Lowering this value is also clearly beneficial when doing NAT; in my own network environment I reduced it to 3.)

tcp_fin_timeout: integer
The default value is 60
How long a socket closed by this end remains in the FIN-WAIT-2 state. The peer may be down, may not yet have finished closing, or its process may have died unexpectedly. The default is 60 seconds; it was 180 seconds in the 2.2 kernels. You can lower this value, but be aware that on a heavily loaded web server you risk memory filling up with large numbers of stale sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 sockets because they consume at most 1.5K of memory, but they live longer. See also tcp_max_orphans. (Lowering this value is also significant when doing NAT; in my own network environment I reduced it somewhat.)

tcp_max_tw_buckets: integer
The default value is 180000
Maximum number of TIME-WAIT sockets the system handles at the same time. If this number is exceeded, TIME-WAIT sockets are destroyed immediately and a warning message is printed. This limit exists to protect against simple DoS attacks; do not lower it artificially, but if network conditions require more than the default you can raise it (and perhaps add memory). (When doing NAT it is best to raise this value appropriately.)

tcp_tw_recycle: boolean
The default value is 0
Enable fast recycling of TIME-WAIT sockets. Do not change this value unless advised or asked to by a technical expert. (Recommended to enable when doing NAT.)

tcp_tw_reuse: boolean
The default value is 0
Whether a socket in the TIME-WAIT state may be reused for a new TCP connection (very helpful when a service is restarted quickly and needs its port available again immediately).

tcp_max_orphans: integer
The default value is 8192
Maximum number of TCP sockets not attached to any process that the system can handle. If this number is exceeded, such orphaned connections are reset immediately and a warning message is printed. This limit exists purely to protect against simple DoS attacks; do not rely on it or lower it artificially (Red Hat sets this value to 32768 in its distribution; many firewall builds change it, and adjusting it accordingly is recommended).

tcp_abort_on_overflow: boolean
The default value is 0
When the daemon is too busy to accept a new connection, send a reset message to the peer. The default is false, which means that when the overflow is caused by an occasional burst, the connection recovers. Only enable this option when you are certain the daemon really cannot keep up with connection requests, because it affects clients. (For fully loaded services such as Sendmail or Apache it lets clients terminate quickly so the server can work through the connections already in its buffer, which is why many firewall guides recommend enabling it.)

tcp_syncookies: boolean
The default value is 0
This only takes effect if CONFIG_SYNCOOKIES was selected at kernel compile time. When the SYN wait queue overflows, syncookies are sent to the peer instead. The aim is to prevent SYN flood attacks.
Note: this option must not be used on high-load servers that are not under attack. If a SYN-flood message appears in the log but investigation shows there is no SYN flood and the load from legitimate users' connections is simply too high, you should tune other parameters to improve server performance instead. See:
tcp_max_syn_backlog
tcp_synack_retries
tcp_abort_on_overflow
Syncookies seriously violate the TCP protocol and do not allow the use of TCP extensions, which may severely hurt the performance of some services (such as SMTP relaying). (Note that this implementation, like the TCP proxy used on BSD mentioned above, violates the RFC three-way handshake for TCP connections, but it is genuinely useful against SYN floods.)

tcp_stdurg: boolean
The default value is 0
Use the Host Requirements RFC interpretation of the TCP URG pointer field. Most hosts use the old BSD interpretation, so enabling this on Linux may prevent correct communication with them.

tcp_max_syn_backlog: integer
Maximum number of connection requests not yet acknowledged by the client that are kept in the queue. For systems with more than 128MB of memory the default is 1024; below 128MB it is 128. If the server is frequently overloaded, try raising this number. Warning: if you set this value above 1024, you should also change tcp_synq_hsize in include/net/tcp.h so that tcp_synq_hsize*16 <= tcp_max_syn_backlog, and rebuild the kernel.
(A SYN flood exploits a weakness of the TCP handshake: the attacker sends large numbers of TCP SYN half-open connections with forged source IP addresses to the target, eventually exhausting the target's socket queue so that it can no longer accept new connections. To cope with this, modern UNIX systems generally use a two-queue design that buffers (rather than resolves) the attack: one base queue handles normal fully established connections (connect() and accept()), and a separate queue holds the half-open connections. This dual-queue approach, combined with other kernel measures such as syn-cookies/caches, can mitigate small-scale SYN floods fairly effectively (in practice, below 1000 p/s). Increasing the SYN queue length accommodates more connections waiting to complete, so consider raising this value on servers.)

tcp_window_scaling: integer
The default value is 1
Whether the sliding window size of a TCP/IP session is variable. The parameter is effectively Boolean: 1 means variable, 0 means fixed. TCP/IP normally uses a window of at most 65535 bytes, which may be too small for high-speed networks; when this is enabled the TCP/IP sliding window can grow by several orders of magnitude, increasing the ability to transmit data (RFC 1323). (On an ordinary 100 Mbit network, turning it off reduces overhead, so if you are not on a high-speed network you can consider setting it to 0.)

tcp_timestamps: boolean
The default value is 1
Timestamps are used, among other things, to guard against forged sequence numbers. On a 1 Gbit line an old sequence number may wrap and reappear as an out-of-window value (if it came from a previous generation); the timestamp lets the stack recognize it as an "old packet". (This option also enables calculating the RTT in a more precise way than from timeouts, RFC 1323; it should be enabled for better performance.)

tcp_sack: boolean
The default value is 1
Use selective ACK, which can pinpoint exactly which datagrams are missing and so helps recover quickly. This enables selective acknowledgment, which improves performance by selectively acknowledging packets received out of order (so the sender only has to resend the missing segments). (This option should be enabled for WAN traffic, but it increases CPU usage.)

tcp_fack: boolean
The default value is 1
Enable FACK congestion avoidance and fast retransmission. (Note that even when set to 1 this has no effect while tcp_sack is 0.)
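Added example (Python, not from the original article): a small checker for a sysctl.conf fragment that applies the constraints stated in the entries above, the 255 ceiling on tcp_syn_retries/tcp_synack_retries, the RFC minimum for tcp_retries1, the tcp_synq_hsize*16 <= tcp_max_syn_backlog rule from the tcp_max_syn_backlog entry, and the tcp_fack-needs-tcp_sack dependency. The sample configuration is constructed, and the TCP_SYNQ_HSIZE value is an assumed build constant (it lives in include/net/tcp.h, not in sysctl).

```python
# Constructed sysctl.conf fragment (not from a real host): page defaults plus a
# raised SYN backlog, an out-of-range retry count and the fack-without-sack
# combination that the tcp_fack entry warns about.
SAMPLE_SYSCTL_CONF = """
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 300   # out of range, must not exceed 255
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_fack = 1
"""

# TCP_SYNQ_HSIZE is a compile-time constant in include/net/tcp.h; 512 is an
# assumed build value, used only to exercise the hsize*16 <= backlog rule.
ASSUMED_TCP_SYNQ_HSIZE = 512


def parse_sysctl_conf(text):
    """Parse 'key = value' lines into a dict of ints, ignoring blanks and # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        params[key.strip()] = int(value.strip())
    return params


def check_tcp_params(params, synq_hsize=ASSUMED_TCP_SYNQ_HSIZE):
    """Apply the constraints stated in the text and return a list of findings."""
    p = {k.split("net.ipv4.", 1)[-1]: v for k, v in params.items()}
    findings = []
    for name in ("tcp_syn_retries", "tcp_synack_retries"):
        if name in p and p[name] > 255:
            findings.append("%s=%d should not be greater than 255" % (name, p[name]))
    if "tcp_retries1" in p and p["tcp_retries1"] < 3:
        findings.append("tcp_retries1 is below the RFC minimum of 3")
    backlog = p.get("tcp_max_syn_backlog")
    if backlog is not None and backlog > 1024 and synq_hsize * 16 > backlog:
        findings.append("tcp_max_syn_backlog=%d > 1024 but TCP_SYNQ_HSIZE*16=%d exceeds it; "
                        "lower TCP_SYNQ_HSIZE in include/net/tcp.h and rebuild"
                        % (backlog, synq_hsize * 16))
    if p.get("tcp_fack") == 1 and p.get("tcp_sack") == 0:
        findings.append("tcp_fack=1 has no effect because tcp_sack=0")
    return findings


def audit_sysctl_conf(text, synq_hsize=ASSUMED_TCP_SYNQ_HSIZE):
    """Parse and check in one step; the same 'key = value' form as `sysctl -a` output."""
    return check_tcp_params(parse_sysctl_conf(text), synq_hsize)
```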

tcp_dsack: boolean
The default value is 1
Allow TCP to send duplicate SACKs (D-SACK).

tcp_ecn: boolean
The default value is 0
Enable TCP Explicit Congestion Notification (ECN).

tcp_reordering: integer
The default value is 3
Maximum number of reordered datagrams in a TCP stream. (It is generally recommended to raise this slightly, for example to 5.)

tcp_retrans_collapse: boolean
The default value is 1
Provides bug-to-bug compatibility with certain buggy printers. (This support is generally not needed and can be turned off.)

tcp_wmem (3 integer variables): min, default, max
min: Minimum amount of memory reserved for the send buffer of a TCP socket; every TCP socket is guaranteed this much. The default value is 4096 (4K).

default: Amount of memory reserved by default for a TCP socket's send buffer. It overrides the net.core.wmem_default value used by other protocols and is typically below net.core.wmem_default. The default value is 16384 (16K).

max: Maximum amount of memory for a TCP socket's send buffer. This value does not override net.core.wmem_max, and the "static" SO_SNDBUF socket option is not limited by it. The default value is 131072 (128K). (For servers, raising this parameter helps with sending data; in my network environment I set it to 51200 131072 204800.)

tcp_rmem (3 integer variables): min, default, max
min: Minimum amount of memory reserved for a TCP socket's receive buffer; even under memory pressure every TCP socket has at least this much receive buffering. The default value is 8K.

default: Amount of memory reserved by default for a TCP socket's receive buffer. It overrides the net.core.rmem_default value used by other protocols. Together with the defaults of tcp_adv_win_scale and tcp_app_win (with tcp_app_win=0), this value determines a TCP window size of 65535. The default value is 87380.

max: Maximum amount of memory for a TCP socket's receive buffer. This value does not override net.core.rmem_max, and the "static" SO_RCVBUF socket option is not limited by it. The default value is 87380*2 bytes. (As you can see, max is best set to twice the default; this is the main value to raise for NAT. On my network: 51200 131072 204800.)

tcp_mem (3 integer variables): low, pressure, high
low: While TCP is using fewer memory pages than this value, it does not consider freeing memory. (Ideally this value should correspond to the 2nd value of tcp_wmem: that buffer size multiplied by the maximum number of concurrent requests and divided by the page size (131072 * 300 / 4096).)

pressure: When TCP uses more memory pages than this value, it tries to stabilize its memory usage and enters pressure mode, leaving it again when consumption falls below low. (Ideally this value should be the maximum total buffer size TCP can use (204800 * 300 / 4096).)

high: Maximum number of pages all TCP sockets together may use to queue buffered datagrams. (If this value is exceeded, TCP connections are refused, which is why it should not be set too conservatively (512000 * 300 / 4096). The value given here is very large; it can handle many connections, expected to be about 2.5 times as many, or let the existing connections transfer 2.5 times as much data. On my network: 192000 300000 732000.)

In general these values are calculated from the amount of system memory at boot time.

tcp_app_win: integer
The default value is
Reserve max(window/2^tcp_app_win, MSS) bytes of the window for application buffering. 0 means no reservation is made.

tcp_adv_win_scale: integer
The default value is 2
Compute the buffering overhead as bytes/2^tcp_adv_win_scale (if tcp_adv_win_scale > 0) or bytes - bytes/2^(-tcp_adv_win_scale) (if tcp_adv_win_scale <= 0).
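Added example (Python, not from the original article) that carries the buffer arithmetic of the tcp_rmem, tcp_mem and tcp_adv_win_scale entries through in code: the tcp_mem low/pressure/high pages from the author's tuned tcp_wmem and 300 concurrent connections, and the tcp_adv_win_scale overhead formula, which with the 87380-byte tcp_rmem default and scale 2 yields the 65535-byte window quoted under tcp_rmem. The 4096-byte page size and 300-connection count are the figures the text uses, not values read from a live system.

```python
PAGE_SIZE = 4096        # page size assumed in the text's tcp_mem arithmetic
MAX_CONNECTIONS = 300   # the concurrent-connection count used in the text

# The author's tuned tcp_wmem (min, default, max), the 512000 figure the text
# uses for "high", and the kernel defaults the window calculation relies on.
TCP_WMEM_TUNED = (51200, 131072, 204800)
HIGH_BUFFER_BYTES = 512000
TCP_RMEM_DEFAULT = 87380
TCP_ADV_WIN_SCALE_DEFAULT = 2


def tcp_mem_pages(wmem, high_bytes, connections, page_size=PAGE_SIZE):
    """tcp_mem low/pressure/high in pages, following the text's arithmetic:
    low from tcp_wmem's default, pressure from tcp_wmem's max, high from the
    largest per-socket buffer; each is bytes * connections / page size."""
    _, wmem_default, wmem_max = wmem
    return tuple(b * connections // page_size
                 for b in (wmem_default, wmem_max, high_bytes))


def adv_win_overhead(buf_bytes, scale):
    """Receive-buffer bytes reserved for overhead per the tcp_adv_win_scale
    formula: bytes/2^scale when scale > 0, otherwise bytes - bytes/2^(-scale)."""
    if scale > 0:
        return buf_bytes // (1 << scale)
    return buf_bytes - buf_bytes // (1 << -scale)


def advertised_window(buf_bytes, scale):
    """Window left for data once the overhead share is taken out
    (87380 bytes at scale 2 leaves 65535, the figure quoted under tcp_rmem)."""
    return buf_bytes - adv_win_overhead(buf_bytes, scale)


def tcp_mem_sysctl_line(pages):
    """Render the triple in the form used in /etc/sysctl.conf."""
    return "net.ipv4.tcp_mem = %d %d %d" % pages


if __name__ == "__main__":
    pages = tcp_mem_pages(TCP_WMEM_TUNED, HIGH_BUFFER_BYTES, MAX_CONNECTIONS)
    print(tcp_mem_sysctl_line(pages))
    print("window at default rmem/scale:",
          advertised_window(TCP_RMEM_DEFAULT, TCP_ADV_WIN_SCALE_DEFAULT))
```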

tcp_rfc1337: boolean
The default value is 0
This switch enables the fix for the "TIME-WAIT assassination hazard" described in RFC 1337. When enabled, the kernel drops RST packets destined for TCP sockets in the TIME-WAIT state.

tcp_low_latency: boolean
The default value is 0
Allow the TCP/IP stack to prefer low latency over high throughput; disabled in the general case. (It is helpful to enable it when building a Beowulf cluster.)

tcp_westwood: boolean
The default value is 0
Enable the sender-side Westwood congestion control algorithm, which maintains an estimate of throughput and tries to optimize overall bandwidth utilization; it should be enabled for WAN traffic.

tcp_bic: boolean
The default value is 0
Enable Binary Increase Congestion control for fast long-distance networks, which makes better use of links running at gigabit speeds; it should be enabled for WAN traffic.
