Solutions for a large number of TIME_WAIT TCP connections

Source: Internet
Author: User

After a TCP/IP connection is closed, it is kept in the TIME_WAIT state for a period of time before the port is released. When that period is too long and the port receives frequent requests, a large number of connections accumulate in the TIME_WAIT state; these connections occupy ports and consume a lot of resources. In this case, the TCP/IP kernel parameters can be modified so that these states are dealt with in a timely manner.
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
Run this command. If there is a large number of TIME_WAIT connections, the output looks like this:
FIN_WAIT2 50
TIME_WAIT 15000
If this is the case, the following settings can be used to reduce them.
We open the configuration file with vim (it's a good idea to back up the file before opening it):


Then, in this file, add the following lines of content:

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30

Finally, enter the following command for the kernel parameters to take effect:

The meaning of the above parameters is briefly explained below:

net.ipv4.tcp_syncookies = 1 turns on SYN cookies. When the SYN wait queue overflows, cookies are used to handle the connections, which protects against a small number of SYN attacks. The default is 0, which means off;
net.ipv4.tcp_tw_reuse = 1 turns on reuse. It allows TIME_WAIT sockets to be reused for new TCP connections. The default is 0, which means off;
net.ipv4.tcp_tw_recycle = 1 turns on fast recycling of TIME_WAIT sockets in TCP connections. The default is 0, which means off;
net.ipv4.tcp_fin_timeout modifies the system's default timeout value.

After this adjustment, besides further increasing the load capacity of the server, the server is also protected to a certain degree against DDoS, CC and SYN attacks, so the change has a double benefit.

In addition, if the server itself handles a lot of connections, we can optimize the TCP/IP port range to further improve the concurrency of the server. In the same parameter file as above, add the following configuration:

net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000

These parameters are recommended only for servers with very heavy traffic, where they have a significant effect. On servers with light traffic there is no need to set them. The meanings of these parameters are as follows:

net.ipv4.tcp_keepalive_time = 1200 indicates the frequency at which TCP sends keepalive messages when keepalive is enabled. The default is 2 hours; this changes it to 20 minutes.
net.ipv4.ip_local_port_range = 10000 65000 indicates the range of ports used for outgoing connections. The default range is small, 32768 to 61000; this changes it to 10000 to 65000. (Note: do not set the minimum value too low, otherwise it may take over ports used by normal services!)
net.ipv4.tcp_max_syn_backlog = 8192 indicates the length of the SYN queue. The default is 1024; increasing the queue length to 8192 accommodates more network connections waiting to be established.
net.ipv4.tcp_max_tw_buckets = 5000 indicates the maximum number of TIME_WAIT sockets the system maintains at the same time. If this number is exceeded, TIME_WAIT sockets are cleared immediately and a warning message is printed. The default is 180000; this changes it to 5000. For Apache, Nginx and other servers, the parameters in the preceding lines can be a good way to reduce the number of TIME_WAIT sockets, but for Squid, the effect is not small. This parameter can control the maximum number of TIME_WAIT sockets and keep the Squid server from being dragged to death by a large number of them.
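
A check to run before applying the settings above, as an added example that is not part of the original article. It flags tcp_tw_recycle (the key was removed in Linux 4.12 and the option drops connections from clients behind NAT) and any listening port that falls inside the widened ip_local_port_range. The function name audit_sysctl, the sample file and the listener ports are constructed for illustration; tcp_timestamps and ip_local_reserved_ports are real kernel keys that the article does not mention.

```shell
#!/bin/sh
# Added example (not from the original article): audit a sysctl.conf-style
# file for the TIME_WAIT settings discussed above.
# Usage: audit_sysctl FILE "LISTEN_PORTS"   (space-separated port list)
# Prints one WARN line per finding; prints nothing when the file is clean.
audit_sysctl() {
    awk -v ports="$2" '
    /^[ \t]*([#;]|$)/ { next }                  # skip comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next                       # not a key = value line
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)                  # keys never contain whitespace
        gsub(/^[ \t]+|[ \t]+$/, "", val)        # trim the value
        conf[key] = val                         # a later assignment overrides an earlier one
    }
    END {
        if (conf["net.ipv4.tcp_tw_recycle"] == "1")
            print "WARN tcp_tw_recycle=1: breaks clients behind NAT; removed in Linux 4.12"
        if (conf["net.ipv4.tcp_tw_reuse"] == "1" && conf["net.ipv4.tcp_timestamps"] == "0")
            print "WARN tcp_tw_reuse=1 needs tcp_timestamps=1 to have any effect"
        if ("net.ipv4.ip_local_port_range" in conf) {
            split(conf["net.ipv4.ip_local_port_range"], r, /[ \t]+/)
            lo = r[1] + 0; hi = r[2] + 0
            if (lo < 1024)
                print "WARN ip_local_port_range starts at " lo ": overlaps privileged ports"
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++)            # a listener inside the range can lose its port
                if (p[i] + 0 >= lo && p[i] + 0 <= hi)
                    print "WARN port " p[i] " is inside " lo "-" hi ": list it in net.ipv4.ip_local_reserved_ports"
        }
    }' "$1"
}

# Constructed sample: settings recommended above, plus a constructed
# listener list (80 = web server, 11211 = a cache daemon).
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65000
EOF
audit_sysctl "$sample" "80 11211"
rm -f "$sample"
```

On a live host the port list can be taken from the listening sockets reported by netstat, and the file argument is whichever parameter file the settings were added to.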

This article is from the "Home Birds Paradise" blog, please be sure to keep this source http://birdinroom.blog.51cto.com/7740375/1693449
