Adjust TCP Parameters to prevent DDoS attacks

Source: Internet
Author: User


VM service providers may be attacked while in operation. Common attacks are SYN floods and other DDoS attacks. Changing the IP address of the attacked site can sidestep an attack, but the service interruption is long. A thorough solution is to add a hardware firewall, but hardware firewalls are expensive. Instead, the firewall functions built into the Linux system can be used to defend against these attacks.

A SYN flood abuses the three-way handshake of the TCP/IP protocol: the attacker sends a large number of connection-establishing (SYN) packets but never actually completes the connections. Eventually the attacked server's connection queue fills up and normal users can no longer get in.

The Linux kernel provides several SYN-related settings. Run the following command to list them:

sysctl -a | grep syn

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.tcp_syncookies = 0

net.ipv4.tcp_synack_retries = 5

net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the length of the SYN queue (the queue of half-open connections). tcp_syncookies is a switch that controls whether the SYN cookie function is enabled, which can block some SYN attacks. tcp_synack_retries and tcp_syn_retries define how many times a SYN-ACK or SYN is retransmitted. Increasing the SYN queue length lets the server hold more connections waiting to complete the handshake; enabling SYN cookies can block some SYN attacks, and reducing the retry counts frees half-open entries sooner.

To adjust these settings, follow these steps:

Increase the SYN queue length to 2048:

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Enable the SYN cookie function:

sysctl -w net.ipv4.tcp_syncookies=1

Reduce the number of retries:

sysctl -w net.ipv4.tcp_synack_retries=3

sysctl -w net.ipv4.tcp_syn_retries=3

To keep this configuration across a system restart, add the preceding commands to the /etc/rc.d/rc.local file.
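As an added example that is not part of the original post, the following POSIX shell audit reads sysctl-style "key = value" output and checks the four keys above against the recommended values, so a defender can verify the tuning actually took effect. The sample input is constructed inline from the default values the text shows; the function, variable and status names are this example's own.

```shell
#!/bin/sh
# Constructed sample: the default values the text shows for these keys.
SAMPLE_DEFAULTS='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'
TUNED_KEYS='net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_syncookies net.ipv4.tcp_synack_retries net.ipv4.tcp_syn_retries'

# Value the text recommends for each tuned key (empty for any other key).
recommended() {
    case "$1" in
        net.ipv4.tcp_max_syn_backlog) echo 2048 ;;
        net.ipv4.tcp_syncookies)      echo 1 ;;
        net.ipv4.tcp_synack_retries|net.ipv4.tcp_syn_retries) echo 3 ;;
        *) echo "" ;;
    esac
}

# audit_syn_sysctl: read "key = value" lines (the format sysctl prints) on
# stdin, print "key current recommended STATUS" per tuned key, and return 1
# if any key is missing or weaker than recommended, 0 if all are acceptable.
audit_syn_sysctl() {
    status=0; seen=""
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        want=$(recommended "$key")
        [ -n "$want" ] || continue
        seen="$seen $key"
        case "$key" in
            # Queue length: larger than recommended is fine; smaller is weak.
            *backlog) if [ "$val" -ge "$want" ]; then state=OK; else state=LOW; status=1; fi ;;
            # Cookies must be enabled (1) to keep accepting when the queue fills.
            *syncookies) if [ "$val" -eq 1 ]; then state=OK; else state=OFF; status=1; fi ;;
            # Retry counts: fewer retries frees half-open entries sooner.
            *) if [ "$val" -le "$want" ]; then state=OK; else state=HIGH; status=1; fi ;;
        esac
        printf '%s %s %s %s\n' "$key" "$val" "$want" "$state"
    done
    for k in $TUNED_KEYS; do   # report tuned keys absent from the input
        case " $seen " in *" $k "*) ;; *)
            printf '%s - %s MISSING\n' "$k" "$(recommended "$k")"; status=1 ;;
        esac
    done
    return $status
}

# Demo on the constructed defaults; on a live host pipe in `sysctl -a | grep syn`.
printf '%s\n' "$SAMPLE_DEFAULTS" | audit_syn_sysctl || echo "SYN hardening incomplete"
```

Run as root on a live host, the same function can be fed the real sysctl output and its exit status used in a nightly configuration check.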

SYN flood prevention

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Some people write it for the INPUT chain instead:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

--limit 1/s limits accepted SYN packets to one per second and can be changed as needed. Note that a rule with -j ACCEPT only admits packets up to the limit; SYN packets beyond it fall through to the later rules, so the chain's policy or a following rule must drop them for the limit to have any effect.

Preventing various port scans

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

(--tcp-flags takes a mask followed by the flags that must be set within it; the second argument, RST, is missing from this page's copy of the rule and is assumed here.)

Ping flood attack (ping of death)

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Original sources:

[1] http://linuxs1.blog.163.com/blog/static/16953426200932391829688/

[2] http://blog.chinaunix.net/uid-23619955-id-67049.html
