Adjust TCP Parameters to Prevent DDoS Attacks
VM service providers may be attacked while their servers are in operation; SYN floods and other DDoS attacks are the most common. Changing the attacked host's IP address can sidestep an attack, but the service interruption it causes is long. A thorough solution is to add a hardware firewall, but hardware firewalls are expensive, so the firewall functions provided by the Linux system itself are worth considering as a defence.
A SYN flood abuses the three-way handshake of the TCP/IP protocol: the attacker sends a large number of connection-initiating packets without ever completing the connections, so the attacked server's queue of pending connections fills up and normal users can no longer connect.
The Linux kernel provides several SYN-related parameters. Run the following command: sysctl -a | grep syn
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue (connections still waiting for the handshake to complete). tcp_syncookies switches the SYN cookie function on or off; enabling it can defeat some SYN attacks. tcp_synack_retries and tcp_syn_retries define how many times the kernel retransmits SYN/ACK and SYN segments. The recommended adjustments are therefore to increase the SYN queue length so that more pending connections can be held, to enable SYN cookies, and to reduce the number of retries (so that a half-open connection occupies a queue slot for less time).
To adjust the preceding settings, follow these steps:
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Enable the SYN cookie function:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
To keep the preceding configuration across a system restart, add the commands above to the /etc/rc.d/rc.local file.
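As an added example that is not part of the original article, the following Python audit parses `sysctl -a` output of the form shown above and reports which of the four parameters miss the recommended values (2048 / 1 / 3 / 3), emitting the matching `sysctl -w` remediation for each. The sample output is constructed to match the defaults listed above; in practice you would feed it the real command output.

```python
import re

# Recommended values from the article: (minimum acceptable, maximum acceptable).
# None means that side is unbounded.
BASELINE = {
    "net.ipv4.tcp_max_syn_backlog": (2048, None),
    "net.ipv4.tcp_syncookies": (1, 1),
    "net.ipv4.tcp_synack_retries": (None, 3),
    "net.ipv4.tcp_syn_retries": (None, 3),
}

# One "key = value" line as printed by `sysctl -a`.
LINE_RE = re.compile(r"^\s*([a-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_sysctl(text):
    """Return a dict of parameter -> raw value string; lines that are not
    'key = value' pairs (garbage, blank lines) are skipped."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def audit_syn_settings(text):
    """Return (key, current, action) for every parameter outside the baseline.
    A key that is absent or non-numeric is reported too: it cannot be verified."""
    values = parse_sysctl(text)
    findings = []
    for key, (lo, hi) in BASELINE.items():
        raw = values.get(key)
        if raw is None or not raw.lstrip("-").isdigit():
            findings.append((key, raw, "missing or non-numeric"))
            continue
        v = int(raw)
        if (lo is not None and v < lo) or (hi is not None and v > hi):
            target = lo if lo is not None else hi
            findings.append((key, v, f"sysctl -w {key}={target}"))
    return findings

# Constructed sample: the default values the article shows, plus an unrelated key.
SAMPLE = """\
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_fin_timeout = 60
"""

if __name__ == "__main__":
    for key, current, action in audit_syn_settings(SAMPLE):
        print(f"{key}: current={current} -> {action}")
```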
SYN flood prevention:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Some people write it as:
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits accepted SYN packets to 1 per second; the rate can be changed as needed.
Prevent various port scans:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (ping of death):
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Original sources:
[1] http://linuxs1.blog.163.com/blog/static/16953426200932391829688/
[2] http://blog.chinaunix.net/uid-23619955-id-67049.html