Modify sysctl Parameters
$ sudo sysctl -a | grep ipv4 | grep syn
The output is similar to the following:
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
- net.ipv4.tcp_syncookies indicates whether SYN cookies are enabled: 1 enables them, 0 disables them.
- net.ipv4.tcp_max_syn_backlog is the length of the SYN queue. A longer queue can hold more half-open connections that are waiting to complete the handshake.
- net.ipv4.tcp_synack_retries and net.ipv4.tcp_syn_retries define how many times a SYN-ACK (for incoming connections) and a SYN (for outgoing connections) are retransmitted.
Add the following lines to /etc/sysctl.conf and then run "sysctl -p":
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
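The following is an added example, not part of the original page: a small POSIX sh audit that parses the "key = value" text printed by "sysctl -a | grep ipv4 | grep syn" and reports every SYN-related parameter that is missing or weaker than the values recommended above. The two sample outputs embedded in it are constructed (one matches the "before" output shown above, one a host already tuned); the direction of each check (backlog and syncookies at least the target, retry counts at most the target) is the author's own choice here.

```shell
#!/bin/sh
# Added example, not from the original page: audit the SYN-related sysctl
# values against the hardened values recommended in this section.
# Input is the "key = value" text that `sysctl -a | grep ipv4 | grep syn` prints.

# Constructed sample matching the page's "before" output.
SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Constructed sample of a host already tuned as recommended.
HARDENED_SYSCTL='net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2'

# Target values, taken from the sysctl.conf fragment above.
RECOMMENDED='net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.tcp_synack_retries 2
net.ipv4.tcp_syn_retries 2'

# get_value KEY TEXT: print KEY's value from TEXT, or nothing if KEY is absent.
get_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F' *= *' '$1 == k { print $2; exit }'
}

# needs_change KEY CURRENT WANTED: succeed when CURRENT is weaker than WANTED.
# Backlog and syncookies should be at least WANTED; retry counts should be at
# most WANTED, so half-open entries are retransmitted fewer times.
needs_change() {
    case "$1" in
        *_retries) [ "$2" -gt "$3" ] ;;
        *)         [ "$2" -lt "$3" ] ;;
    esac
}

# audit_sysctl TEXT: print "key current wanted" for each recommended key that
# is missing from TEXT or weaker than recommended; print nothing if all pass.
audit_sysctl() {
    printf '%s\n' "$RECOMMENDED" | while read -r key wanted; do
        [ -n "$key" ] || continue
        cur=$(get_value "$key" "$1")
        if [ -z "$cur" ]; then
            printf '%s missing %s\n' "$key" "$wanted"
        elif needs_change "$key" "$cur" "$wanted"; then
            printf '%s %s %s\n' "$key" "$cur" "$wanted"
        fi
    done
}

# count_weak TEXT: number of keys flagged by audit_sysctl (0 when hardened).
count_weak() {
    audit_sysctl "$1" | grep -c . || true
}

# Demo on the constructed "before" sample; to audit the running host instead,
# pass "$(sysctl -a 2>/dev/null | grep ipv4 | grep syn)" as the argument.
audit_sysctl "$SAMPLE_SYSCTL"
```

Run on the sample it lists all four keys; run against a live host it prints only the keys that still need to go into /etc/sysctl.conf, which makes it a convenient post-change check after "sysctl -p".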
Improve TCP connection capability
net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
net.ipv4.tcp_sack = 0
The sysctl key for selective acknowledgement is net.ipv4.tcp_sack; note that the kernel documents tcp_rmem and tcp_wmem as three values (min, default, max).
Use iptables
Command:
# netstat -an | grep ":80" | grep ESTABLISHED
Use this to see which IP addresses look suspicious. For example, if the address 221.238.196.83 has many connections and is suspicious, and you do not expect it to be connected to 221.238.196.81 again, you can add a rule for that source/destination pair:
iptables -A INPUT -s 221.238.196.81 -p tcp -d 221.238.196.83 --dport 25 --syn -j ACCEPT
To deny the connection instead, use -j DROP in place of -j ACCEPT.
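The following is an added example, not part of the original page: a POSIX sh helper that summarises the "netstat -an" output described above, counting ESTABLISHED connections to local port 80 per remote address, so a peer holding an unusual number of connections stands out before any iptables rule is written. The netstat lines are constructed (10.0.0.5 is a made-up local address; the remote addresses reuse the page's example and documentation ranges), and the column layout assumed is that of Linux net-tools netstat.

```shell
#!/bin/sh
# Added example, not from the original page: summarise ESTABLISHED port-80
# connections per remote address from `netstat -an` output, to spot a peer
# holding an unusual number of connections before writing an iptables rule.

# Constructed netstat -an lines; 10.0.0.5 is a made-up local address and the
# remote addresses reuse the page's example plus documentation ranges.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80         221.238.196.83:51234   ESTABLISHED
tcp        0      0 10.0.0.5:80         221.238.196.83:51235   ESTABLISHED
tcp        0      0 10.0.0.5:80         221.238.196.83:51236   ESTABLISHED
tcp        0      0 10.0.0.5:80         198.51.100.7:40001     ESTABLISHED
tcp        0      0 10.0.0.5:80         198.51.100.7:40002     TIME_WAIT
tcp        0      0 10.0.0.5:22         203.0.113.9:33000      ESTABLISHED'

# count_by_peer TEXT [PORT]: print "count remote-ip", busiest first, counting
# only ESTABLISHED connections to the local PORT (default 80). The port is
# stripped with sub() on the last ":" so IPv6 foreign addresses still work.
count_by_peer() {
    printf '%s\n' "$1" | awk -v port="${2:-80}" '
        $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1rn -k2,2
}

# suspicious_peers TEXT THRESHOLD: remote IPs with at least THRESHOLD
# established connections; candidates for closer inspection or a DROP rule.
suspicious_peers() {
    count_by_peer "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo on the constructed sample. For a live host, replace the sample with
# "$(netstat -an | grep ':80' | grep ESTABLISHED)".
count_by_peer "$SAMPLE_NETSTAT"
suspicious_peers "$SAMPLE_NETSTAT" 3
```

The threshold is a judgement call: a proxy or NAT gateway legitimately opens many connections from one address, so check what the address is before blocking it.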
Other references
SYN flood prevention
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Some people write it as:
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s caps the number of SYN packets accepted per second. You can adjust the limit to your needs to prevent port scanning.
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (Ping of Death)
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
BSD
Run:
sysctl net.inet.tcp.msl=7500
To keep the setting across reboots, add the following line to /etc/sysctl.conf:
net.inet.tcp.msl=7500