Be careful when setting TCP parameters, and do not change a production environment lightly. Here are the relevant lines of sysctl.conf from our production environment:

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1

tcp_syn_retries: INTEGER, default 5. For a new connection, the number of SYN connection requests the kernel sends before giving up. It should not be greater than 255. The default of 5 corresponds to about 180 seconds. (For a heavily loaded network with good physical links, this value is too high and can be changed to 2. This value applies only to outgoing connections; incoming connections are determined by tcp_retries1.)

tcp_synack_retries: INTEGER, default 5. For a remote connection request (SYN), the kernel sends a SYN+ACK datagram to acknowledge receipt of the SYN. This is the second step of the three-way handshake. This parameter is the number of SYN+ACKs the kernel sends before abandoning the connection. It should not be greater than 255. The default of 5 corresponds to about 180 seconds. (This value can be chosen in line with tcp_syn_retries above.)

tcp_keepalive_time: INTEGER, default 7200 (2 hours). How often TCP sends keepalive messages when keepalive is enabled. (Network attacks make this relevant, and such attacks are very frequent. Some friends on CU once asked: if a connection is established and neither side sends data or RST/FIN messages, will it persist for 2 hours, allowing an empty-connection attack? tcp_keepalive_time is used to prevent this situation.
I personally changed the value to 1800 seconds when doing the NAT service.)

tcp_keepalive_probes: INTEGER, default 9. The number of keepalive probes TCP sends before deciding that the connection is broken. (Note: keepalive probes are sent only when the SO_KEEPALIVE socket option is enabled. The default usually does not need to be changed, but it can be shortened as needed, for example to 5.)

tcp_keepalive_intvl: INTEGER, default 75. Multiply this value by tcp_keepalive_probes to get the time after which a connection that has not responded is killed, counted from the start of probing. The default is 75 seconds, which means that connections without activity are dropped after about 11 minutes. (For common applications this value is too large and can be reduced as needed. In particular it should be reduced for web servers, where 15 is a suitable value.)

tcp_retries1: INTEGER, default 3. The number of retries before giving up on responding to a TCP connection request. The minimum value required by the RFC is 3, which is the default. Depending on the RTO, this corresponds to about 3 to 8 minutes. (Note: this value also determines SYN connections.)

tcp_retries2: INTEGER, default 15. The number of retries before dropping an active TCP connection (one in the established state). The default of 15 corresponds, depending on the RTO, to 13-30 minutes (RFC 1122 requires that the value be greater than 100 seconds). (Depending on the network, this value can be adjusted; in my network it is set to 5.)

tcp_orphan_retries: INTEGER, default 7. The number of retries before dropping a TCP connection that has been closed on the local end. The default of 7 is equivalent to 50-16 minutes, depending on the RTO. If your system is a heavily loaded web server, you may need to lower this value, because such sockets may consume a lot of resources.
See also tcp_max_orphans. (Lowering this value is also a significant benefit when doing NAT; in my own network environment it is reduced to 3.)

tcp_fin_timeout: INTEGER, default 60. For a socket closed by the local end, how long TCP remains in the FIN-WAIT-2 state. The peer may have disconnected, may never close its end of the connection, or its process may die unexpectedly. The default is 60 seconds; in 2.2 kernels it was 180 seconds. You can change this value, but take care: if your machine is a heavily loaded web server, you risk memory being filled with a large number of invalid data packets. FIN-WAIT-2 sockets are less of a risk than FIN-WAIT-1 sockets because they use at most 1.5 kB of memory each, but they exist for longer. For more information, see tcp_max_orphans. (Lowering this value is also a significant benefit when doing NAT; in my own network environment it is reduced to 30.)

tcp_max_tw_buckets: INTEGER, default 180000. The maximum number of TIME-WAIT sockets the system handles simultaneously. If this number is exceeded, the TIME-WAIT socket is destroyed immediately and a warning message is printed. This limit exists only to defend against simple DoS attacks. Do not lower it artificially; if network conditions require more than the default, you can raise it (and perhaps add memory). (In fact, it is best to raise this value when doing NAT.)

tcp_tw_recycle: BOOLEAN, default 0. Enables fast recycling of TIME-WAIT sockets. Do not change this value unless recommended or required by technical experts. (We recommend enabling it when doing NAT.)
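
The retry and keepalive values above determine how long the kernel keeps state for a peer that has gone silent, which is what an empty-connection or half-open flood consumes. The following Python example is added here and is not part of the original article; it assumes an initial retransmission timeout of 3 seconds that doubles after each attempt and is capped at 120 seconds, which reproduces the article's figure of about 180 seconds for 5 retries.

```python
# Added example: how long the kernel keeps state for a peer that goes silent.
# Assumptions (not from the article): initial RTO of 3 s, doubling after each
# attempt, capped at 120 s. Newer kernels start from 1 s instead.

PAGE_DEFAULTS = {          # defaults as stated in the article
    "tcp_syn_retries": 5,
    "tcp_synack_retries": 5,
    "tcp_keepalive_time": 7200,
    "tcp_keepalive_probes": 9,
    "tcp_keepalive_intvl": 75,
    "tcp_fin_timeout": 60,
}
AUTHOR_TUNING = {          # values the article suggests or reports using
    "tcp_syn_retries": 2,
    "tcp_keepalive_time": 1800,
    "tcp_keepalive_probes": 5,
    "tcp_keepalive_intvl": 15,
    "tcp_fin_timeout": 30,
}

def handshake_giveup_seconds(retries, initial_rto=3.0, rto_max=120.0):
    """Seconds until an unanswered SYN (or SYN+ACK) is abandoned.

    One first transmission plus `retries` retransmissions; the kernel waits
    one timeout after each, and the timeout doubles every time.
    """
    total, rto = 0.0, initial_rto
    for _ in range(retries + 1):
        total += rto
        rto = min(rto * 2, rto_max)
    return total

def timers(overrides=None, initial_rto=3.0):
    """Derive the hold times, in seconds, for a set of sysctl values."""
    s = {**PAGE_DEFAULTS, **(overrides or {})}
    probing = s["tcp_keepalive_probes"] * s["tcp_keepalive_intvl"]
    return {
        # outgoing connect() to a host that never answers
        "syn_giveup": handshake_giveup_seconds(s["tcp_syn_retries"], initial_rto),
        # how long one half-open entry occupies the SYN queue
        "synack_giveup": handshake_giveup_seconds(s["tcp_synack_retries"], initial_rto),
        # from the first keepalive probe to the connection being killed
        "keepalive_probing": probing,
        # idle, silent peer: total time until the socket is freed
        "dead_peer_total": s["tcp_keepalive_time"] + probing,
        "fin_wait2": s["tcp_fin_timeout"],
    }

if __name__ == "__main__":
    for label, cfg in (("article defaults", None), ("article tuning", AUTHOR_TUNING)):
        print(label, timers(cfg))
```

With the article's defaults this gives 189 seconds for either handshake direction and 675 seconds of keepalive probing, the "about 11 minutes" mentioned above.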

tcp_tw_reuse: BOOLEAN, default 0. Whether sockets in the TIME-WAIT state may be reused for new TCP connections. (This is very helpful when quickly restarting a service that otherwise reports the port as already in use after it starts.)

tcp_max_orphans: INTEGER. The maximum number of TCP sockets not attached to any process that the system will handle. If this number is exceeded, connections that do not belong to any process are reset immediately and a warning is printed. This limit exists only to defend against simple DoS attacks. Do not rely on it or lower it artificially. (This value is set to 32768 in Red Hat AS, but on many firewalls it is recommended to change it to 2000.)

tcp_abort_on_overflow: BOOLEAN, default 0. When the daemon is too busy to accept new connections, send a reset to the peer. The default is false, which means that if the overflow was caused by an occasional burst, the connection will recover. Enable this option only when you are sure that the daemon really cannot complete connection requests, because it affects clients. (For services such as sendmail and Apache that are already fully loaded, this quickly makes clients terminate the connection and gives the server a chance to work through the buffer of existing connections, so enabling it is recommended on many firewalls.)

tcp_syncookies: BOOLEAN, default 0. Only takes effect when CONFIG_SYNCOOKIES was selected at kernel compile time. Syncookies are sent when the SYN wait queue overflows. The purpose is to prevent SYN flood attacks.
Note: this option must not be used to help high-load servers that are not under attack. If synflood messages appear in the log but investigation shows that no SYN flood attack is taking place, and the cause is simply too high a connection load from legitimate users, you should tune other parameters to improve server performance. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. Syncookies seriously violate the TCP protocol and do not allow the use of TCP extensions, which may have a serious performance impact on some services (such as SMTP relaying). (Note: this implementation is the same as the TCP proxy used in BSD. It violates the RFC's three-way handshake for TCP connections, but it is useful for defending against SYN floods.)

tcp_stdurg: BOOLEAN, default 0. Use the host-requirements interpretation of the TCP urgent pointer field. Most hosts use the old BSD interpretation, so enabling this on Linux may prevent correct communication with them.
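
The settings named in the syncookies note can be reviewed together. The following Python example is added here and is not from the original article: it parses a sysctl.conf fragment (a constructed sample using the values quoted at the top of the article) and reports the SYN-flood-related settings worth a second look. The thresholds and defaults-when-absent are assumptions taken from the article's text; the tcp_tw_recycle finding reflects that the option can drop connections from clients behind NAT and was removed in Linux 4.12.

```python
# Added example, not from the article: audit the SYN-flood-related keys.
# Thresholds are assumptions chosen for illustration.

SAMPLE_CONF = """\
# constructed sample using the values quoted at the top of the article
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
"""

def parse_sysctl(text):
    """Parse sysctl.conf text into {key: value}; a later line overrides."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return [(parameter, finding)] for the keys discussed in the article."""
    conf = parse_sysctl(text)

    def value(name, default):
        # `default` is the default the article states for an unset key
        return int(conf.get("net.ipv4." + name, default))

    findings = []
    if value("tcp_syncookies", 0) != 1:
        findings.append(("tcp_syncookies",
                         "off: no fallback once the SYN queue overflows"))
    if value("tcp_max_syn_backlog", 1024) < 1024:
        findings.append(("tcp_max_syn_backlog",
                         "below 1024: half-open queue fills quickly under load"))
    if value("tcp_synack_retries", 5) >= 5:
        findings.append(("tcp_synack_retries",
                         "5 or more: each half-open entry is held about 180 s"))
    if value("tcp_abort_on_overflow", 0) == 1:
        findings.append(("tcp_abort_on_overflow",
                         "on: legitimate clients are reset during short bursts"))
    if value("tcp_tw_recycle", 0) == 1:
        findings.append(("tcp_tw_recycle",
                         "on: can drop clients behind NAT; removed in Linux 4.12"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF):
        print(f"net.ipv4.{name}: {finding}")
```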

tcp_max_syn_backlog: INTEGER. The maximum number of connection requests, not yet acknowledged by the client, that are kept in the queue. For systems with more than 128 MB of memory the default is 1024; with less than 128 MB it is 128. If the server is often overloaded, you can try increasing this number. Warning: if you set this value above 1024, it is best to modify TCP_SYNQ_HSIZE in include/net/tcp.h so that TCP_SYNQ_HSIZE * 16 <= tcp_max_syn_backlog, and recompile the kernel. (SYN flood attacks exploit a weakness in the TCP handshake: forged source IP addresses are used to send a large number of TCP SYN half-open connections to the target system, so that its socket queue resources are exhausted and new connections cannot be accepted. To cope with such attacks, modern Unix systems generally use multiple connection queues to buffer (rather than solve) them: a basic queue handles normal, fully established connections (connect() and accept()), and half-open connections are stored separately in another queue. Used together with other kernel measures (such as SYN cookies/caches), this dual-queue approach effectively mitigates small-scale SYN flood attacks (<1000 p/s). Increasing the SYN queue length accommodates more connections waiting to complete, so you can increase this value on servers.)

tcp_window_scaling: INTEGER, default 1. Whether the sliding window size of a TCP/IP session is variable. The value is Boolean: 1 means variable, 0 means not variable. TCP/IP usually uses a window of up to 65535 bytes, which may be too small for high-speed networks. With this feature enabled, the TCP/IP sliding window size can grow by several orders of magnitude, improving data transfer capability (RFC 1323).
(For an ordinary M network, disabling it reduces overhead, so if the network is not high-speed you can consider setting it to 0.)

tcp_timestamps: BOOLEAN, default 1. Timestamps are used, among other things, to guard against forged sequence numbers. A 1G broadband line may re-encounter an old sequence number with an out-of-line value (if it was generated last time). The timestamp lets TCP know that this is an "old packet". (This setting indicates whether to enable RTT calculation in a more accurate way than retransmission timeout (RFC 1323). It should be enabled for better performance.)

tcp_sack: BOOLEAN, default 1. Use Selective ACK, which can identify the specific datagrams that were lost and so helps fast recovery. This setting indicates whether Selective Acknowledgment is enabled; it improves performance by selectively acknowledging segments received out of order (so that the sender retransmits only the lost segments). (This option should be enabled for WAN communication, but it increases CPU usage.)

tcp_fack: BOOLEAN, default 1. Enables the FACK congestion avoidance and fast retransmission functions. (Note: when tcp_sack is set to 0, this setting has no effect even if it is set to 1.)

tcp_dsack: BOOLEAN, default 1. Allows TCP to send "two identical" SACKs.

tcp_ecn: BOOLEAN, default 0. Enables TCP explicit congestion notification.

tcp_reordering: INTEGER, default 3. The maximum number of reordered datagrams in a TCP stream. (It is recommended to adjust this value slightly, for example to 5.)

tcp_retrans_collapse: BOOLEAN, default 1. Provides bug compatibility for some printers. (You can disable it.)

tcp_wmem (3 INTEGER values): min, default, max.

min: the minimum amount of memory reserved for each TCP socket's send buffer. Every TCP socket can use it. The default value is 4096 (4 K).
default: the amount of memory reserved for a TCP socket's send buffer by default. This value affects net.core.wmem_default and is generally lower than the value of net.core.wmem_default. The default value is 16384 (16 K).

max: the maximum memory used for a TCP socket's send buffer. This value does not affect net.core.wmem_max, and the "static" parameter SO_SNDBUF is not affected by it. The default value is 131072 (128 K). (For servers, increasing this parameter helps a lot with sending data. In my network environment it is changed to 51200 131072 204800.)

tcp_rmem (3 INTEGER values): min, default, max.

min: the amount of memory reserved for a TCP socket's receive buffer. Even when memory is short, a TCP socket has at least this much memory for receive buffering. The default value is 8 K.

default: the amount of memory reserved for a TCP socket's receive buffer by default. This value affects the net.core.wmem_default value used by other protocols. It results in a TCP window size of 65535 with the default tcp_adv_win_scale, tcp_app_win, and tcp_app_win = 0. The default value is 87380.

max: the maximum memory used for a TCP socket's receive buffer. This value does not affect net.core.wmem_max, and the "static" parameter SO_SNDBUF is not affected by it. The default value is 128 K. The default value is 87380*2 bytes. (As you can see, max is best set to twice the default value. For NAT it should mainly be increased; in my network it is 51200 131072 204800.)

tcp_mem (3 INTEGER values): low, pressure, high.

low: when TCP uses fewer memory pages than this value, TCP does not consider releasing memory. (Ideally, this value should match the 2nd value given to tcp_wmem; that 2nd value gives the maximum page size multiplied by the maximum number of concurrent requests, divided by the page size (131072*300/4096).)
pressure: when TCP uses more memory pages than this value, TCP tries to stabilize its memory usage and enters pressure mode; it leaves pressure mode when memory consumption falls below the low value. (Ideally, this value is the maximum total buffer size that TCP can use (204800*300/4096).)

high: the number of pages that all TCP sockets together may use to queue buffered packets. (If this value is exceeded, TCP connections are refused, which is why it should not be set too conservatively (512000*300/4096). At this setting it provides a lot of headroom: it can handle 2.5 times as many connections as expected, or let existing connections transfer 2.5 times as much data. In my network it is 192000 300000 732000.) Generally, these values are calculated from the amount of system memory at boot.

tcp_app_win: INTEGER, default 31. Reserves max(window/2^tcp_app_win, mss) bytes of the window for application buffering. If the value is 0, no buffer is required.

tcp_rfc1337: BOOLEAN, default 0. This switch enables a fix for the "TCP TIME-WAIT assassination" problem described in RFC 1337. When enabled, the kernel drops RST packets sent to TCP sockets in the TIME-WAIT state.

tcp_low_latency: BOOLEAN, default 0. Allows the TCP/IP stack to adapt to low latency under high throughput. This option is generally disabled. (It is helpful to enable it when building a Beowulf cluster.)

tcp_westwood: BOOLEAN, default 0. Enables the sender-side congestion control algorithm, which maintains a throughput estimate and tries to optimize overall bandwidth utilization. This option should be enabled for WAN communication.

tcp_bic: BOOLEAN, default 0. Enables Binary Increase Congestion control for fast long-distance networks. This makes better use of links operating at GB speeds.
This option should be enabled for WAN communication.

Author: neou

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only.