How to configure TCP parameter settings under Linux

Source: Internet
Author: User
Tags ack rfc

Setting TCP parameters. Be careful not to change a production environment blindly; I paste the sysctl.conf from our production environment at the bottom of the article.

    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_fin_timeout = 30
    net.ipv4.tcp_keepalive_time = 1800
    net.ipv4.tcp_max_syn_backlog = 4096
    net.ipv4.tcp_syncookies = 1

tcp_syn_retries (integer, default 5)
For a new outgoing connection, the number of SYN requests the kernel sends before it gives up. Should not be greater than 255; the default of 5 corresponds to about 180 seconds. (On heavily loaded networks with good physical connectivity this value is high and can be reduced to 2. It applies only to outgoing connections; incoming connections are governed by tcp_retries1.)

tcp_synack_retries (integer, default 5)
For an incoming SYN, the kernel replies with a SYN+ACK to confirm that it received the SYN; this is the second step of the three-way handshake. This value is the number of SYN+ACKs the kernel sends before dropping the connection. Should not be greater than 255; the default of 5 corresponds to about 180 seconds. (Can be set with reference to tcp_syn_retries above.)

tcp_keepalive_time (integer, default 7200, i.e. 2 hours)
How often TCP sends keepalive messages when keepalive is enabled. (Because of network attacks and similar factors this is abused frequently; a friend on CU also raised it: if both sides establish a connection and then send no data and no RST/FIN, the connection lasts the full 2 hours, which amounts to an idle-connection attack. tcp_keepalive_time exists to prevent this. When I ran a NAT service I changed it to 1800 seconds.)

tcp_keepalive_probes (integer, default 9)
The number of keepalive probes TCP sends before deciding that the connection is broken. (Note: probes are only sent if the SO_KEEPALIVE socket option is enabled.) The default count does not need to be changed, although it can be shortened depending on the situation; 5 is a reasonable value.

tcp_keepalive_intvl (integer, default 75)
The interval between probe messages; multiplied by tcp_keepalive_probes it gives the time after which a connection that has not responded since probing started is killed. With the default of 75 seconds, an unresponsive connection is dropped after approximately 11 minutes. (For ordinary applications this value is somewhat large and can be changed as needed; web servers in particular need it smaller, and 15 is a reasonable value.)

tcp_retries1 (integer, default 3)
How many times to retry before giving up on responding to a TCP connection request. The RFC specifies a minimum of 3, which is also the default; depending on the RTO this corresponds to between 3 seconds and 8 minutes. (Note: this value also governs incoming SYN connections.)

tcp_retries2 (integer, default 15)
How many times to retry before dropping an active (established) TCP connection. The default of 15 is determined by the RTO and is equivalent to 13 to 30 minutes (RFC 1122 requires more than 100 seconds). (This can be changed according to the current network; I changed mine to 5.)

tcp_orphan_retries (integer, default 7)
How many times to retry before the local side drops a TCP connection. The default of 7 is equivalent to 50 seconds to 16 minutes, depending on the RTO. If the system is a heavily loaded web server you may want to lower this value, since such sockets can consume a lot of resources. See also tcp_max_orphans. (Lowering this value is also meaningful under NAT; in my own environment I set it to 3.)

tcp_fin_timeout (integer, default 60)
The time TCP stays in the FIN-WAIT-2 state after the local side has closed the socket. The peer may have disconnected, never finished closing the connection, or died unexpectedly. The default is 60 seconds; it was 180 seconds in the 2.2 kernel. You can set this value, but be aware that on a heavily loaded web server you risk filling memory with a large number of invalid datagrams. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 sockets because they consume at most 1.5K of memory, but they exist for a longer time. See also tcp_max_orphans. (Lowering this value is also meaningful under NAT; I lowered it in my own environment.)

tcp_max_tw_buckets (integer, default 180000)
The maximum number of TIME-WAIT sockets the system handles at the same time. If this number is exceeded, the TIME-WAIT socket is destroyed immediately and a warning message is printed. The limit exists to protect against simple DoS attacks; do not reduce it artificially, but if network conditions require more than the default you can increase it (and perhaps add memory). (Increasing this value appropriately is best when doing NAT.)

tcp_tw_recycle (boolean, default 0)
Enables fast recycling of TIME-WAIT sockets. Do not modify this value unless advised or requested by a technical expert. (It is recommended to enable it when doing NAT.)

tcp_tw_reuse (boolean, default 0)
Whether a socket in the TIME-WAIT state may be reused for a new TCP connection. (This is very helpful for quickly restarting services that otherwise report the port as in use after restart.)

tcp_max_orphans (integer, default 8192)
The maximum number of TCP sockets the system handles that are not attached to any process. If this number is exceeded, connections not attached to any process are reset immediately and a warning message is printed. The limit exists purely to protect against simple DoS attacks; do not rely on it or reduce it artificially. (Red Hat sets this to 32768 as its distribution default, but many firewall setups change it, and it is recommended to adjust this value.)

tcp_abort_on_overflow (boolean, default 0)
When the daemon is too busy to accept a new connection, send a reset to the peer. The default is false, which means that when the overflow is caused by an accidental burst, the connection will recover. Only enable this option when you are sure the daemon really cannot complete the connection requests, because it affects the client's experience. (For services that are already fully loaded it lets clients terminate their connections quickly so that the service program can work through its existing connection buffer, which is why many firewall guides recommend enabling it for Sendmail and Apache.)

tcp_syncookies (boolean, default 0)
Only works if CONFIG_SYN_COOKIES was selected when the kernel was compiled. When the SYN wait queue overflows, SYN cookies are sent to the peer. The aim is to prevent SYN flood attacks.
Note: this option must not be used on high-load servers that are not under attack. If a "SYN flooding" message appears in the log but investigation finds no SYN flood attack, only a high load of legitimate user connections, you should adjust other parameters to improve server performance. See also: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. SYN cookies seriously violate the TCP protocol, do not allow the use of TCP extensions, and may cause a serious performance impact on some services (such as SMTP relaying). (Note that this implementation, like the TCP proxy used on BSD mentioned above, violates the RFC's three-way handshake for TCP connections, but it is genuinely useful for defending against SYN floods.)

tcp_stdurg (boolean, default 0)
Use the Host Requirements interpretation of the TCP URG pointer field. Most hosts use the old BSD interpretation, so if you enable this on Linux you may not be able to communicate with them correctly.

tcp_max_syn_backlog (integer)
The maximum number of connection requests that have not yet been acknowledged by the client to keep in the queue. The default is 1024 for systems with more than 128 MB of memory and 128 below that. If the server overloads frequently, try increasing this number. Warning: if you set this value above 1024, it is best to modify TCP_SYNQ_HSIZE in include/net/tcp.h so that TCP_SYNQ_HSIZE*16 <= tcp_max_syn_backlog, and recompile the kernel. (A SYN flood attack exploits a flaw in the TCP handshake: it sends a large number of TCP SYN half-open connections with forged source IP addresses to the target, eventually exhausting the target's socket queue resources so that it can no longer accept new connections. To cope with this, modern UNIX systems generally use a dual-queue approach to buffer (rather than resolve) the attack: one basic queue handles normal fully established connections (connect() and accept()), and a separate queue holds half-open connections. Combined with other kernel measures such as SYN cookies and caches, this dual-queue approach mitigates small-scale SYN floods fairly effectively (in practice, below about 1000 packets/s). Increasing the SYN queue length accommodates more connections waiting to be established, so you might consider increasing this value for a server.)

tcp_window_scaling (integer, default 1)
Whether the sliding window size of a TCP/IP session is variable. The value is boolean: 1 means variable, 0 means fixed. TCP/IP normally uses a maximum window of 65535 bytes, which may be too small for high-speed networks; if enabled, the sliding window size can grow by several orders of magnitude, increasing data transfer capacity (RFC 1323). (For an ordinary 100 Mbit network, disabling it reduces overhead, so if the network is not high-speed you can consider setting it to 0.)

tcp_timestamps (boolean, default 1)
Timestamps are used in some other things and guard against forged sequence numbers. A 1 Gbit line may re-encounter an old sequence number with an out-of-range value (left over from a previous generation); the timestamp lets it recognise the segment as an "old packet". (This file indicates whether RTT is calculated in a more precise way than by timeouts (RFC 1323); this option should be enabled for better performance.)

tcp_sack (boolean, default 1)
Use selective ACK, which can identify a specific missing datagram and thus helps recover quickly. This file indicates whether selective acknowledgment is enabled, which improves performance by selectively acknowledging packets received out of order (allowing the sender to resend only the missing segments). (This option should be enabled for WAN traffic, but it increases CPU usage.)

tcp_fack (boolean, default 1)
Enables the FACK congestion avoidance and fast retransmission feature. (Note that when tcp_sack is 0, this value has no effect even if set to 1.)

tcp_dsack (boolean, default 1)
Allows TCP to send "two identical" SACKs (duplicate SACK).

tcp_ecn (boolean, default 0)
Enables TCP Explicit Congestion Notification.

tcp_reordering (integer, default 3)
The maximum number of reordered datagrams in a TCP stream. (It is generally recommended to set this slightly larger, such as 5.)

tcp_retrans_collapse (boolean, default 1)
Provides compatibility with the bugs of certain printers. (This support is generally not required and can be turned off.)

tcp_wmem (3 integers: min, default, max)
min: the minimum amount of memory reserved for the send buffer of a TCP socket; every TCP socket is entitled to this amount. The default is 4096 (4K).
default: the amount of memory reserved for a TCP socket's send buffer. By default it affects the net.core.wmem_default value used by other protocols and is typically lower than net.core.wmem_default. The default is 16384 (16K).
max: the maximum amount of memory used for a TCP socket's send buffer. This value does not affect net.core.wmem_max, and the "static" option SO_SNDBUF is not affected by it. The default is 131072 (128K). (For a server, increasing this parameter helps with sending data; in my network environment I changed it to 51200 131072 204800.)

tcp_rmem (3 integers: min, default, max)
min: the amount of memory reserved for a TCP socket's receive buffer; even under memory pressure a TCP socket will have at least this much receive buffer. The default is 8K.
default: the amount of memory reserved for a TCP socket's receive buffer. By default it affects the net.core.wmem_default value used by other protocols. This value determines a TCP window size of 65535 with the default values of tcp_adv_win_scale and tcp_app_win (tcp_app_win=0). The default is 87380.
max: the maximum amount of memory used for a TCP socket's receive buffer. This value does not affect net.core.wmem_max, and the "static" option SO_SNDBUF is not affected by it. The default is 128K (87380*2 bytes). (As you can see, max is best set to twice the default; for NAT it should be raised to 51200 131072 204800.)

tcp_mem (3 integers: low, pressure, high)
low: when TCP is using fewer memory pages than this value, it does not consider freeing memory. (Ideally this value should match the 2nd value of tcp_wmem multiplied by the maximum number of concurrent requests and divided by the page size: 131072 * 300 / 4096.)
pressure: when TCP is using more memory pages than this value, it tries to stabilise its memory usage and enters pressure mode; it leaves the pressure state when consumption falls below the low value. (Ideally this should be the maximum total buffer size TCP can use: 204800 * 300 / 4096.)
high: the number of pages all TCP sockets together may use to queue buffered datagrams. (If this value is exceeded, TCP connections are refused, which is why you should not make it too conservative: 512000 * 300 / 4096.) In this case the values provided are very large; they can handle many connections, expected to be 2.5 times as many, or allow existing connections to transmit 2.5 times the data. My network uses 192000 300.732000.
In general these values are calculated from the amount of system memory when the system boots.

tcp_app_win (integer, default 31)
Reserve max(window/2^tcp_app_win, MSS) of the window for application buffering. 0 means no reserve is needed.

tcp_adv_win_scale (integer, default 2)
Computes the buffering overhead as bytes/2^tcp_adv_win_scale (if tcp_adv_win_scale > 0) or bytes - bytes/2^(-tcp_adv_win_scale) (if tcp_adv_win_scale <= 0).

tcp_rfc1337 (boolean, default 0)
This switch enables the fix for the "TIME-WAIT assassination hazards" described in RFC 1337. When enabled, the kernel discards RST packets destined for TCP sockets in the TIME-WAIT state.

tcp_low_latency (boolean, default 0)
Allows the TCP/IP stack to favour low latency over high throughput; this option is disabled for general use. (It is helpful to enable it when building a Beowulf cluster.)

tcp_westwood (boolean, default 0)
Enables the sender-side congestion control algorithm that maintains a throughput estimate and tries to optimise overall bandwidth utilisation; this option should be enabled for WAN traffic.

tcp_bic (boolean, default 0)
Enables Binary Increase Congestion control for fast long-distance networks, which makes better use of links operating at gigabit speeds; this option should be enabled for WAN traffic.
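As an added example (not part of the original article), the following Python checks a sysctl.conf fragment against the limits stated above (the 255 cap on SYN retries, the TCP_SYNQ_HSIZE warning for backlogs above 1024, min <= default <= max for tcp_wmem/tcp_rmem), computes the keepalive dead-peer time, and evaluates the tcp_mem rule of thumb from the article's own arithmetic. The sample configuration, the 4096-byte page size and the 300 concurrent connections are assumptions taken from the article's examples.

```python
# Added example, not from the original article: parse a sysctl.conf fragment,
# check it against the limits the article states, and derive the timings it describes.
import re

# Constructed sample: the article's settings plus keepalive values from its advice
# and a deliberately wrong tcp_wmem (max below default) for the checker to catch.
SAMPLE_CONF = """
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_wmem = 51200 204800 131072   # min default max
"""
KERNEL_DEFAULTS = {"tcp_keepalive_time": 7200, "tcp_keepalive_probes": 9, "tcp_keepalive_intvl": 75}

def parse_sysctl(text):
    """Return {key: [int, ...]} from 'key = v1 v2 ...' lines; '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*=\s*(.+)$", line)
        if m:
            conf[m.group(1)] = [int(v) for v in m.group(2).split()]
    return conf

def check_tcp_conf(conf):
    """Apply the constraints the article states; return a list of findings."""
    get = lambda k: conf.get("net.ipv4." + k)
    findings = []
    for k in ("tcp_syn_retries", "tcp_synack_retries"):
        if get(k) and get(k)[0] > 255:
            findings.append(f"{k} must not be greater than 255")
    if get("tcp_max_syn_backlog") and get("tcp_max_syn_backlog")[0] > 1024:
        findings.append("tcp_max_syn_backlog > 1024: keep TCP_SYNQ_HSIZE*16 <= backlog")
    for k in ("tcp_wmem", "tcp_rmem"):
        v = get(k)
        if v and not (v[0] <= v[1] <= v[2]):
            findings.append(f"{k} needs min <= default <= max, got {v}")
    # Not stated in the article: tcp_tw_recycle was removed in Linux 4.12, so
    # 'sysctl -p' fails on newer kernels if this key is present.
    if get("tcp_tw_recycle"):
        findings.append("tcp_tw_recycle: absent from Linux >= 4.12")
    return findings

def keepalive_dead_time(conf):
    """Seconds of silence before an unresponsive peer is dropped: keepalive_time + probes * intvl."""
    t, p, i = (conf.get("net.ipv4." + k, [d])[0] for k, d in KERNEL_DEFAULTS.items())
    return t + p * i

def tcp_mem_pages(buf_bytes, max_conn=300, page_size=4096):
    """The article's tcp_mem rule of thumb: buffer size * max concurrent connections / page size."""
    return buf_bytes * max_conn // page_size
```

With the sample above, keepalive_dead_time returns 1875 seconds versus 7875 with kernel defaults, and tcp_mem_pages(131072) gives the article's low value of 9600 pages.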

