Linux System Network Optimization (repost)

Source: Internet
Author: User

Linux Network
1. Optimize the network device receive queue
net.core.netdev_max_backlog=3000
This parameter sets the maximum number of packets that may be queued on the input side when a network interface receives packets faster than the kernel can process them.
Default value: Red Hat Linux release 9 (Shrike) defaults to 300; RHEL5 defaults to 1000.
The recommended value is 3000.
2. net.ipv4.conf.lo.accept_redirects
accept_redirects: this parameter lives in /proc/sys/net/ipv4/conf/DEV/accept_redirects (DEV is the specific network interface). If there are two routers on your host's network segment and you set one of them as the default gateway, then when that gateway receives an IP packet from you and finds that the packet must go through the other router, it sends you a "redirect" ICMP message telling you to forward such packets to the other router. The value is a Boolean: 1 accepts this kind of ICMP redirect, 0 ignores it. The default is 0 on a Linux host acting as a router and 1 on an ordinary Linux host. It is recommended to set it to 0, or to use secure redirects (see below), to eliminate the security risk.
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
3. Turn on TIME-WAIT socket reuse, which is very effective for web servers with a large number of connections.
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
/proc/sys/net/ipv4/tcp_tw_recycle
Turns on fast recycling of TIME-WAIT sockets. Do not modify this value unless a technical expert advises or asks you to.
Default setting: 0
/proc/sys/net/ipv4/tcp_tw_reuse
This file indicates whether a socket in the TIME-WAIT state may be reused for a new TCP connection.
Default setting: 0

The commands below are used to tune a server with a very large number of connections.
• Allow new connections to reuse TIME-WAIT sockets on servers that handle many connections at the same time. This is very effective for web servers:
If you use this command, you also need to enable fast recycling of TIME-WAIT sockets:
Figure 10-7 shows that with these features enabled the number of connections is significantly reduced. Because each TCP transfer caches the remote client's protocol information, this can also improve performance. The cache holds the round-trip time, maximum segment size, and congestion window.

4. Reduce the time spent in the FIN-WAIT-2 connection state so that the system can handle more connections.
net.ipv4.tcp_fin_timeout=30
tcp_fin_timeout: at the end of a TCP session, A first sends a FIN packet to B. After receiving B's ACK, A enters the FIN-WAIT-2 state, waiting for B's FIN packet, which it will then acknowledge with an ACK. This parameter sets how long A waits in FIN-WAIT-2 for the peer's FIN packet; if the time is up and the peer's FIN still has not arrived, A releases the session on its own. The value is an integer number of seconds; the default is 180 seconds.
For a socket closed by the local end, TCP stays in the FIN-WAIT-2 state for this long. The peer may break the connection, may never close its side, or may die unexpectedly. The default value is 60 seconds; in the 2.2 kernels it was 180 seconds. You can lower this value, but be aware that on a heavily loaded web server you risk filling memory with a large number of dead sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 sockets because they eat at most 1.5K of memory, but they live longer. See also tcp_max_orphans.
• The parameter tcp_fin_timeout is the time a closed socket is kept in the FIN-WAIT-2 state. A TCP connection begins with a three-segment SYN sequence and ends with a three-segment FIN sequence, during which no data is retained. By lowering tcp_fin_timeout, the time from the FIN sequence until the memory can be reused for new connections is shortened, improving performance. Before changing this value, monitor carefully to avoid memory exhaustion from dead sockets.

5. Reduce the TCP keepalive idle time so that the system can handle more connections.
net.ipv4.tcp_keepalive_time=1800

/proc/sys/net/ipv4/tcp_keepalive_time
This file sets how many seconds a connection must be idle (no data transferred) before TCP starts sending keepalive probes on it.
Default setting: 7200 (2 hours)
One problem on servers with a very large number of simultaneous TCP connections is that many of them are open but unused. The TCP keepalive feature detects these connections and, by default, discards them after 2 hours. Waiting 2 hours can lead to excessive memory usage and reduced performance, so changing the value to 1800 seconds (30 minutes) is a better choice:

6. Increase the TCP SYN queue length so that the system can handle more concurrent connections.
net.ipv4.tcp_max_syn_backlog=8192

/proc/sys/net/ipv4/tcp_max_syn_backlog
The maximum number of connection requests that have not yet received the client's acknowledgement that can be held in the queue. For systems with more than 128MB of memory the default is 1024; below 128MB it is 128. If the server is constantly overloaded, try increasing this number. Warning: if you set this value above 1024, it is best to also modify TCP_SYNQ_HSIZE in include/net/tcp.h to keep TCP_SYNQ_HSIZE*16 <= tcp_max_syn_backlog, and recompile the kernel.
When the server is heavily loaded or there are many clients whose connection attempts fail after a very long delay, the number of half-open connections can grow. This is very common on web servers, especially with many dial-up customers. These half-open connections are kept in the backlog connection queue. Set this value to at least 4096 (the default is 1024). Even if the server does not receive such connections, setting this value also helps mitigate SYN-flood denial-of-service attacks.

7. Optimize the system socket buffers
net.core.rmem_max=16777216
net.core.wmem_max=16777216
/proc/sys/net/core/rmem_default
This file specifies the default size of the receive socket buffer, in bytes.
Default setting: 110592
/proc/sys/net/core/rmem_max
This file specifies the maximum size of the receive socket buffer, in bytes.
Default setting: 131071
/proc/sys/net/core/wmem_default
This file specifies the default size of the send socket buffer, in bytes.
Default setting: 110592
/proc/sys/net/core/wmem_max
This file specifies the maximum size of the send socket buffer, in bytes.
Default setting: 131071
• For all protocol queues, set the maximum system send buffer (wmem) and receive buffer (rmem) to 8MB.
These settings specify the memory allocated for a TCP socket when it is created. In addition, use the following command to set the TCP send and receive buffers. It takes three values: minimum, initial, and maximum:
The third value must be less than or equal to wmem_max and rmem_max.

8. Enable the TCP SYN cookie option to help protect the server from SYN-flood attacks.
net.ipv4.tcp_syncookies=1
/proc/sys/net/ipv4/tcp_syncookies
This file indicates whether TCP SYN cookies are enabled; the kernel must be compiled with the CONFIG_SYN_COOKIES option. SYN cookies prevent a socket from being overwhelmed when there are too many connection attempts.

tcp_syncookies parameter type: integer
Only present when CONFIG_SYN_COOKIES is selected at kernel compile time. When the SYN queue overflows, the kernel sends SYN cookies to the peer. The purpose is to prevent SYN flood attacks. The default value is FALSE.

Note: this option must not be used on heavily loaded servers that are not under attack. If the SYN-flood message appears in the log but investigation finds no SYN-flood attack, and the cause is simply too high a load of legitimate connections, you should adjust other parameters to improve server performance. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

SYN cookies seriously violate the TCP protocol and do not allow the use of TCP extensions, which can severely degrade some services (such as SMTP relaying).
Enable TCP SYN cookies to protect the server from SYN-flood attacks, a form of denial-of-service (DoS) or distributed denial-of-service (DDoS) attack (Red Hat Enterprise Linux AS only).
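The note above asks you to tell a real SYN flood from an overloaded legitimate service before touching tcp_syncookies. The script below is an added example, not part of the original article: it summarises the kernel's "Possible SYN flooding on port" messages per port and reads the syncookie counters from a /proc/net/netstat snapshot. The log lines, host name and counter values are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article: triage the kernel's SYN-flood
# warning as the note above asks, by summarising the messages per port and
# reading the syncookie counters the message points at. Log lines, host name
# and counter values are constructed samples.
SAMPLE_LOG='Mar  3 10:01:02 web1 kernel: TCP: Possible SYN flooding on port 443. Sending cookies.  Check SNMP counters.
Mar  3 10:01:03 web1 kernel: TCP: Possible SYN flooding on port 443. Sending cookies.  Check SNMP counters.
Mar  3 10:02:10 web1 kernel: TCP: Possible SYN flooding on port 8080. Dropping request.  Check SNMP counters.
Mar  3 10:05:00 web1 kernel: eth0: link up'
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 120000 3100 45 120000 0'

# syn_flood_summary LOGFILE: one "port mode count" line per affected port.
# "cookies" means tcp_syncookies=1 engaged; "dropping" means it was off and
# excess SYNs were discarded.
syn_flood_summary() {
    awk '/Possible SYN flooding on port/ {
            for (i = 1; i <= NF; i++) if ($i == "port") { port = $(i + 1); sub(/\.$/, "", port) }
            mode = ($0 ~ /Sending cookies/) ? "cookies" : "dropping"
            count[port " " mode]++
         }
         END { for (k in count) print k, count[k] }' "$1" | sort -k3,3nr
}

# syncookie_counters NETSTAT_FILE: the SYN-flood related TcpExt counters from a
# /proc/net/netstat snapshot (a header line of names, then a line of values).
syncookie_counters() {
    awk '$1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) name[i] = $i; seen = 1; next }
         $1 == "TcpExt:" { for (i = 2; i <= NF; i++)
             if (name[i] ~ /^(Syncookies(Sent|Recv|Failed)|TCPReqQFull(DoCookies|Drop))$/) print name[i], $i }' "$1"
}

# syncookie_completion_pct NETSTAT_FILE: share of cookies sent that came back as
# a valid ACK. Spoofed flood sources never complete the handshake, so a low
# value points at a real flood and a high value at legitimate overload.
syncookie_completion_pct() {
    syncookie_counters "$1" | awk '$1 == "SyncookiesSent" { s = $2 } $1 == "SyncookiesRecv" { r = $2 }
        END { if (s > 0) printf "%.1f\n", r * 100 / s; else print "0.0" }'
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$tmp/kern.log"
printf '%s\n' "$SAMPLE_NETSTAT" > "$tmp/netstat"
syn_flood_summary "$tmp/kern.log"
syncookie_counters "$tmp/netstat"
echo "cookie completion: $(syncookie_completion_pct "$tmp/netstat")%"
rm -rf "$tmp"
```

On a live host, feed it the kernel log and /proc/net/netstat instead of the samples; a "dropping" line means the queue overflowed with syncookies still off.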

9. Turn off routing-related features
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.lo.secure_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.eth0.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.default.send_redirects=0
/proc/sys/net/ipv4/*/secure_redirects
So-called "secure redirects" means accepting ICMP "redirect" packets only from gateways listed in the default gateway list. This parameter enables the secure redirect feature. The value is a Boolean: 1 enables it, 0 disables it, and the default is enabled.
send_redirects - Boolean
Send redirect messages if the host is a router; the default is TRUE.

accept_redirects - Boolean
Accept ICMP redirect messages. Default is TRUE for a host and FALSE when used as a router.

• The following command makes the server ignore redirects from any host other than the gateways in its default gateway list. Because redirects can be used in attacks, we accept only redirects from a trusted source.

Alternatively, you can configure the host to accept or reject all ICMP redirects. ICMP redirection is the mechanism by which routers convey routing information. For example, when a gateway receives a datagram from a host on its network, it can send redirect information to that host: the gateway checks its routing table for the address of the next gateway, and that second gateway routes the datagram to the destination network. The redirect settings are turned off as follows:
• If this server is not a router, it has no need to send redirects, so you can turn the feature off:
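Setting the lines in sections 2 and 9 is only half the job; the running kernel has to be checked against them. The script below is an added example (not from the original article) that reads every interface directory under net/ipv4/conf/ and reports any redirect or source-route key that differs from the article's values. The root directory is a parameter so the tree can be a copy for offline testing.

```shell
#!/bin/sh
# Added example, not from the original article: audit the ICMP-redirect and
# source-route settings that sections 2 and 9 set, by reading them back from
# every interface directory under net/ipv4/conf/. ROOT defaults to /proc/sys;
# pointing it at a copy of the tree lets the function be exercised offline.
EXPECTED='accept_redirects=0 secure_redirects=0 send_redirects=0 accept_source_route=0'

# audit_ipv4_conf [ROOT]: prints one line per key whose live value differs from
# EXPECTED (keys a kernel or interface does not expose are skipped) and
# returns the number of deviations, so 0 means the host matches the article.
audit_ipv4_conf() {
    root=${1:-/proc/sys}
    bad=0
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for pair in $EXPECTED; do
            key=${pair%=*}
            want=${pair#*=}
            [ -r "$dir$key" ] || continue
            have=$(cat "$dir$key")
            if [ "$have" != "$want" ]; then
                printf 'net.ipv4.conf.%s.%s = %s (expected %s)\n' "$iface" "$key" "$have" "$want"
                bad=$((bad + 1))
            fi
        done
    done
    return "$bad"
}

# Run against the live tree (or SYSCTL_ROOT) when executed directly;
# no output means every exposed key already matches.
audit_ipv4_conf "${SYSCTL_ROOT:-/proc/sys}" || echo "$? deviation(s) from the recommended values"
```

The values under /proc/sys are what the kernel is using now, not what sysctl.conf says, so an interface brought up after boot shows up here even when the file is correct.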

10. Optimize the TCP receive/send buffers
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
/proc/sys/net/ipv4/tcp_wmem
tcp_wmem - a vector of three integers: min, default, max
min: the minimum memory reserved for the send buffer of a TCP socket; every TCP socket is entitled to use it from the moment it is created. The default value is 4K.
default: the amount of memory allowed for the send buffer of a TCP socket by default. This value overrides net.core.wmem_default used by other protocols and is typically lower than net.core.wmem_default. The default value is 16K.
max: the maximum memory allowed for the send buffer of a TCP socket. This value does not override net.core.wmem_max, and a socket whose SO_SNDBUF has been set explicitly is not affected by it. The default value is 128K.
Default setting: 4096 16384 131072
/proc/sys/net/ipv4/tcp_rmem
tcp_rmem - a vector of three integers: min, default, max
min: the memory reserved for the receive buffer of a TCP socket; even under memory pressure, the TCP socket will have at least this much receive buffer. The default value is 8K.
default: the amount of memory allowed for the receive buffer of a TCP socket by default. This value overrides net.core.rmem_default used by other protocols. With the defaults of tcp_adv_win_scale and tcp_app_win:0 it results in a TCP window of 65535.
max: the maximum memory allowed for the receive buffer of a TCP socket. This value does not override net.core.rmem_max, and a socket whose SO_RCVBUF has been set explicitly is not affected by it. The default value is 128K; the kernel documentation gives it as 87380*2 bytes.
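Section 7 states the constraint that ties this section to the core buffer limits: the third (max) field of tcp_rmem and tcp_wmem must not exceed rmem_max and wmem_max. The script below is an added example, not from the original article, that checks a sysctl.conf fragment for that rule and for the min <= default <= max ordering. The fragment is a constructed sample built from the article's values, with wmem_max lowered so that one check fails.

```shell
#!/bin/sh
# Added example, not from the original article: check a sysctl.conf fragment for
# the constraint stated in section 7, that the third (max) field of
# net.ipv4.tcp_rmem / net.ipv4.tcp_wmem must not exceed net.core.rmem_max /
# net.core.wmem_max, and that each triple is ordered min <= default <= max.
# Constructed sample: the article's values, with wmem_max lowered so one fails.
SAMPLE_CONF='# socket buffers
net.core.rmem_max = 16777216
net.core.wmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216'

# conf_value FILE KEY: last value assigned to KEY (comments and spaces around '=' tolerated).
conf_value() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_buffer_pair FILE TCP_KEY CORE_KEY: prints OK/FAIL/SKIP; returns 1 on a
# violation and 2 when either key is absent from FILE.
check_buffer_pair() {
    file=$1 tkey=$2 ckey=$3
    triple=$(conf_value "$file" "$tkey")
    core=$(conf_value "$file" "$ckey")
    if [ -z "$triple" ] || [ -z "$core" ]; then
        echo "SKIP $tkey: $tkey or $ckey not set in $file"; return 2
    fi
    set -- $triple          # word-split "min default max" into $1 $2 $3
    if [ "$#" -ne 3 ]; then echo "FAIL $tkey: expected three values, got '$triple'"; return 1; fi
    if [ "$1" -gt "$2" ] || [ "$2" -gt "$3" ]; then
        echo "FAIL $tkey: not ordered min <= default <= max ($triple)"; return 1
    fi
    if [ "$3" -gt "$core" ]; then
        echo "FAIL $tkey: max $3 exceeds $ckey=$core"; return 1
    fi
    echo "OK   $tkey: max $3 <= $ckey=$core"
}

# check_sysctl_conf FILE: run both pairs; returns the number that did not pass.
check_sysctl_conf() {
    bad=0
    check_buffer_pair "$1" net.ipv4.tcp_rmem net.core.rmem_max || bad=$((bad + 1))
    check_buffer_pair "$1" net.ipv4.tcp_wmem net.core.wmem_max || bad=$((bad + 1))
    return "$bad"
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONF" > "$tmp/sysctl.conf"
check_sysctl_conf "$tmp/sysctl.conf" || echo "$? violation(s)"
rm -rf "$tmp"
```

Run it against /etc/sysctl.conf before `sysctl -p`, since the kernel accepts a tcp_wmem max above wmem_max without complaint and simply caps the effective buffer.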

11. Configure the server to reject broadcast storms and Smurf attacks:

12. Some routers send invalid responses to broadcast frames, each of which generates a warning and a kernel log entry. These responses can be ignored:

13. Do not cache ssthresh from the previous connection:
net.ipv4.tcp_no_metrics_save = 1

14. Increase the maximum number of skb-heads to be cached:
net.core.hot_list_length = 256

15. Increase the TCP time-wait buckets pool size:
net.ipv4.tcp_max_tw_buckets = 360000

16. Lower the SYN retry rates:
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

17. Set the TCP re-ordering value in the kernel to 5:
net.ipv4.tcp_reordering = 5
