Linux system optimization sysctl

Source: Internet
Author: User
Tcp_syn_retries: the default INTEGER value is 5. for a new connection, the number of SYN connection requests sent by the kernel is determined to discard. It should not be greater than 255. the default value is 5, corresponding to the left-right time of 180 seconds. (For a network with high load and good physical communication, this value is too high and can be changed to 2 ....

 

Tcp_syn_retries

: INTEGER

The default value is 5.

For a new connection, the kernel determines how many SYN connection requests are sent before giving up. It should not be greater than 255. the default value is 5, corresponding to the left-right time of 180 seconds. (For a network with high load and good physical communication, this value is too high and can be changed to 2. this value is only for external connections. for incoming connections, it is set by tcp_retries1.

Determined)

 

Tcp_synack_retries: INTEGER

The default value is 5.

For the remote connection request SYN, the kernel sends the SYN + ACK datagram to confirm receipt of the previous SYN connection request packet. This is the second step of the so-called threeway handshake mechanism. The number of SYN + ACK sent by the kernel before the connection is abandoned. It should not be greater than 255. the default value is 5, corresponding to the left-right time of 180 seconds. (According to the above tcp_syn_retries

To determine the value)

 

Tcp_keepalive_time: INTEGER

The default value is 7200 (2 hours)

When keepalive is enabled, the frequency at which TCP sends the keepalive message. (Due to factors such as network attacks, this attack is very frequent. some cu friends once mentioned that if a connection is established on both sides, if no data or rst/fin messages are sent, will the duration be 2 hours or empty connection attacks?

Tcp_keepalive_time is used to prevent this situation. I personally changed the value to 1800 seconds when performing the nat service)

 

Tcp_keepalive_probes: INTEGER

The default value is 9.

TCP sends a keepalive test to determine the number of times the connection has been disconnected. (Note: it is sent only when the SO_KEEPALIVE socket option is enabled. the number of requests does not need to be modified by default. of course, this value can be shortened as appropriate. it is more appropriate to set it to 5)

 

Tcp_keepalive_intvl: INTEGER

The default value is 75.

The frequency of probe message sending. multiply by tcp_keepalive_probes to get the time for the connection that has not responded since the start of the probe. The default value is 75 seconds, indicating that connections without activity will be dropped after about 11 minutes. (For common applications, this value is too large and can be changed as needed. especially for web servers, this value needs to be changed to a smaller value. 15 is a suitable value)

 

Tcp_retries1: INTEGER

The default value is 3.

Before giving up responding to a TCP connection request? The number of retries required. What is the minimum value required by RFC? Which is the default value? The RTO value is about 3 to 8 minutes. (Note: This value also determines the syn connection)

 

Tcp_retries2: INTEGER

The default value is 15.

Before discarding the activated TCP connection (established communication status? The number of retries required. The default value is 15, which is determined by the RTO value, equivalent to 13-30 minutes (RFC1122 requires that the value must be greater than 100 seconds ). (this value can be adjusted to 5 according to the current network settings)

 

Tcp_orphan_retries: INTEGER

The default value is 7.

Before dropping the TCP connection in the near end? The number of retries. The default value is 7? Equivalent to 50-16 minutes? Depends on RTO. If your system is a web server with a large load? So it may need to be lowered? Such sockets may consume a lot of resources. Tcp_max_orphans

. (In fact, lowering the value of NAT is also a significant benefit. in my own network environment, reducing the value to 3)

 

Tcp_fin_timeout: INTEGER

The default value is 60.

For local-end closed socket connections, TCP stays in the FIN-WAIT-2 state. The other party may disconnect or never end the connection or unexpected process will die. The default value is 60.

Seconds. In the past, the kernel of version 2.2 was 180 seconds. Can you set this value? But do you need to pay attention? If your machine is a web server with heavy load? Are you at risk of memory being filled with a large number of invalid data packets? The risk of FIN-WAIT-2 sockets is lower than that of FIN-WAIT-1? Because they only eat 1.5 kB of memory at most? However, they exist for a longer time. For more information, see tcp_max_orphans. (In fact, lowering the value of NAT is also a significant benefit. in my own network environment, this value is reduced to 30)

 

Tcp_max_tw_buckets: INTEGER

The default value is 180000.

The maximum number of timewait sockets simultaneously processed. If this number is exceeded? The time-wait socket is immediately cut down and a warning message is displayed. Is this restriction set? Simply to defend against those simple DoS attacks? Do not artificially reduce this restriction? But? If more network conditions are required than default values? You can increase it (or increase the memory ). (In fact, it is best to add this value when performing NAT)

 

Tcp_tw_recycle: BOOLEAN

The default value is 0.

Enable quick TIME-WAIT sockets recycle. Unless recommended or required by technical experts? Do not modify this value at will. (We recommend that you enable it when performing NAT)

 

 

 

 

 

 

Tcp_tw_reuse: BOOLEAN

The default value is 0.

This file indicates whether to allow re-application of a socket in the TIME-WAIT status to be used for a new TCP connection, it is very helpful to prompt that the port has been used after it is started)

 

Tcp_max_orphans: INTEGER

The default value is 8192.

The maximum number of TCP sockets that the system can process for any process. What if the number is exceeded? Connections that do not belong to any process will be immediately reset and a warning will be displayed. Is this restriction set? Simply to defend against those simple DoS attacks? Do not rely on this or manually reduce this limit (this value is set to 32768 in the Redhat AS version, but it is recommended that this value be modified to 2000 when many firewalls are modified)

 

Tcp_abort_on_overflow: BOOLEAN

The default value is 0.

When the daemon is too busy to accept new connections, it is like the other party sending a reset message. the default value is false. This means that when the cause of overflow is an accidental burst, the connection will be restored. This option is enabled only when you are sure that the Daemon cannot complete the connection request. this option affects your use. (For services such as sendmail and apache that are already fully loaded, this can quickly cause the client to terminate the connection and give the service program the opportunity to process the buffer of existing connections. Therefore, we recommend that you enable sendmail on many firewalls)

 

Tcp_syncookies: BOOLEAN

The default value is 0.

Only CONFIG_SYNCOOKIES are selected during kernel compilation. Syncookies are sent when the syn wait queue overflows. The objective is to prevent syn flood attacks.

Note: This option cannot be used on high-load servers that do not receive Attacks. if a synflood message appears in the log, but the investigation finds that the synflood attack is not received, the reason is that the connection load of legal users is too high. you should adjust other parameters to improve server performance. Refer:

Tcp_max_syn_backlog

Tcp_synack_retries

Tcp_abort_on_overflow

Syncookie seriously violates the TCP protocol and does not allow the use of TCP extensions, which may cause serious performance impact on some services (such as SMTP forwarding ). (Note: This implementation is the same as the tcp proxy used in BSD. it violates the three-way handshake implementation of tcp connections in RFC, but it is useful for defending syn-flood .)

 

Tcp_stdurg: BOOLEAN

The default value is 0.

Use the host request interpretation function in the TCP urg pointer field. Most hosts use old BSD interpretations, so if you open it in Linux? It may lead to failure to communicate with them correctly.

 

 

 

 

 

 

Tcp_max_syn_backlog

: INTEGER

For connection requests that are still not confirmed by the client? The maximum number of messages to be saved in the queue. For systems with more than 128 Mb of memory? The default value is 1024.

? If it is less than 128 Mb, it is 128. If the server is often overloaded? You can try to add this number. Warning? If you set this value to greater than 1024? It is best to modify include/net/tcp. h

TCP_SYNQ_HSIZE

? To keep TCP_SYNQ_HSIZE * 16 <= tcp_max_syn_backlog

? And compiled into the core. (SYN Flood attacks spread handshaking defects using TCP protocol, counterfeit fake source IP address to send a large number of TCP-SYN semi-open connection to the target system, as a result, the Socket queue resources of the target system are exhausted and new connections cannot be accepted. To cope with such attacks, modern Unix systems generally use multi-connection queue processing to buffer (rather than solve) such attacks, connect () and Accept () are normally processed using a basic queue. the connection is separately stored and semi-open in another queue. This dual-queue processing method can effectively mitigate small-scale Syn Flood attacks when combined with other system kernel measures (such as SYN-Cookies/Caches) (it turns out <1000 p/s) increasing the length of the SYN queue can accommodate more network connections waiting for connection. Therefore, you can increase the length of the Server .)

 

Tcp_window_scaling: INTEGER

The default value is 1.

This file indicates whether the size of the hop window of the TCP/IP session is variable. The parameter value is a Boolean value. if it is 1, it indicates variable. if it is 0, it indicates non-variable. TCP/IP usually uses a window of up to 65535 bytes. for high-speed networks, this value may be too small. if this function is enabled, the TCP/IP sliding window size can be increased by several orders of magnitude to improve the data transmission capability (RFC 1323 ). (For an ordinary M network, disabling it will reduce the overhead, so if it is not a high-speed network, you can consider setting it to 0)

 

Tcp_timestamps: BOOLEAN

The default value is 1.

Timestamps is used in other things? This prevents forged sequence numbers. A 1G broadband line may re-encounter an old sequence number with an out-of-line value (if it was generated last time ). Timestamp will let it know that this is an 'old package '. (This file indicates whether to enable RTT computing in a more accurate way than timeout resend (RFC 1323). This option should be enabled for better performance .)

 

Tcp_sack: BOOLEAN

The default value is 1.

Use Selective ACK? It can be used to find specific lost Datagram, which helps to quickly restore the status. This file indicates whether Selective Acknowledgment is enabled ), this can improve the performance by selectively responding to messages received in disordered order (this allows the sender to send only lost packets ). (This option should be enabled for Wan communication, but this will increase CPU usage .)

 

Tcp_fack: BOOLEAN

The default value is 1.

Enable the FACK congestion avoidance and fast retransmission functions. (Note: When tcp_sack is set to 0, this value is invalid even if it is set to 1)

 

Tcp_dsack: BOOLEAN

The default value is 1.

Allow TCP to send "two identical" SACK messages.

 

Tcp_ecn: BOOLEAN

The default value is 0.

Enable the direct congestion notification function of TCP.

 

Tcp_reordering: INTEGER

The default value is 3.

Maximum number of datagram in a TCP stream. (We recommend that you slightly adjust this value, for example, 5)

 

Tcp_retrans_collapse: BOOLEAN

The default value is 1.

It provides compatibility with bugs for some printers. (You can disable this feature if you do not need this feature)

 

Tcp_wmem (3 INTEGER variables): min, default, max

Min: The minimum memory size reserved for the TCP socket for sending buffering. Each tcp socket can be used later. The default value is 4096 (4 K ).

 

Default: the amount of memory reserved for the TCP socket for sending buffering. by default, this value affects the net. core. wmem_default used by other protocols.

Value, which is generally lower than the value of net. core. wmem_default. The default value is 16384 (16 K ).

 

Max: maximum memory used for TCP socket sending buffer. This value does not affect net. core. wmem_max. the "static" parameter SO_SNDBUF is not affected. The default value is 131072 (128 K ). (For the server, adding this parameter value is helpful for sending data. in my network environment, it is changed to 51200 131072 204800)

 

Tcp_rmem (3 INTEGER variables): min, default, max

Min: reserved the amount of memory used to receive the buffer for the TCP socket. even if the memory is insufficient, the tcp socket will have at least so many memories for receiving the buffer. the default value is 8 kB.

 

Default: the amount of memory reserved for TCP socket for receiving buffering. by default, this value affects net. core. wmem_default used by other protocols.

Value. This value determines that the TCP window size is 65535 when tcp_adv_win_scale, tcp_app_win, and tcp_app_win = 0 by default. The default value is 87380.

 

Max: maximum memory used for TCP socket receiving buffer. This value does not affect net. core. wmem_max. the "static" parameter SO_SNDBUF is not affected. The default value is 128 K. The default value is 87380*2 bytes. (We can see that the. max setting is preferably twice the default setting. for NAT, it is mainly necessary to increase it, and my network is 51200 131072 204800)

 

Tcp_mem (3 INTEGER variables): low, pressure, high

Low: When TCP uses the number of memory pages lower than this value, TCP does not consider releasing the memory. (Ideally, this value should match the 2nd values specified to tcp_wmem-the 2nd values indicate that, the maximum page size multiplied by the maximum number of concurrent requests divided by the page size (131072*300/4096 ).)

 

Pressure: When TCP uses the number of memory pages that exceed this value, TCP tries to stabilize its memory usage and enters the pressure mode. when the memory consumption is lower than the low value, it exits the pressure state. (Ideally, this value is the maximum buffer size (204800*300/4096) that can be used by TCP ).)

 

High: the number of pages that allow all tcp sockets to be used for queuing and buffering data packets. (If this value is exceeded, the TCP connection will be rejected, which is why it should not be too conservative (512000*300/4096. In this case, it provides a great deal of value. it can process many connections, which is 2.5 times as expected; or it can make existing connections transmit 2.5 times of data. My network is 192000 300000 732000)

 

Generally, these values are calculated based on the number of system memory at system startup.

 

Tcp_app_win: INTEGER

The default value is 31.

Retain the max (window/2 ^ tcp_app_win, mss) number of windows due to application buffering. If the value is 0, no buffer is required.

 

Tcp_adv_win_scale: INTEGER

The default value is 2.

Computing buffer overhead bytes/2 ^ tcp_adv_win_scale (if tcp_adv_win_scale> 0) or bytes-bytes/2 ^ (-tcp_adv_win_scale) (if tcp_adv_win_scale <= 0 ).

 

 

 

 

 

 

Tcp_rfc1337: BOOLEAN

The default value is 0.

This switch can be enabled to fix the "tcp time-wait assassination crisis" problem described in RFC1337. When enabled, the kernel discards the RST packets sent to the time-wait status TCP socket.

 

 

 

 

 

 

Tcp_low_latency: BOOLEAN

The default value is 0.

Allow TCP/IP stack to adapt to low latency in high throughput; this option is generally disabled. (But it is helpful to open the Beowulf cluster when building it)

 

 

 

 

 

 

Tcp_westwood: BOOLEAN

The default value is 0.

Enable the sender's congestion control algorithm to maintain the Throughput evaluation and try to optimize the overall bandwidth utilization. this option should be enabled for WAN communication.

 

 

 

 

 

 

Tcp_bic: BOOLEAN

The default value is 0.

Enable Binary Increase Congestion for a fast long-distance network; this allows for better access to links for operations at the GB speed; this option should be enabled for WAN communication.

 

 

 

 

 

 

 

 

 

 

 

 

# In the following section, we recommend that you disable syn flood attacks.

 

 

 

Sysctl-w net. ipv4.tcp _ syncookies = 1

# Tcp syncookie, disabled by default

 

 

 

Sysctl-w net. ipv4.tcp _ max_syn_backlog = 1280

# Syn queue. the default value is 1024.> 1280 may be unstable. you need to modify the kernel source code parameters.

 

 

 

Sysctl-w net. ipv4.tcp _ synack_retries = 2

# Number of retries in syn-ack handshake status. the default value is 5. the number of retries is changed to 1 or 2 in syn-flood attacks.

 

 

 

Sysctl-w net. ipv4.tcp _ syn_retries = 2

# Number of external syn handshake retries. the default value is 4.

 

 

 

 

 

 

 

 

 

# The following section deals with tcp connect connection depletion attacks. if The iptables connlimit module is enabled, it can be disabled.

 

 

 

# Use it with caution due to serious connection performance impact and unstable factors

 

 

 

Sysctl-w tcp_tw_recycle = 1

#0 by default, tw fast recovery

 

 

 

Sysctl-w tcp_tw_reuse = 1

#0 by default, tw reuse

 

 

 

Sysctl-w tcp_keepalive_intvl = 60

# Default 75, tcp keeplive probe polling time

 

 

 

Sysctl-w tcp_keepalive_probes = 3

#9 by default, tcp keeplive probe polling times

 

 

 

Sysctl-w tcp_keepalive_time = 1800

# Default 7200, tcp keeplive time

 

 

 

Sysctl-w tcp_fin_timeout = 30

# Default value: 60. tcp fin status timeout time

 

 

 

# Sysctl-w net. ipv4.tcp _ retries1 = 2

# Tcp connection retransmission parameters, use with caution

 

 

 

# Sysctl-w net. ipv4.tcp _ retries2 = 8

 

 

 

 

 

 

Sysctl-w net. ipv4.ip _ conntrack_max = 65535

# Increasing the iptables status tracking table

 

 

 

Bytes -----------------------------------------------------------------------------------

 

 

Reasons for CLOSE_WAIT status generation

First, we know that if our server program APACHE is in the CLOSE_WAIT status, it means the socket is passively closed!

If the CLIENT breaks the current connection, the two parties need four packages to close the TCP connection:

Client ---> FIN ---> Server

Client <--- ACK <--- Server

 

At this time, the Client is in the FIN_WAIT_2 state, while the Server program is in the CLOSE_WAIT state.

Client <--- FIN <--- Server

When the Server sends FIN to the Client, the Server is set to the LAST_ACK state.

Client ---> ACK ---> Server

When the Client responds to ACK, the socket of the Server is actually set to CLOSED.

The Server program is in the CLOSE_WAIT state, instead of the LAST_ACK state. it indicates that no FIN has been sent to the Client, so there may be a lot of data to be sent or other work to be done before closing the connection, as a result, the FIN packet is not sent.

Generally, a CLOSE_WAIT will last for at least two hours. If a rogue writes a program specially, it will create a bunch of CLOSE_WAIT for you, consuming

Your resources usually fail to be released, and the system has fixed the crash.

You can only modify the TCP/IP parameters to shorten the time: modifying the tcp_keepalive _ * series parameters helps solve this problem.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.