Optimize Linux kernel parameters

Source: Internet
Author: User

vim /etc/sysctl.conf

1. net.ipv4.tcp_max_syn_backlog = 65536

The maximum number of remembered connection requests (half-open connections) that have not yet been acknowledged by the connecting client. The default scales with installed memory: per the kernel documentation the floor is 128 on low-memory machines and it rises in proportion to RAM on larger ones. Check the value the running kernel chose with sysctl net.ipv4.tcp_max_syn_backlog before overriding it.

A SYN flood abuses the TCP three-way handshake: the attacker sends a large number of TCP SYN segments, usually from forged source addresses, so that the target accumulates half-open connections until its socket queues are exhausted and it can no longer accept new connections. To cope with this, Linux (like other modern Unix systems) keeps two queues per listening socket, which buffers such attacks rather than solving them: fully established connections that are waiting for the application's accept() sit in the accept queue (sized by the listen() backlog, capped by net.core.somaxconn), while half-open connections are held separately in the SYN queue.

Combined with other kernel measures such as SYN cookies (net.ipv4.tcp_syncookies = 1, which should stay enabled), this two-queue design mitigates small-scale SYN floods (in practice, below roughly 1000 packets per second). A host under SYN flood typically shows a large number of sockets in SYN_RECV (ss -tn state syn-recv), so a longer SYN queue lets more pending connections wait and raises resistance to SYN attacks. Two caveats: on current kernels the SYN queue is also capped by the listen backlog (the smaller of the application's listen() argument and net.core.somaxconn), so raising tcp_max_syn_backlog alone changes nothing unless those allow it; and whether the queues are actually overflowing is visible in the TcpExtListenOverflows and TcpExtListenDrops counters from nstat -az and in the Recv-Q/Send-Q columns that ss -ltn prints for listening sockets (current accept-queue length and backlog respectively).

2. net.core.netdev_max_backlog = 32768

The maximum number of packets queued on the input side (one backlog queue per CPU) when a network interface receives packets faster than the kernel can process them. Packets beyond this limit are dropped and counted in the second column of /proc/net/softnet_stat.

3. net.core.somaxconn = 32768

The upper bound on the listen() backlog, i.e. the size of the accept queue of established connections waiting for the application to call accept(). Raise it to absorb bursts of incoming connection requests: a larger queue holds more connections until they are accepted, so fewer fail under sudden load. The default is 128 (4096 since Linux 5.4). Note that an application's own listen() backlog argument is silently capped at this value, so a server configured with a backlog of 32768 still gets 128 unless somaxconn is raised as well. A larger queue helps ride out bursts; it does not by itself prevent a DDoS.

4. net.core.wmem_default = 8388608

The default send buffer size of a socket, in bytes, for sockets that do not set SO_SNDBUF (TCP sockets take their default from net.ipv4.tcp_wmem instead).

5. net.core.rmem_default = 8388608

The default receive buffer size of a socket, in bytes (again, TCP sockets take their default from net.ipv4.tcp_rmem).

6. net.core.rmem_max = 16777216

The maximum receive buffer size an application may request with setsockopt(SO_RCVBUF), in bytes.

7. net.core.wmem_max = 16777216

The maximum send buffer size an application may request with setsockopt(SO_SNDBUF), in bytes. These two caps do not bound TCP autotuning, which is governed by the third value of net.ipv4.tcp_rmem and net.ipv4.tcp_wmem; an application that sets SO_RCVBUF or SO_SNDBUF explicitly turns autotuning off for that socket and is then limited by rmem_max/wmem_max.

8. net.ipv4.tcp_timestamps = 0

TCP timestamps (RFC 7323) guard against wrapped sequence numbers (PAWS): on a 1 Gbit/s link the 32-bit sequence space wraps within seconds, so a delayed segment from an earlier incarnation of the connection can carry a sequence number that falls inside the current window, and only the timestamp lets the kernel recognise and discard such stale "anomalous" segments. The original advice is to disable them for performance, but the gain is negligible on modern kernels and the cost is real: tcp_tw_reuse (item 12) only works while timestamps are enabled, and RTT measurement becomes less accurate. Keep net.ipv4.tcp_timestamps = 1 unless you have a measured reason not to.

9. net.ipv4.tcp_synack_retries = 2

For an incoming connection request (SYN), the kernel replies with SYN+ACK to acknowledge it; this is the second step of the three-way handshake. This parameter is the number of times that SYN+ACK is retransmitted before the half-open connection is dropped. It should not exceed 255. The default is 5, which with the current 1-second initial RTO means the last retransmission goes out after about 31 seconds and the entry is discarded after about 63 seconds (older kernels with a 3-second initial RTO took about 180 seconds). Lowering it to 2 frees SYN-queue slots faster under a SYN flood, at the cost of dropping legitimate clients on very lossy paths. (See tcp_syn_retries for the outgoing counterpart.)

10. net.ipv4.tcp_syn_retries = 2

For a new outgoing connection, the number of times the initial SYN is retransmitted before the kernel gives up. It should not exceed 127. The default is 6 on current kernels (last retransmission after about 63 seconds, final failure after about 127 seconds; older kernels defaulted to 5, roughly 180 seconds). On a well-connected, high-load network this is too generous and 2 is reasonable. The value applies only to connections this host initiates; for incoming connections the matching knob is tcp_synack_retries above, while tcp_retries1 and tcp_retries2 govern retransmission on established connections.

11. net.ipv4.tcp_tw_recycle = 1

Enables fast recycling of TIME-WAIT sockets. The default is 0 (fast recycling disabled). Do not use this: it validated peers by per-host timestamps and silently dropped SYNs from clients behind a NAT or load balancer whose timestamps were not monotonic, and it was removed from the kernel in Linux 4.12, so on current systems sysctl reports the key as unknown.

# net.ipv4.tcp_tw_len = 1 (commented out in the original; tcp_tw_len is not a sysctl provided by the mainline kernel)

12. net.ipv4.tcp_tw_reuse = 1

Allows TIME-WAIT sockets to be reused for new outgoing connections when it is safe from the protocol's point of view (the new connection's timestamp is newer than the old one's). The default is 0, disabled, on older kernels; since Linux 4.19 it is 2, meaning reuse only for loopback connections. It requires net.ipv4.tcp_timestamps = 1, so it is inert with item 8 as written, and it affects only connections this host initiates, which is what helps a proxy or client that exhausts ephemeral ports towards the same backend. It does not fix "Address already in use" when a service is restarted: that is the listening side, handled by SO_REUSEADDR in the application.

13. net.ipv4.tcp_mem = 94500000 915000000 927000000

tcp_mem takes three integer values, low, pressure and high, all counted in pages (not bytes), which bound the memory used by all TCP sockets together.

Low: while TCP uses fewer pages than this there is no memory pressure and nothing is reclaimed. (Ideally this matches the second value of tcp_wmem; the figure given is the default per-socket buffer size times the expected number of concurrent connections, divided by the page size: 131072 * 300 / 4096.)

Pressure: when TCP's usage exceeds this many pages it enters pressure mode and tries to hold its usage steady; it leaves pressure mode once usage drops below low again. (Ideally the maximum buffer size TCP should normally use: 204800 * 300 / 4096.)

High: the number of pages all TCP sockets together may use for queued and buffered data. Above this TCP stops allocating buffer memory and connections fail, which is why the value must not be too conservative (512000 * 300 / 4096). That leaves generous headroom: it can carry 2.5 times as many connections as planned, or let the existing connections buffer 2.5 times as much data.

The kernel computes these values from installed memory at boot and the defaults are adequate for most systems. Note that the figures in this item are pages: 927000000 pages is about 3.5 TiB, far beyond anything the 300-connection arithmetic above implies, so derive them from your own RAM (the boot-time values are shown by sysctl net.ipv4.tcp_mem) rather than copying them.

14. net.ipv4.tcp_max_orphans = 3276800

The maximum number of TCP sockets not attached to any process (orphans, e.g. sockets the application has closed but which are still finishing the FIN exchange) that the system will hold. Beyond this, orphaned connections are reset immediately and a warning is logged. The limit exists only to blunt simple DoS attacks: do not rely on it and do not lower it artificially, but raise it (after adding memory) if network conditions require more. Each orphan can hold up to about 64 KiB of unswappable memory, so 3276800 orphans could pin roughly 200 GiB; size the value to the machine.

# net.ipv4.tcp_fin_timeout = 30 (seconds a locally closed socket stays in FIN-WAIT-2 waiting for the peer's FIN; default 60)

# net.ipv4.tcp_keepalive_time = 120 (seconds of idleness before the first keepalive probe on sockets with SO_KEEPALIVE; default 7200)

15. net.ipv4.ip_local_port_range = 1024 65535

Sets the ephemeral (local) port range used for outgoing connections to 1024 through 65535 (the default on current kernels is 32768 to 60999). Widening it gives a client or proxy more outbound ports towards the same destination; the trade-off is that the kernel may hand out a port that a service expects to bind later. Exclude such ports with net.ipv4.ip_local_reserved_ports.

16. net.ipv4.ip_conntrack_max = 10000

Limits how many connections the netfilter connection tracker will hold (this key belongs to the old ip_conntrack module; CentOS 5.6 does not have it). On current kernels the key is net.netfilter.nf_conntrack_max and the default is computed from memory when the module loads. 10000 is low for a busy server: when the table fills, new connections are dropped and the kernel logs "nf_conntrack: table full, dropping packet". Raising the limit costs memory and only matters on hosts that actually load conntrack (NAT or stateful firewall rules).
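The following script is an added example and not code from the original article: it reads a sysctl.conf fragment and flags the interactions discussed in items 1, 3, 8, 11 to 14 and 16 before the file is loaded (tcp_tw_reuse without timestamps, the removed tcp_tw_recycle, a tcp_max_syn_backlog that somaxconn makes unreachable, tcp_mem and tcp_max_orphans values that exceed physical memory because they are counted in pages or 64 KiB units, and the obsolete ip_conntrack_max key). The sample file it lints is constructed from this article's own values; the 4096-byte page size and the 64 KiB-per-orphan budget are assumptions, the latter taken from the kernel's ip-sysctl documentation.

```shell
#!/bin/sh
# Added example (not part of the original article): lint a sysctl.conf fragment
# for the interactions described in items 1, 3, 8, 11-14 and 16 before loading it
# with "sysctl -p". Assumptions: a 4096-byte page (override with PAGE_SIZE=...)
# and about 64 KiB of unswappable memory per orphaned socket, the figure given
# in the kernel's ip-sysctl documentation.
set -u
PAGE_SIZE=${PAGE_SIZE:-4096}
ORPHAN_KB=64

# Print the value of one key from a sysctl.conf file (last definition wins).
# Comment lines are skipped; whitespace around "=" is tolerated.
sysctl_conf_get() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { if (found != "") print found }' "$2"
}

# Print one warning per problem found; the return value is the number of
# warnings, so 0 means nothing was flagged. $2 is MemTotal in KiB.
lint_sysctl_conf() {
    conf=$1; mem_kb=$2; n=0
    ts=$(sysctl_conf_get net.ipv4.tcp_timestamps "$conf")
    reuse=$(sysctl_conf_get net.ipv4.tcp_tw_reuse "$conf")
    recycle=$(sysctl_conf_get net.ipv4.tcp_tw_recycle "$conf")
    synq=$(sysctl_conf_get net.ipv4.tcp_max_syn_backlog "$conf")
    somax=$(sysctl_conf_get net.core.somaxconn "$conf")
    tcpmem=$(sysctl_conf_get net.ipv4.tcp_mem "$conf")
    orphans=$(sysctl_conf_get net.ipv4.tcp_max_orphans "$conf")
    ct=$(sysctl_conf_get net.ipv4.ip_conntrack_max "$conf")

    # tcp_tw_reuse depends on TCP timestamps (item 8 versus item 12).
    if [ "${reuse:-0}" = 1 ] && [ "${ts:-1}" = 0 ]; then
        echo "tcp_tw_reuse=1 is inert while tcp_timestamps=0"; n=$((n + 1))
    fi
    # tcp_tw_recycle was removed in Linux 4.12 after breaking clients behind NAT.
    if [ -n "$recycle" ]; then
        echo "tcp_tw_recycle no longer exists (removed in 4.12); delete it"; n=$((n + 1))
    fi
    # The SYN queue is capped by min(listen backlog, somaxconn).
    if [ -n "$synq" ] && [ -n "$somax" ] && [ "$synq" -gt "$somax" ]; then
        echo "tcp_max_syn_backlog=$synq exceeds somaxconn=$somax and cannot be reached"; n=$((n + 1))
    fi
    # tcp_mem is in pages; compare its high mark with physical memory.
    if [ -n "$tcpmem" ]; then
        high_pages=${tcpmem##* }
        high_kb=$((high_pages * PAGE_SIZE / 1024))
        if [ "$high_kb" -gt "$mem_kb" ]; then
            echo "tcp_mem high=$high_pages pages ($((high_kb / 1024)) MiB) exceeds MemTotal ($((mem_kb / 1024)) MiB): tcp_mem is in pages"; n=$((n + 1))
        fi
    fi
    # Orphans are budgeted at ORPHAN_KB each and are unswappable.
    if [ -n "$orphans" ] && [ $((orphans * ORPHAN_KB)) -gt "$mem_kb" ]; then
        echo "tcp_max_orphans=$orphans could pin $((orphans * ORPHAN_KB / 1024)) MiB, more than MemTotal"; n=$((n + 1))
    fi
    if [ -n "$ct" ]; then
        echo "net.ipv4.ip_conntrack_max is obsolete; use net.netfilter.nf_conntrack_max"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: the article's settings written out as a conf file.
write_sample_conf() {
    cat > "$1" <<'EOF'
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
# net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_conntrack_max = 10000
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null || echo 16777216)
lint_sysctl_conf "$tmp" "${mem_kb:-16777216}" || echo "$? warning(s) in $tmp; fix them before sysctl -p"
rm -f "$tmp"
```

To lint a real file, call lint_sysctl_conf with its path and the MemTotal figure from /proc/meminfo; a non-zero return means the file needs fixing before sysctl -p. The linter does not know which keys the running kernel exposes, so pair it with sysctl -e -p (which ignores unknown keys) or check for the key under /proc/sys before writing it.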
