tcp_max_orphans

/proc/sys/net/ipv4/tcp_max_orphans

系统所能处理不属于任何进程的TCP sockets最大数量。假如超过这个数量，那么不属于任何进程的连接会被立即reset，并同时显示警告信息。之所以要设定这个限制﹐纯粹为了抵御那些简单的 DoS 攻击﹐千万不要依赖这个或是人为的降低这个限制，更应该增加这个值(如果增加了内存之后)。每个孤儿套接字最多能够吃掉你64K不可交换的内存。

Maximal number of TCP sockets not attached to any user file handle, held by system. If this number is exceeded orphaned connections are reset immediately and warning is printed. This limit exists only to prevent simple DoS attacks, you must not rely on this or lower the limit artificially, but rather increase it (probably, after increasing installed memory), if network conditions require more than default value, and tune network services to linger and kill such states more aggressively. Let me to remind again: each orphan eats up to ~64 KB of unswappable memory.

/proc/sys/net/ipv4/tcp_orphan_retries

本端试图关闭TCP连接之前重试多少次。缺省值是7，相当于50秒~16分钟(取决于RTO)。如果你的机器是一个重载的WEB服务器，你应该考虑减低这个值，因为这样的套接字会消耗很多重要的资源。参见tcp_max_orphans。

How may times to retry before killing TCP connection, closed by our side. Default value 7 corresponds to  50sec-16min depending on RTO. If your machine is a loaded WEB server, you should think about lowering this value, such sockets may consume significant resources. Cf. tcp_max_orphans

源码

static int tcp_out_of_resources(struct sock *sk, int do_reset)

{

struct tcp_sock *tp = tcp_sk(sk);

int orphans = atomic_read(&tcp_orphan_count);

/* If peer does not open window for long time, or did not transmit

* anything for long time, penalize it. */

if ((s32)(tcp_time_stamp - tp->lsndtime) > 2*TCP_RTO_MAX || !do_reset)

orphans <<= 1;

/* If some dubious ICMP arrived, penalize even more. */

if (sk->sk_err_soft)

orphans <<= 1;

if (tcp_too_many_orphans(sk, orphans)) {

if (net_ratelimit())

printk(KERN_INFO "Out of socket memory\n");

/* Catch exceptional cases, when connection requires reset.

* 1. Last segment was sent recently. */

if ((s32)(tcp_time_stamp - tp->lsndtime) <= TCP_TIMEWAIT_LEN ||

/* 2. Window is closed. */

(!tp->snd_wnd && !tp->packets_out))

do_reset = 1;

if (do_reset)

tcp_send_active_reset(sk, GFP_ATOMIC);

tcp_done(sk);

NET_INC_STATS_BH(LINUX_MIB_TCPABORTONMEMORY);

return 1;

}

}

return 0;

}

[1]http://blog.chinaunix.net/uid-24237502-id-3014152.html

[2]http://www.blogjava.net/fine/archive/2008/07/26/217709.html

[3]http://www.linuxinsight.com/proc_sys_net_ipv4_tcp_max_orphans.html

[4]http://pastebin.com/fZNh3LJf

[5]http://lartc.org/howto/lartc.kernel.obscure.html

[6]http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/tcpvariables.html

[7]http://hi.baidu.com/lewutian/item/d51143fbaa226aed1a111fcd