possible SYN flooding on port 3690 Sending cookies - Alibaba Cloud Developer Community


After enabling syncookies you will often see this warning in the kernel log: "possible SYN flooding on port 3690. Sending cookies".

First, let's look at what the kernel's sysctl documentation (sysctl.txt) says about the syncookies option:

tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common 'syn flood attack'
Default: FALSE

Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

If system resources are otherwise fine, in most cases this is not a SYN flood but too many concurrent connections.

The documentation above suggests tuning tcp_max_syn_backlog, tcp_synack_retries and tcp_abort_on_overflow:

net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.core.netdev_max_backlog = 1000

# net.core.netdev_max_backlog given again with a larger value (the later line wins when both are loaded):
net.core.netdev_max_backlog = 300000 # number of unprocessed input packets before kernel starts dropping them, default 300

tcp_max_syn_backlog - INTEGER
Maximal number of remembered connection requests, which
still have not received an acknowledgment from the connecting client.
Default value is 1024 for systems with more than 128Mb of memory,
and 128 for low memory machines. If the server suffers from overload,
try to increase this number.

tcp_abort_on_overflow - BOOLEAN
If listening service is too slow to accept new connections,
reset them. Default state is FALSE. It means that if overflow
occurred due to a burst, connection will recover. Enable this
option _only_ if you are really sure that listening daemon
cannot be tuned to accept connections faster. Enabling this
option can harm clients of your server.

We'd better leave this one unset.

In the end, after setting net.ipv4.tcp_max_syn_backlog = 819200, the syncookie warning no longer appeared.

The running value can be read and written at /proc/sys/net/ipv4/tcp_max_syn_backlog.
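As an added example (this is not code from the original post), the following POSIX shell script carries out the triage the post describes: it tallies the warning per port from kernel log text, reads the sysctls discussed above, and, when run with the argument `live`, also prints the current number of half-open (SYN-RECV) connections and the listen queues. The function names, the `live` argument and the directory-root parameter are this example's own choices. net.core.somaxconn is included as an assumption worth checking because the listen() backlog, which somaxconn caps, also bounds how many half-open connections a socket may hold, so raising tcp_max_syn_backlog alone may not make the warning go away.

```shell
#!/bin/sh
# Added example, not code from the original post: triage helpers for the
# "possible SYN flooding on port N. Sending cookies" warning. Function names
# and the "live" argument are this example's own choices.

# Tally the warning per port from kernel log text on stdin (dmesg, journalctl -k,
# or a saved copy of /var/log/messages). Output: "<port> <count>" lines, most
# frequent port first. Case-insensitive because newer kernels print "Possible".
count_synflood_warnings() {
    grep -io 'possible syn flooding on port [0-9]*' |
        awk '{ c[$NF]++ } END { for (p in c) printf "%s %d\n", p, c[p] }' |
        sort -k2,2nr -k1,1n
}

# Print the sysctls the post discusses, read as files below $1 (default
# /proc/sys, i.e. the live kernel; pass a copied directory tree to inspect a
# snapshot). net.core.somaxconn is added because the listen() backlog, which
# somaxconn caps, also bounds the number of half-open connections per socket.
syn_backlog_settings() {
    root=${1:-/proc/sys}
    for key in net/ipv4/tcp_syncookies net/ipv4/tcp_max_syn_backlog \
               net/ipv4/tcp_synack_retries net/ipv4/tcp_abort_on_overflow \
               net/core/somaxconn net/core/netdev_max_backlog; do
        name=$(printf '%s' "$key" | tr / .)
        if [ -r "$root/$key" ]; then
            printf '%s = %s\n' "$name" "$(cat "$root/$key")"
        else
            printf '%s = (not available)\n' "$name"
        fi
    done
}

# Live triage, only when invoked as `sh synflood_triage.sh live`:
# warnings per port, current settings, half-open connections and listen queues.
# In `ss -ltn` output, Recv-Q is the current accept-queue length of a listening
# socket and Send-Q its maximum; a Recv-Q close to Send-Q means the application
# is not calling accept() fast enough, which is the overload case the post describes.
if [ "${1:-}" = live ]; then
    echo "== SYN flood warnings per port =="
    dmesg 2>/dev/null | count_synflood_warnings
    echo "== current settings =="
    syn_backlog_settings
    echo "== half-open (SYN-RECV) connections =="
    ss -tn state syn-recv 2>/dev/null | sed 1d | wc -l
    echo "== listen queues =="
    ss -ltn 2>/dev/null
fi
```

Two cautions on the values the post uses: net.ipv4.tcp_syn_retries only affects connections this host initiates, so it does nothing for the incoming backlog, and tcp_synack_retries = 1 means a client on a lossy path gets a single SYN-ACK retransmission before its half-open entry is dropped. Once a value has been settled on, persist it in a file under /etc/sysctl.d/ and apply it with `sysctl --system` rather than writing /proc/sys by hand.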

This article is reposted from 南非波波's 51CTO blog; original link: http://blog.51cto.com/nanfeibobo/1719323. To republish it, please contact the original author.
