possible SYN flooding on port 3690. Sending cookies(转)
possible SYN flooding on port 3690. Sending cookies 开了syncookie之后经常会看到这个报警信息“possible SYN flooding on port 3690. Sending cookies”
首先我们看看sysctl.txt对syncookie选项的注释:
tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common ’syn flood attack’
Default: FALSE
Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
如果系统资源还没问题的话,应该多数不是受到syn flood,而是并发连接过多。
上面的说明建议我们修改tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.core.netdev_max_backlog = 1000
net.core.netdev_max_backlog = 300000 # number of unprocessed input packets before kernel starts dropping them, default 300
tcp_max_syn_backlog - INTEGER
Maximal number of remembered connection requests, which are
still did not receive an acknowledgment from connecting client.
Default value is 1024 for systems with more than 128Mb of memory,
and 128 for low memory machines. If server suffers of overload,
try to increase this number.
tcp_abort_on_overflow - BOOLEAN
If listening service is too slow to accept new connections,
reset them. Default state is FALSE. It means that if overflow
occurred due to a burst, connection will recover. Enable this
option _only_ if you are really sure that listening daemon
cannot be tuned to accept connections faster. Enabling this
option can harm clients of your server. 这个我们还是别设置了。
最后,设置了net.ipv4.tcp_max_syn_backlog = 819200之后,没有报那个syncookie警告了。
/proc/sys/net/ipv4/tcp_max_syn_backlog
