possible SYN flooding on port 3690. Sending cookies

After enabling syncookies you will often see this warning in the kernel log: "possible SYN flooding on port 3690. Sending cookies".

First, look at what sysctl.txt (the kernel's networking sysctl documentation) says about the syncookies option:

    tcp_syncookies - BOOLEAN
        Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
        Send out syncookies when the syn backlog queue of a socket
        overflows. This is to prevent against the common 'syn flood attack'
        Default: FALSE

        Note, that syncookies is fallback facility.
        It MUST NOT be used to help highly loaded servers to stand
        against legal connection rate. If you see synflood warnings
        in your logs, but investigation shows that they occur
        because of overload with legal connections, you should tune
        another parameters until this warning disappear.

        See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

So if the system is not short of resources, the cause is in most cases not a SYN flood but simply too many concurrent connections: the SYN backlog fills up with legitimate handshakes, the kernel falls back to cookies, and the warning is logged. The documentation above suggests tuning tcp_max_syn_backlog, tcp_synack_retries and tcp_abort_on_overflow. The settings we used:

    net.ipv4.tcp_max_syn_backlog = 20480
    net.ipv4.tcp_synack_retries = 1
    net.ipv4.tcp_syn_retries = 1
    net.core.netdev_max_backlog = 1000
    net.core.netdev_max_backlog = 300000  # number of unprocessed input packets before kernel starts dropping them, default 300

(net.core.netdev_max_backlog appears twice in this list; when both lines are loaded, the later assignment wins.)

The documentation for the two parameters involved:

    tcp_max_syn_backlog - INTEGER
        Maximal number of remembered connection requests, which are
        still did not receive an acknowledgment from connecting client.
        Default value is 1024 for systems with more than 128Mb of memory,
        and 128 for low memory machines. If server suffers of overload,
        try to increase this number.

    tcp_abort_on_overflow - BOOLEAN
        If listening service is too slow to accept new connections,
        reset them. Default state is FALSE. It means that if overflow
        occurred due to a burst, connection will recover. Enable this
        option _only_ if you are really sure that listening daemon
        cannot be tuned to accept connections faster. Enabling this
        option can harm clients of your server.

We had better leave this last one, tcp_abort_on_overflow, alone.

Finally, after setting net.ipv4.tcp_max_syn_backlog = 819200, the syncookie warning no longer appeared. The value currently in effect can be read from /proc/sys/net/ipv4/tcp_max_syn_backlog.
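The documentation quoted above asks you to investigate whether the warning comes from a real flood or from overload with legitimate connections before touching tcp_max_syn_backlog. The script below is an added example, not part of the original post: it compares half-open (SYN-RECV) and established sockets on the port named in the warning, using the column layout `ss -tan` prints (State, Recv-Q, Send-Q, local address, peer address). The two embedded `ss` samples are constructed, and the "established dominates half-open" rule in `classify` is an illustrative heuristic, not a kernel definition. With `--live` it runs the same check against the host it is executed on.

```shell
#!/bin/sh
# Added example (not from the original post): triage a
# "possible SYN flooding on port N. Sending cookies" warning by comparing
# half-open (SYN-RECV) and established sockets on that port in `ss -tan`
# output. The classification rule below is an assumption for illustration.

# Constructed `ss -tan` sample: a busy but legitimate listener on port 3690,
# many established sockets and a few half-open ones from a single peer.
SAMPLE_OVERLOAD='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:3690         0.0.0.0:*
SYN-RECV  0      0      10.0.0.5:3690        198.51.100.7:40123
SYN-RECV  0      0      10.0.0.5:3690        198.51.100.7:40124
ESTAB     0      0      10.0.0.5:3690        198.51.100.7:51000
ESTAB     0      0      10.0.0.5:3690        198.51.100.8:51001
ESTAB     0      0      10.0.0.5:3690        198.51.100.9:51002
ESTAB     0      0      10.0.0.5:3690        198.51.100.10:51003
ESTAB     0      0      10.0.0.5:22          198.51.100.11:52000'

# Constructed `ss -tan` sample: half-open sockets from many distinct peers
# that never finish the handshake, and almost nothing established.
SAMPLE_FLOOD='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:3690         0.0.0.0:*
SYN-RECV  0      0      10.0.0.5:3690        203.0.113.10:40123
SYN-RECV  0      0      10.0.0.5:3690        203.0.113.11:40124
SYN-RECV  0      0      10.0.0.5:3690        203.0.113.12:40125
SYN-RECV  0      0      10.0.0.5:3690        203.0.113.13:40126
SYN-RECV  0      0      10.0.0.5:3690        203.0.113.14:40127
ESTAB     0      0      10.0.0.5:3690        198.51.100.7:51000'

# count_state STATE PORT SS_OUTPUT: number of sockets in STATE whose local
# port is PORT (the header row never matches a state name).
count_state() {
    printf '%s\n' "$3" | awk -v st="$1" -v p="$2" \
        '$1 == st && $4 ~ (":" p "$") { n++ } END { print n + 0 }'
}

# distinct_peers STATE PORT SS_OUTPUT: number of different peer addresses
# (port stripped) holding sockets in STATE on the local PORT.
distinct_peers() {
    printf '%s\n' "$3" | awk -v st="$1" -v p="$2" \
        '$1 == st && $4 ~ (":" p "$") { sub(/:[^:]*$/, "", $5); seen[$5] = 1 }
         END { n = 0; for (k in seen) n++; print n }'
}

# classify PORT SS_OUTPUT: "overload" when established connections dominate
# half-open ones (the situation the post describes: raise tcp_max_syn_backlog
# and make the daemon accept faster), "suspect-flood" when half-open sockets
# from many distinct peers outnumber established ones.
classify() {
    syn=$(count_state SYN-RECV "$1" "$2")
    est=$(count_state ESTAB "$1" "$2")
    peers=$(distinct_peers SYN-RECV "$1" "$2")
    if [ "$syn" -gt "$est" ] && [ "$peers" -ge "$syn" ]; then
        echo suspect-flood
    else
        echo overload
    fi
}

# live_report PORT: the same check against the running host, plus the sysctl
# values involved and the kernel log line that triggered the investigation.
live_report() {
    sysctl -n net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog \
              net.ipv4.tcp_synack_retries net.core.somaxconn 2>/dev/null
    ss_out=$(ss -tan) || return 1
    echo "syn-recv=$(count_state SYN-RECV "$1" "$ss_out") estab=$(count_state ESTAB "$1" "$ss_out")"
    echo "verdict=$(classify "$1" "$ss_out")"
    dmesg 2>/dev/null | grep "possible SYN flooding on port $1" || true
}

# Usage: `sh syn_triage.sh --live [PORT]` checks this host (port defaults to
# 3690); with no arguments it evaluates the two constructed samples.
if [ "${1:-}" = "--live" ]; then
    live_report "${2:-3690}"
else
    echo "overload sample: $(classify 3690 "$SAMPLE_OVERLOAD")"
    echo "flood sample:    $(classify 3690 "$SAMPLE_FLOOD")"
fi
```

The live report also prints net.core.somaxconn because the listener's own listen() backlog, which somaxconn caps, bounds how many pending requests a single socket can hold; raising net.ipv4.tcp_max_syn_backlog alone does not help a daemon that asked for a backlog of 128. When the verdict is "overload", the tuning in the post applies; when it is "suspect-flood", keep syncookies on and look at the traffic rather than the backlog size.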