详解Linux系统如何防止TCP洪水攻击
<div class="jb51code"><div>
<div class="syntaxhighlighterbash" id="highlighter_366140">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
<div class="line number17 index16 alt2">
17</div>
<div class="line number18 index17 alt1">
18</div>
<div class="line number19 index18 alt2">
19</div>
<div class="line number20 index19 alt1">
20</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash comments">#最关键参数,默认为5,修改为0 表示不要重发</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">net.ipv4.tcp_synack_retries = 0</code>
</div>
<div class="line number3 index2 alt2">
<code class="bash comments">#半连接队列长度</code>
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">net.ipv4.tcp_max_syn_backlog = 200000</code>
</div>
<div class="line number5 index4 alt2">
</div>
<div class="line number6 index5 alt1">
<code class="bash comments">#系统允许的文件句柄的最大数目,因为连接需要占用文件句柄</code>
</div>
<div class="line number7 index6 alt2">
<code class="bash plain">fs.</code><code class="bash functions">file</code><code class="bash plain">-max = 819200</code>
</div>
<div class="line number8 index7 alt1">
<code class="bash comments">#用来应对突发的大并发connect 请求</code>
</div>
<div class="line number9 index8 alt2">
<code class="bash plain">net.core.somaxconn = 65536</code>
</div>
<div class="line number10 index9 alt1">
<code class="bash comments">#最大的TCP 数据接收缓冲(字节)</code>
</div>
<div class="line number11 index10 alt2">
<code class="bash plain">net.core.rmem_max = 1024123000</code>
</div>
<div class="line number12 index11 alt1">
</div>
<div class="line number13 index12 alt2">
<code class="bash comments">#最大的TCP 数据发送缓冲(字节)</code>
</div>
<div class="line number14 index13 alt1">
<code class="bash plain">net.core.wmem_max = 16777216</code>
</div>
<div class="line number15 index14 alt2">
<code class="bash comments">#网络设备接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目</code>
</div>
<div class="line number16 index15 alt1">
<code class="bash plain">net.core.netdev_max_backlog = 165536</code>
</div>
<div class="line number17 index16 alt2">
<code class="bash comments">#本机主动连接其他机器时的端口分配范围</code>
</div>
<div class="line number18 index17 alt1">
<code class="bash plain">net.ipv4.ip_local_port_range = 10000 65535</code>
</div>
<div class="line number19 index18 alt2">
</div>
<div class="line number20 index19 alt1">
<code class="bash comments"># ……省略其它……</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
注意,以下参数面对外网时,不要打开。因为副作用很明显,具体原因请google,如果已打开请显式改为0,然后执行sysctl -p关闭。因为经过试验,大量TIME_WAIT状态的连接对系统没太大影响:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_881353">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash comments">#当出现 半连接 队列溢出时向对方发送syncookies,调大 半连接 队列后没必要</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">net.ipv4.tcp_syncookies = 0</code>
</div>
<div class="line number3 index2 alt2">
<code class="bash comments">#TIME_WAIT状态的连接重用功能</code>
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">net.ipv4.tcp_tw_reuse = 0</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash comments">#时间戳选项,与前面net.ipv4.tcp_tw_reuse参数配合</code>
</div>
<div class="line number6 index5 alt1">
<code class="bash plain">net.ipv4.tcp_timestamps = 0</code>
</div>
<div class="line number7 index6 alt2">
<code class="bash comments">#TIME_WAIT状态的连接回收功能</code>
</div>
<div class="line number8 index7 alt1">
<code class="bash plain">net.ipv4.tcp_tw_recycle = 0</code>
</div>
<div class="line number9 index8 alt2">
<code class="bash comments">#当出现 半连接 队列溢出时向对方发送syncookies,调大 半连接 队列后没必要</code>
</div>
<div class="line number10 index9 alt1">
<code class="bash plain">net.ipv4.tcp_syncookies = 0</code>
</div>
<div class="line number11 index10 alt2">
<code class="bash comments">#TIME_WAIT状态的连接重用功能</code>
</div>
<div class="line number12 index11 alt1">
<code class="bash plain">net.ipv4.tcp_tw_reuse = 0</code>
</div>
<div class="line number13 index12 alt2">
<code class="bash comments">#时间戳选项,与前面net.ipv4.tcp_tw_reuse参数配合</code>
</div>
<div class="line number14 index13 alt1">
<code class="bash plain">net.ipv4.tcp_timestamps = 0</code>
</div>
<div class="line number15 index14 alt2">
<code class="bash comments">#TIME_WAIT状态的连接回收功能</code>
</div>
<div class="line number16 index15 alt1">
<code class="bash plain">net.ipv4.tcp_tw_recycle = 0</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
为了处理大量连接,还需改大另一个参数:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_474760">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash comments"># vi /etc/security/limits.conf</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
在底下添加一行表示允许每个用户都最大可打开409600个文件句柄(包括连接):</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_622804">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">* – nofile 409600</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持。</p>
<p>
原文链接:https://segmentfault.com/a/1190000009472135?utm_source=tuicool&utm_medium=referral</p>
頁:
[1]