http://baheyeldin.com/technology/linux/detecting-and-preventing-syn-flood-attacks-web-servers-running-linux.html
Diagnosis
When you look at netstat's output, you find a large number of connections stuck in the SYN_RECV state (half-open: the SYN+ACK has gone out and the final ACK never came back):
netstat -tuna | grep :80 | grep SYN_RECV
The output will look like this:
tcp 0 0 1.1.1.1:80 70.56.83.204:1609 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1723 SYN_RECV
tcp 0 0 1.1.1.1:80 209.112.192.126:4988 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1724 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1727 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1733 SYN_RECV
tcp 0 0 1.1.1.1:80 24.158.121.0:3337 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1753 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1811 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1821 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1831 SYN_RECV
tcp 0 0 1.1.1.1:80 24.7.27.61:52142 SYN_RECV
tcp 0 0 1.1.1.1:80 207.118.0.58:50819 SYN_RECV
tcp 0 0 1.1.1.1:80 115.64.40.38:52865 SYN_RECV
You will see many of these from the same few addresses. Do not bother tracing who owns an address: the source address of a SYN is trivially forged, and a flood is almost certainly using spoofed addresses.
Solution
So, how do you solve this?
The solution varies, but the best one is to enable SYN cookies on your load balancer or the server itself.
To enable that on a current Linux kernel, you enter the following command:
sysctl -w net.ipv4.tcp_syncookies=1
And then add the following line to the /etc/sysctl.conf file to make it persist across reboots:
net.ipv4.tcp_syncookies = 1
SYN cookies only kick in once the SYN backlog overflows, so they cost nothing under normal load; when they do kick in the kernel logs a line like "Possible SYN flooding on port 80. Sending cookies." in dmesg, which is a useful confirmation that you are looking at a flood and not a broken application.
You may optionally want to increase the size of the SYN backlog queue as well, from its default (1024 on a typical machine of the time; the exact default depends on kernel version and memory) to 2048, using the following command:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
And you add this to /etc/sysctl.conf:
net.ipv4.tcp_max_syn_backlog = 2048
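As an added example (not code from the original post), the diagnosis and fix above as a small shell script: it counts half-open connections to port 80 per source address from netstat-style output and wraps the sysctl checks and the runtime enablement. The sample lines embedded in it are constructed from the output shape shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise half-open
# connections to port 80 from `netstat -tan` style output and show the
# SYN-cookie checks. SAMPLE is constructed input in that output shape.

SAMPLE='tcp 0 0 1.1.1.1:80 70.56.83.204:1609 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1723 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1724 SYN_RECV
tcp 0 0 1.1.1.1:80 209.112.192.126:4988 SYN_RECV
tcp 0 0 1.1.1.1:80 2.2.2.2:1727 SYN_RECV
tcp 0 0 1.1.1.1:80 198.51.100.7:40012 ESTABLISHED
tcp 0 0 1.1.1.1:80 24.7.27.61:52142 SYN_RECV'

# netstat fields: Proto Recv-Q Send-Q Local Foreign State.
# Total half-open connections to local port 80 (input on stdin).
count_syn_recv() {
    awk '$4 ~ /:80$/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Per-source counts, highest first, as "count address" (IPv4 only:
# the split on ":" separates the address from the port).
top_syn_sources() {
    awk '$4 ~ /:80$/ && $6 == "SYN_RECV" {
            split($5, a, ":"); c[a[1]]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Current kernel settings plus the kernel's own flood notice; readable
# without root.
show_syn_settings() {
    sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog 2>/dev/null
    dmesg 2>/dev/null | grep -i "SYN flooding" | tail -n 3
}

# Runtime mitigation (root). Persist the same two keys in
# /etc/sysctl.conf as described in the text.
enable_syn_cookies() {
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=2048
}

printf '%s\n' "$SAMPLE" | count_syn_recv     # 6 half-open sockets
printf '%s\n' "$SAMPLE" | top_syn_sources    # 2.2.2.2 leads with 3
```

Run it against live data with `netstat -tan | count_syn_recv`; on newer systems `ss -tan state syn-recv` lists the same sockets as the netstat filter. A single source dominating the count is not evidence of who the attacker is, for the spoofing reason given above; the count itself is what matters.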
==================================================================
http://tech.uc.cn/?p=1790
tcp_synack_retries = 0 is the key setting: after the second handshake packet (SYN+ACK) has been sent to the client IP, if the third packet (the ACK) never arrives, the kernel does not retry, so half-open connections are reclaimed quickly and do not exhaust resources.
sysctl -w net.core.somaxconn=2048
(net.core.somaxconn is the accept-queue limit for listening sockets, separate from the SYN backlog; note that sysctl -w takes key=value with no spaces around the equals sign.)
Side effect of setting tcp_synack_retries to 0: on a very poor network, if the peer never receives the second handshake packet, its connection to the server may fail. Going by past packet captures this is rare, but to be safe the setting can be applied only temporarily while a TCP flood is under way. tcp_synack_retries can be set to 0 at all because the client has its own tcp_syn_retries parameter (default 5): even if the server never retransmits the SYN+ACK, the client retransmits its SYN and the server answers that new SYN.
# vi /etc/sysctl.conf
Apply the configuration:
# sysctl -p
==============================
http://rhomobi.com/topics/47
2. Next, SYN-ACK retransmission: when the server sends SYN+ACK to the client and gets no response, it retransmits, then retransmits again, and so on. The parameter controlling the number of retransmissions is
tcp_synack_retries
The corresponding file is /proc/sys/net/ipv4/tcp_synack_retries; the default is 5, which the kernel documentation of the time describes as roughly 180 seconds (with the 1-second initial RTO and exponential backoff that current kernels use, five retransmissions give up after about 63 seconds).
[root@web ~]# cat /proc/sys/net/ipv4/tcp_synack_retries
5
The kernel documentation's English description of tcp_synack_retries:
The maximum number of times a SYN/ACK segment for a passive TCP connection will be retransmitted. This number should not be higher than 255. The default value is 5.
Note: the corresponding client-side parameter is:
tcp_syn_retries
The maximum number of times initial SYNs for an active TCP connection attempt will be retransmitted. This value should not be higher than 255. The default value is 5, which corresponds to approximately 180 seconds.
Typical SYN_RECV troubleshooting
If the server has too many connections in SYN_RECV, you can:
Reduce the number of times the server retransmits SYN+ACK to the client.
Increase the SYN queue length so that new connections can still be answered.
echo "net.ipv4.tcp_max_syn_backlog = 4096" >>/etc/sysctl.conf
echo "net.ipv4.tcp_synack_retries = 1" >>/etc/sysctl.conf
sysctl -p
When under a SYN attack, enable SYN cookies (enabled by default on this distribution; /etc/sysctl.conf already carries the setting):
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
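The `echo ... >> /etc/sysctl.conf` steps here, like the temporary tcp_synack_retries change under the tech.uc.cn notes above, edit /etc/sysctl.conf; appending blindly leaves a duplicate key behind every time the procedure is repeated, and sysctl then silently takes the last one. As an added example, not from either post, here is an idempotent setter exercised on a scratch copy of such a file. set_sysctl_conf, get_sysctl_conf and apply_flood_profile are names invented for this example; the profile values are the ones the text above recommends.

```shell
#!/bin/sh
# Added example, not from the original posts. Maintain SYN-flood related
# keys in a sysctl.conf-style file without creating duplicate lines.
# The file path is a parameter so the functions work on a scratch file.

# set_sysctl_conf KEY VALUE FILE: rewrite the first active "KEY = ..."
# line, drop any later duplicates of KEY, or append if KEY is absent.
# Commented-out lines are left untouched.
set_sysctl_conf() {
    key=$1; value=$2; file=$3
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) { print; next }      # comments and blanks pass through
            split(line, kv, /[ \t]*=[ \t]*/)
            if (kv[1] == k) {
                if (!done) { print k " = " v; done = 1 }   # first occurrence rewritten
                next                                        # later duplicates dropped
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sysctl_conf KEY FILE: the effective value, i.e. the last active one.
get_sysctl_conf() {
    awk -v k="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^(#|$)/ { next }
        {
            n = split(line, kv, /[ \t]*=[ \t]*/)
            if (n >= 2 && kv[1] == k) { val = kv[2]; sub(/[ \t]+$/, "", val) }
        }
        END { if (val != "") print val }
    ' "$2"
}

# Profile from the text: cookies on, larger SYN backlog, SYN+ACK
# retransmitted once instead of five times. As root, on the real file:
#   apply_flood_profile /etc/sysctl.conf && sysctl -p
apply_flood_profile() {
    set_sysctl_conf net.ipv4.tcp_syncookies      1    "$1"
    set_sysctl_conf net.ipv4.tcp_max_syn_backlog 4096 "$1"
    set_sysctl_conf net.ipv4.tcp_synack_retries  1    "$1"
}

# Constructed scratch file: a stock comment, one key already set, and a
# duplicate key as left behind by repeated `echo >>` runs.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_syn_backlog = 2048
EOF
apply_flood_profile "$demo"
apply_flood_profile "$demo"      # second run must change nothing
cat "$demo"
```

After both runs the scratch file holds each key exactly once, with the backlog at 4096 and synack_retries at 1, and the comment line is preserved. Reverting after the flood is the same call with the normal values, which is what makes the "enable only while under attack" advice above practical to follow.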
TCP four-way close
Next, the TCP/IP connection teardown (often loosely called the "fourth handshake"), looking at the active-close and passive-close sides.
A: If the CLIENT actively tears down the current connection, closing the TCP connection takes four packets in total:
Client ---> FIN(M) ---> Server
The client sends a FIN to the server (telling it the game is over); the client moves ESTABLISHED -> FIN_WAIT1.
Client <--- ACK(M+1) <--- Server
The server receives the FIN and replies with an ACK; the server moves ESTABLISHED -> CLOSE_WAIT and may still have data of its own to send.
When the client receives the server's ACK it only changes state, FIN_WAIT1 -> FIN_WAIT2, and keeps waiting for the server to finish sending.
Client <--- FIN(N) <--- Server
The server then sends its own FIN to the client (fine, let's stop); the server moves CLOSE_WAIT -> LAST_ACK and waits for the client's final ACK.
Client ---> ACK(N+1) ---> Server
The client receives the FIN and immediately acknowledges it; the client moves FIN_WAIT2 -> TIME_WAIT [2MSL timeout] -> CLOSED.
The server receives that ACK and moves LAST_ACK -> CLOSED.
[root@ngx32 ~]# sysctl -a|grep tcp_keepalive
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 30
If neither end sends any data, the first probe is sent after half a minute of idleness; further probes follow every 75 seconds, up to 9 probes, after which the connection is dropped. Keepalive only applies to sockets on which the application has set SO_KEEPALIVE; other idle connections are never probed.
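As an added example (not code from the original post), a short check that turns keepalive settings in `sysctl -a` format into the time a silent, dead peer can hold a connection open. KEEPALIVE_SAMPLE reproduces the three values shown above; DEFAULTS holds the kernel's stock values for comparison; dead_peer_seconds is this example's own name.

```shell
#!/bin/sh
# Added example, not from the original post. Compute how long an idle
# connection to a dead peer survives: keepalive_time seconds idle, then
# `probes` probes spaced `intvl` seconds apart. Only sockets with
# SO_KEEPALIVE set are probed at all.

# Values from the page (constructed in sysctl -a output format).
KEEPALIVE_SAMPLE='net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 30'

# Stock kernel defaults: two hours idle before the first probe.
DEFAULTS='net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200'

# dead_peer_seconds: reads "key = value" lines on stdin, prints the
# detection window in seconds, fails if any of the three keys is absent.
dead_peer_seconds() {
    awk -F'[ \t]*=[ \t]*' '
        $1 ~ /tcp_keepalive_time$/   { t = $2 }
        $1 ~ /tcp_keepalive_intvl$/  { i = $2 }
        $1 ~ /tcp_keepalive_probes$/ { p = $2 }
        END {
            if (t == "" || i == "" || p == "") {
                print "missing keepalive value" > "/dev/stderr"; exit 1
            }
            print t + i * p
        }'
}

printf '%s\n' "$KEEPALIVE_SAMPLE" | dead_peer_seconds   # 705 with the page's values
printf '%s\n' "$DEFAULTS"         | dead_peer_seconds   # 7875 with stock defaults
```

On a live host run `sysctl -a 2>/dev/null | grep tcp_keepalive | dead_peer_seconds`. The comparison is the point: with the page's settings a dead client is cleared in under twelve minutes, while with stock defaults it occupies the socket for over two hours, which is what an attacker holding connections open without sending data relies on.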
===================================
http://pesen.blog.51cto.com/4575807/1137946
Default sysctl.conf:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.ipv4.tcp_max_syn_backlog = 8192
net.core.somaxconn = 8192
net.core.netdev_max_backlog = 165536
High-concurrency configuration:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.core.rmem_max=33554432
net.core.wmem_max=33554432
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 8192
net.core.netdev_max_backlog = 655350
net.core.somaxconn = 655350
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_mem = 3097431 4129911 6194862
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_keepalive_time = 15
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_slow_start_after_idle = 0
#net.netfilter.nf_conntrack_max = 131070
#net.nf_conntrack_max = 655350
#net.netfilter.nf_conntrack_tcp_timeout_established = 100000
fs.file-max = 655350
A few of these settings deserve care before copying them. net.ipv4.tcp_tw_recycle = 1 makes the kernel reject SYNs from clients behind a NAT once timestamps are enabled (as they are here), and the option was removed from Linux in 4.12, so leave it at 0 and rely on tcp_tw_reuse. net.core.somaxconn = 655350 exceeds the 16-bit limit that kernels before 5.4 applied to the accept backlog, so on those kernels the value is silently truncated. net.ipv4.tcp_syn_retries = 1 applies to connections the server itself opens, not to incoming ones, and will make outbound connects fail early on lossy links. rmem_max and wmem_max appear twice; sysctl applies the file top to bottom, so the later 67108864 wins.
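As an added example (not code from the original post), a small linter that flags, in a sysctl.conf-style file, the problems a reviewer would raise against the high-concurrency profile above: tcp_tw_recycle enabled, somaxconn beyond the pre-5.4 limit, SYN cookies switched off, and a key set twice with different values. The rules are this example's own, the sample file is constructed from an excerpt of the profile, and lint_sysctl_conf and lint_warning_count are invented names.

```shell
#!/bin/sh
# Added example, not from the original post. Lint a sysctl.conf-style
# file for settings that are dangerous, obsolete, or silently overridden.
# Rules here are assumptions of the example based on the caveats in the
# text: tcp_tw_recycle breaks NAT clients (removed in Linux 4.12),
# somaxconn was capped at 65535 before Linux 5.4, and a repeated key
# takes its last value without any warning from sysctl.

# lint_sysctl_conf FILE: print one "WARN line N: ..." per finding.
lint_sysctl_conf() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^(#|$)/ { next }                       # comments and blanks
        {
            n = split(line, kv, /[ \t]*=[ \t]*/)
            if (n < 2) { printf "WARN line %d: not key = value: %s\n", NR, line; next }
            key = kv[1]; val = kv[2]; sub(/[ \t]+$/, "", val)
            if (key in seen && seen[key] != val)
                printf "WARN line %d: %s set again (was %s, now %s; last one wins)\n", NR, key, seen[key], val
            seen[key] = val
            if (key == "net.ipv4.tcp_tw_recycle" && val == "1")
                printf "WARN line %d: tcp_tw_recycle=1 drops clients behind NAT; removed in Linux 4.12\n", NR
            if (key == "net.core.somaxconn" && val + 0 > 65535)
                printf "WARN line %d: somaxconn=%s exceeds 65535; kernels before 5.4 truncate it\n", NR, val
            if (key == "net.ipv4.tcp_syncookies" && val != "1")
                printf "WARN line %d: tcp_syncookies disabled\n", NR
        }' "$1"
}

# lint_warning_count FILE: number of findings; 0 means clean.
lint_warning_count() {
    lint_sysctl_conf "$1" | grep -c '^WARN'
}

# Constructed sample: an excerpt of the high-concurrency profile above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed excerpt of the high-concurrency profile
net.ipv4.tcp_syncookies = 1
net.core.rmem_max=33554432
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.core.somaxconn = 655350
net.core.rmem_max = 67108864
net.ipv4.tcp_syncookies = 1
EOF
lint_sysctl_conf "$demo"    # three findings: tw_recycle, somaxconn, rmem_max repeated
```

Run it as `lint_sysctl_conf /etc/sysctl.conf` before `sysctl -p`; the repeated tcp_syncookies line is deliberately not reported, since a duplicate with the same value changes nothing.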