Collection of TCP SYN Flood Solutions for DDOS

2025-01-17 Update. From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)06/01 Report--

TCP SYN Flood is a common and effective remote denial-of-service (DoS) attack. It abuses the TCP three-way handshake so that normal connections cannot be established, ties up and exhausts system resources, and leaves the host that provides TCP services unable to work properly.

I. How to identify it

1. The server cannot provide normal TCP service: connection requests are rejected or time out.

2. Inspect the connection table with netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}' and find a large number of connections in the SYN_RECV state.

If the server's connection table shows an abnormal number of SYN_RECV entries and access to the server's web pages is very slow or times out, the preliminary conclusion is a SYN flood (SYN_RECV) attack.
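The netstat check above turned into reusable triage helpers, as an added example that is not part of the original article. The netstat output below is constructed for the example (two normal connections and six half-open ones, four from the same source); the 100-connection default threshold in syn_flood_suspected is an assumption to tune per host, since the article gives no figure.

```shell
#!/bin/sh
# Added example: triage helpers for the netstat check in the article.
# SAMPLE_NETSTAT is constructed (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.11:51001        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:40004       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:3000       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:3001       SYN_RECV
udp        0      0 10.0.0.5:123            192.0.2.1:123           ESTABLISHED'

# Per-state counts: the article's awk one-liner, with sorted "STATE COUNT" output.
# All helpers read `netstat -n` output on stdin.
tcp_state_counts() {
    awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}' | sort
}

# Number of half-open (SYN_RECV) connections.
syn_recv_count() {
    awk '/^tcp/ && $NF == "SYN_RECV" {n++} END {print n + 0}'
}

# Sources holding the most half-open connections as "COUNT ADDRESS", top N
# (default 5). The port is stripped so that one source is counted once.
top_syn_recv_sources() {
    awk '/^tcp/ && $NF == "SYN_RECV" {sub(/:[^:]*$/, "", $5); ++S[$5]}
         END {for (a in S) print S[a], a}' | sort -rn | head -n "${1:-5}"
}

# Verdict: exit 0 when the SYN_RECV count reaches THRESHOLD (default 100).
# The threshold is an assumption; pick one from the host's normal baseline.
syn_flood_suspected() {
    [ "$(syn_recv_count)" -ge "${1:-100}" ]
}

# Stand-alone run: analyse the constructed sample (replace with `netstat -n`).
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | top_syn_recv_sources 3
if printf '%s\n' "$SAMPLE_NETSTAT" | syn_flood_suspected 5; then
    echo "SYN flood suspected"
else
    echo "SYN_RECV count within threshold"
fi
```

On a live host, source the file and pipe `netstat -n` into the same functions; the per-source listing is what tells a flood with spoofed, scattered sources apart from one misbehaving client, and it is also the input for the firewall step later in the article.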

II. Solutions

1. Increase the maximum length of the half-open (incomplete) connection queue (Q0).

echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

2. Enable SYN cookies.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

These are passive measures that treat the symptom rather than the root cause, and they add load on the server, but they keep connections from being rejected outright (service only slows down).

Addressing the root cause means handling the flood at the firewall, but firewalls that offer some protection against SYN flood attacks are not cheap. To make the settings above survive a reboot, add the echo commands to the /etc/rc.d/rc.local file.
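The two kernel settings above, wrapped in check, persist and apply helpers, as an added example that is not part of the original article. PROC_ROOT, the 1280 and 1 target values taken from the article, the DRY_RUN switch and the sysctl.d drop-in (an alternative to the rc.local lines the article suggests) are the example's own choices.

```shell
#!/bin/sh
# Added example around the two /proc settings from the article. PROC_ROOT defaults
# to /proc but can point at a copied tree, so the checks run even without Linux /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"
WANT_BACKLOG=1280   # value used in the article
WANT_SYNCOOKIES=1   # value used in the article

# Read one ipv4 knob; print "missing" when the file is absent.
read_ipv4_knob() {
    cat "$PROC_ROOT/sys/net/ipv4/$1" 2>/dev/null || echo missing
}

# One-line status of the settings the article tunes.
syn_sysctl_status() {
    printf 'tcp_max_syn_backlog=%s tcp_syncookies=%s\n' \
        "$(read_ipv4_knob tcp_max_syn_backlog)" "$(read_ipv4_knob tcp_syncookies)"
}

# Exit 0 when both knobs meet the article's values, 1 otherwise (including "missing").
syn_sysctl_ok() {
    backlog=$(read_ipv4_knob tcp_max_syn_backlog)
    cookies=$(read_ipv4_knob tcp_syncookies)
    case "$backlog$cookies" in *[!0-9]*) return 1 ;; esac
    [ "$backlog" -ge "$WANT_BACKLOG" ] && [ "$cookies" -eq "$WANT_SYNCOOKIES" ]
}

# Persistent form: the article puts echo lines in /etc/rc.d/rc.local; on systems
# with sysctl.d, this drop-in (printed, not written) does the same job.
syn_sysctl_conf() {
    cat <<EOF
# SYN flood hardening
net.ipv4.tcp_max_syn_backlog = $WANT_BACKLOG
net.ipv4.tcp_syncookies = $WANT_SYNCOOKIES
EOF
}

# Apply the article's two echo commands. Writing needs root; DRY_RUN=1 (the
# default) prints the commands instead of running them.
syn_sysctl_apply() {
    for pair in "tcp_max_syn_backlog $WANT_BACKLOG" "tcp_syncookies $WANT_SYNCOOKIES"; do
        set -- $pair
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "echo $2 > $PROC_ROOT/sys/net/ipv4/$1"
        else
            echo "$2" > "$PROC_ROOT/sys/net/ipv4/$1"
        fi
    done
}

# Stand-alone run: report, judge, and print what would be applied.
syn_sysctl_status
if syn_sysctl_ok; then echo "settings meet the article's values"; else echo "settings need attention"; fi
syn_sysctl_apply
```

syn_sysctl_ok treats a missing file as a failure rather than a pass, so the check cannot report a host as hardened when it simply is not Linux or /proc is not mounted.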

For an explanation of the configuration files under /proc/sys/net/ipv4, refer to the LinuxAid technology site article; the full text of this article can also be consulted.

For syn cookies, see http://cr.yp.to/syncookies.html

Using mod_limitipconn.c to limit the number of concurrent connections to Apache may also help.

3. iptables settings (quoted from CU)

Prevent SYN packet flooding (SYN Flood):

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Some people write:

# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

--limit 1/s limits SYN packets to one per second; modify it according to your own needs.

Prevent various port scans:

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping flood attacks (Ping of Death):

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
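The three rate-limit rules quoted above assembled into a complete ruleset, as an added example that is not part of the original article or of the CU post. A rate-limited ACCEPT on its own changes nothing while the chain policy still accepts the excess, so each helper here sends the matching traffic to its own chain, where packets within the limit RETURN to normal processing and the rest are dropped. The chain names SYN_FLOOD, PORT_SCAN and PING_FLOOD, the IPT variable, the --limit-burst values and the INPUT default are the example's own choices; the rates and matches are the article's.

```shell
#!/bin/sh
# Added example: the article's limit rules as a complete, reviewable ruleset.
# IPT defaults to "echo iptables", so running this only prints the commands;
# IPT=iptables (as root) applies them.
IPT="${IPT:-echo iptables}"

# A dedicated chain: within the rate, RETURN to the calling chain; beyond it, DROP.
# Without the DROP, the rate-limited ACCEPT the article quotes has no effect.
rate_limited_chain() {
    chain="$1"; rate="$2"; burst="$3"
    $IPT -N "$chain"
    $IPT -A "$chain" -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
    $IPT -A "$chain" -j DROP
}

# TCP SYN flood: new connection attempts (--syn). Base chain is INPUT for the host
# itself or FORWARD for a router, the two variants the article shows.
syn_flood_rules() {
    base="${1:-INPUT}"; rate="${2:-1/s}"; burst="${3:-4}"
    rate_limited_chain SYN_FLOOD "$rate" "$burst"
    $IPT -A "$base" -p tcp --syn -j SYN_FLOOD
}

# Port scans: the article's flag test matches packets that carry RST but none of
# SYN, ACK or FIN, i.e. the bare RST responses a scan produces in volume.
port_scan_rules() {
    base="${1:-INPUT}"; rate="${2:-1/s}"; burst="${3:-4}"
    rate_limited_chain PORT_SCAN "$rate" "$burst"
    $IPT -A "$base" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCAN
}

# ICMP echo-request floods.
ping_flood_rules() {
    base="${1:-INPUT}"; rate="${2:-1/s}"; burst="${3:-4}"
    rate_limited_chain PING_FLOOD "$rate" "$burst"
    $IPT -A "$base" -p icmp --icmp-type echo-request -j PING_FLOOD
}

# Stand-alone run: print the full set for the INPUT chain at the article's rate.
syn_flood_rules INPUT 1/s 4
port_scan_rules INPUT 1/s 4
ping_flood_rules INPUT 1/s 4
```

Keep the article's warning in mind when choosing the rate: the limit match counts all matching packets together, so 1/s on a busy web server throttles legitimate clients as well as the flood. Raising the rate and burst, or moving to a per-source limit (the hashlimit match), is the usual next step once the baseline from the netstat check is known.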

From Baidu encyclopedia
