
possible SYN flooding on port 80. Sending cookies

Date: 2009-05-04  Source: hairui8991

After enabling syncookies you will often see this warning in the kernel log: "possible SYN flooding on port 80. Sending cookies"

First, let's look at the comment on the syncookies option in sysctl.txt:

tcp_syncookies - BOOLEAN
        Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
        Send out syncookies when the syn backlog queue of a socket
        overflows. This is to prevent against the common 'syn flood attack'
        Default: FALSE

        Note, that syncookies is fallback facility.
        It MUST NOT be used to help highly loaded servers to stand
        against legal connection rate. If you see synflood warnings
        in your logs, but investigation shows that they occur
        because of overload with legal connections, you should tune
        another parameters until this warning disappear.
        See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

If system resources are otherwise fine, this is usually not a SYN flood at all, but simply too many concurrent connections.

The note above suggests tuning tcp_max_syn_backlog, tcp_synack_retries and tcp_abort_on_overflow.

net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.core.netdev_max_backlog = 1000

net.core.netdev_max_backlog = 300000 # number of unprocessed input packets before kernel starts dropping them, default 300

tcp_max_syn_backlog - INTEGER
        Maximal number of remembered connection requests, which are
        still did not receive an acknowledgment from connecting client.
        Default value is 1024 for systems with more than 128Mb of memory,
        and 128 for low memory machines. If server suffers of overload,
        try to increase this number.

tcp_abort_on_overflow - BOOLEAN
        If listening service is too slow to accept new connections,
        reset them. Default state is FALSE. It means that if overflow
        occurred due to a burst, connection will recover. Enable this
        option _only_ if you are really sure that listening daemon
        cannot be tuned to accept connections faster. Enabling this
        option can harm clients of your server.

We'd better not set this one.

Finally, after setting net.ipv4.tcp_max_syn_backlog = 819200, the syncookie warning stopped appearing.
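As an added example (not part of the original post), here is a small POSIX sh triage script for telling the two cases apart before touching sysctl values. It counts the warning per port from kernel log text, summarises socket states for one local port from `ss -tan` output, and reports whether the pressure is on the SYN backlog (half-open SYN-RECV sockets, compared against tcp_max_syn_backlog) or on the accept queue (completed handshakes the daemon has not yet accept()ed, which is the "too many legitimate connections" case the post describes). The function names, the 80% thresholds and the `--live` wrapper are my own assumptions, not kernel constants.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for the
# "possible SYN flooding on port N. Sending cookies" warning.
# All functions read stdin or arguments, so they work on saved output
# (dmesg, `ss -tan`) as well as on a live box. The 80% thresholds are
# an assumption chosen for illustration, not a kernel constant.

# Count the warning per port from kernel log text on stdin.
# Output: "<port> <count>" lines, most frequent port first.
syn_warning_ports() {
    grep -o 'possible SYN flooding on port [0-9]*' \
      | awk '{ n[$NF]++ } END { for (p in n) print p, n[p] }' \
      | sort -k2,2nr -k1,1n
}

# Summarise socket states for one local port from `ss -tan` text on stdin.
# For the LISTEN socket, ss reports Recv-Q = current accept-queue length
# and Send-Q = its limit (the listen() backlog).
# Output: "syn_recv=<n> estab=<n> listen_recvq=<n> listen_sendq=<n>"
port_socket_summary() {
    awk -v port="$1" '
        NR == 1 { next }                       # skip the header line
        {
            n = split($4, a, ":")              # local address:port; port is last
            if (a[n] != port) next
            if ($1 == "SYN-RECV")    sr++
            else if ($1 == "ESTAB")  es++
            else if ($1 == "LISTEN") { rq = $2; sq = $3 }
        }
        END { printf "syn_recv=%d estab=%d listen_recvq=%d listen_sendq=%d\n", sr, es, rq, sq }'
}

# Decide where the pressure is for one port.
# Args: syn_recv estab listen_recvq listen_sendq tcp_max_syn_backlog
# Prints: syn-backlog-pressure | accept-queue-pressure | idle
triage_port() {
    sr="$1"; es="$2"; rq="$3"; sq="$4"; msb="$5"
    if [ $((sr * 100)) -ge $((msb * 80)) ]; then
        # half-open connections near tcp_max_syn_backlog: either many SYNs
        # never get their final ACK, or SYN-ACK retries keep them around
        # too long (see tcp_synack_retries)
        echo syn-backlog-pressure
    elif [ "$sq" -gt 0 ] && [ $((rq * 100)) -ge $((sq * 80)) ]; then
        # accept queue nearly full: completed handshakes waiting for the
        # daemon to accept() them, i.e. legitimate overload, not a flood
        echo accept-queue-pressure
    else
        echo idle
    fi
}

# Live run on a Linux host: ./syn_triage.sh --live 80
if [ "${1:-}" = "--live" ]; then
    port="${2:-80}"
    msb=$(sysctl -n net.ipv4.tcp_max_syn_backlog)
    echo "warnings per port:"; dmesg | syn_warning_ports
    summary=$(ss -tan | port_socket_summary "$port")
    echo "port $port: $summary (tcp_max_syn_backlog=$msb)"
    set -- $(printf '%s\n' "$summary" | sed 's/[a-z_]*=//g')
    triage_port "$1" "$2" "$3" "$4" "$msb"
fi
```

If the script reports accept-queue-pressure while SYN-RECV stays far below tcp_max_syn_backlog, the fix is on the daemon side (worker count, listen backlog, accept rate), and raising tcp_max_syn_backlog alone will only silence the warning; if the SYN backlog is what fills up, check how many of those half-open sockets ever complete the handshake before deciding whether it is load or a flood.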
