About SYN

xiaoxiao 2021-03-06

While browsing to one particular page of a site, the connection to port 80 on the server was aborted. Running netstat -anlp showed a record like the following, where the remote IP is mine:

TCP 0 2560 61.152.251.68:80 60.26.156.241:1523 SYN_RECV -

Since the problem occurred only when browsing that page, it was probably a problem with the page itself, but I still saw a few SYN_RECV entries in netstat from time to time, so I searched Google and collected the following notes.

1. If you see a large number of SYN_RECV entries, the likely cause is a SYN flood attack.

The usual countermeasures are as follows:

1. Increase the maximum length of the incomplete-connection queue (Q0):

echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

2. Enable SYN cookies:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

These are passive measures rather than a real cure: they add load on the server, but they keep connections from being refused outright (things just get slow).

The real fix is on the firewall. Modern firewalls can block SYN flood attacks to a certain extent. Add the commands above to the /etc/rc.d/rc.local file so they are applied at every boot.

For an explanation of the configuration files under /proc/sys/net/ipv4, see the Linuxaid technology station articles; this material can also be found by searching for it.

For SYN cookies, see:

http://cr.yp.to/syncookies.html

Limiting Apache connections with mod_limitipconn.c may also help.

In the end I only changed this parameter and added iptables firewall rules, and that solved the problem.

2. What is a TCP SYN flood attack?

Posted: Tuesday, 15 June 2004 @ 01:36:47 Taipei standard time

TCP SYN flood is a common and effective remote denial of service (DoS) attack. By manipulating the connection handshake it creates half-open connections that occupy and consume system resources, so that the host providing TCP services can no longer work properly. Because a TCP SYN flood reaches the server over the network, the attacker can forge the source IP address of the packets, and other devices on the Internet have no way to verify it; this makes it very difficult for the authorities investigating network crime to trace the source. This kind of attack is not uncommon on domestic and foreign websites. On one auction site, criminals used it to stop other users from continuing to bid, interfering with the auction so that the goods sold at a low price.

System check. In general, a few simple checks can tell whether the system is under a TCP SYN flood attack:

1. The server cannot provide normal TCP service; connection requests are refused or time out.

2. Checking the system with netstat -an shows a large number of connections in the SYN_RECV state.
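As an added example, not part of the original post, the following script performs the second check mechanically: it counts SYN_RECV entries in netstat -an output by remote address and flags the host when the total exceeds a threshold. The sample netstat lines and the default threshold of 50 are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Counts half-open (SYN_RECV)
# connections per remote address in "netstat -an"-style output read from
# stdin. A SYN flood shows up as many half-open connections, usually from
# a few (often spoofed) sources.
# Columns expected: proto recv-q send-q local-address foreign-address state

# Constructed sample (not real data) in the layout of "netstat -an".
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80    198.51.100.7:40001   SYN_RECV
tcp        0      0 10.0.0.5:80    198.51.100.7:40002   SYN_RECV
tcp        0      0 10.0.0.5:80    198.51.100.7:40003   SYN_RECV
tcp        0      0 10.0.0.5:80    203.0.113.9:51000    ESTABLISHED
tcp        0      0 10.0.0.5:80    203.0.113.9:51001    SYN_RECV
tcp        0      0 10.0.0.5:22    192.0.2.44:2222      ESTABLISHED'

# Per-source counts, highest first, as "<count> <remote ip>".
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" {
            addr = $5; sub(/:[0-9]+$/, "", addr)   # drop the remote port
            n[addr]++
        }
        END { for (a in n) print n[a], a }' | sort -rn
}

# Total number of SYN_RECV entries on stdin.
syn_recv_total() {
    awk '$6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# flag_syn_flood [threshold]: returns 0 and reports when the half-open
# count exceeds the threshold (default 50, an assumed value; tune it to
# the server's normal load), returns 1 otherwise.
flag_syn_flood() {
    threshold=${1:-50}
    total=$(syn_recv_total)
    if [ "$total" -gt "$threshold" ]; then
        echo "possible SYN flood: $total half-open connections (threshold $threshold)"
        return 0
    fi
    return 1
}

# Stand-alone run on the constructed sample; on a live host use
#   netstat -an | syn_recv_by_source
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_source
printf '%s\n' "$SAMPLE_NETSTAT" | flag_syn_flood 2 || echo "half-open count within threshold"
```

The per-source breakdown matters as much as the total: a handful of addresses each holding many half-open connections points at a flood, while many addresses with one entry each is what a busy but healthy server looks like.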

3. iptables settings, quoted from CU

Prevent SYN flood (synchronous packet flood):

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Some people write it as:

# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

--limit 1/s limits SYN packets to one per second; adjust it to your needs.

Prevent various port scans:

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping flood attack (ping of death):

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
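The rules above are incomplete on their own: -m limit ... -j ACCEPT lets packets through at the given rate, and everything above the rate simply falls through to the next rule or to the chain policy, which is usually ACCEPT, so nothing is actually limited unless a DROP for the same match follows. The following script, added here and not taken from the post or from CU, emits each rule pair for the three cases above; it prints the commands by default (IPT=echo) and applies them only when run as root with IPT=iptables. The chain name, the --limit-burst value and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Emits complete rate-limit
# rule pairs: the limit match accepts packets up to the rate, and the DROP
# that follows catches everything above it. Without the DROP the excess
# packets fall through to later rules or the chain policy.
# IPT defaults to echo (dry run); run as root with IPT=iptables to apply.
IPT=${IPT:-echo}

# syn_rate_limit_rules CHAIN [RATE] [BURST]
# CHAIN is INPUT for a host or FORWARD for a router; RATE is the post's 1/s.
# BURST (how many packets may arrive before the rate applies) is this
# example's assumption and equals the iptables default of 5.
syn_rate_limit_rules() {
    chain=$1
    rate=${2:-1/s}
    burst=${3:-5}
    $IPT -A "$chain" -p tcp --syn -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    $IPT -A "$chain" -p tcp --syn -j DROP
}

# Same pattern for bare RST packets (the post's port-scan rule).
rst_rate_limit_rules() {
    chain=$1
    rate=${2:-1/s}
    $IPT -A "$chain" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit "$rate" -j ACCEPT
    $IPT -A "$chain" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
}

# Same pattern for ICMP echo requests (the post's ping flood rule).
icmp_rate_limit_rules() {
    chain=$1
    rate=${2:-1/s}
    $IPT -A "$chain" -p icmp --icmp-type echo-request -m limit --limit "$rate" -j ACCEPT
    $IPT -A "$chain" -p icmp --icmp-type echo-request -j DROP
}

# Dry run: with IPT=echo this prints the commands that would be issued.
syn_rate_limit_rules INPUT
rst_rate_limit_rules INPUT
icmp_rate_limit_rules INPUT
```

Note that --limit 1/s is a global limit for all new connections on the chain, not a per-client one; on a busy server it will refuse legitimate clients, so treat the rate from the post as a starting point and measure the normal SYN rate before applying it.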

Attachment:

Iptables Guide 1.1.19

Firewall example:

Use iptables commands on Linux to create a personal firewall

See:

The /proc file system

http://www.linuxaid.com.cn 02-01-16 21:34 5467P Ideal

What is the proc file system?

The proc file system is a pseudo file system that exists only in memory and occupies no disk space. It provides an interface for accessing kernel data through ordinary file system operations. Users and applications can obtain system information through proc, and can also change certain kernel parameters. Because system information such as process data changes dynamically, the proc file system reads the required information from the kernel each time a user or application reads a proc file. Its directory structure is as follows:

Directory name   Contents
apm              advanced power management information
cmdline          kernel command line
cpuinfo          CPU information
devices          available devices (block devices / character devices)
dma              DMA channels in use
filesystems      supported file systems
interrupts       interrupts in use
ioports          I/O ports in use
kcore            kernel core image
kmsg             kernel messages
ksyms            kernel symbol table
loadavg          load average
locks            kernel locks
meminfo          memory information
misc             miscellaneous
modules          list of loaded modules
mounts           mounted file systems
partitions       partition table recognised by the system
rtc              real-time clock
slabinfo         slab pool information
stat             overall statistics
swaps            swap space utilisation
version          kernel version
uptime           system uptime

Not all of these entries are present on every system; it depends on your kernel configuration and loaded modules. In addition, there are three important directories under /proc: net, scsi and sys. The sys directory is writable and can be used to read or modify kernel parameters (see the section below), while net and scsi depend on the kernel configuration. For example, if the system does not support SCSI, the scsi directory does not exist.

Besides the entries described above, there are directories named by number, one per process. Every process currently running in the system has a corresponding directory under /proc, named after its process ID, which is the interface for reading that process's information. The self directory is a link through which a process reads its own information. The name of the proc file system comes from these process entries. The structure of a process directory is as follows:

Directory name   Contents
cmdline          command line arguments
environ          environment variable values
fd               directory of all file descriptors
mem              memory used by the process
stat             process status
status           current state of the process, in readable form
cwd              link to the current working directory
exe              link to the executed command file
maps             memory map
statm            process memory status information
root             link to the root directory of this process

To view system information, use the cat command, e.g.:

# cat /proc/interrupts
           CPU0
  0:    8728810   XT-PIC  timer
  1:        895   XT-PIC  keyboard
  2:          0   XT-PIC  cascade
  3:     531695   XT-PIC  aha152x
  4:    2014133   XT-PIC  serial
  5:      44401   XT-PIC  pcnet_cs
  8:          2   XT-PIC  rtc
 11:          8   XT-PIC  i82365
 12:     182918   XT-PIC  PS/2 Mouse
 13:          1   XT-PIC  fpu
 14:    1232265   XT-PIC  ide0
 15:          7   XT-PIC  ide1
NMI:          0

Users can also modify kernel parameters. There is an interesting directory in the /proc file system: /proc/sys. It not only provides kernel information but also lets you modify kernel parameters to tune your system. Be very careful, though, because a wrong value can crash the system. It is best to experiment on a non-critical machine and apply the settings to your production system only after debugging.

To change a kernel parameter, edit the file with vi or redirect the new value into it with echo. Here is an example:

# cat /proc/sys/fs/file-max
4096
# echo 8192 > /proc/sys/fs/file-max
# cat /proc/sys/fs/file-max
8192

Once you have found the optimal parameters, write them into rc.local so that the modifications are applied automatically when the system boots.
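As an added example (not from the original article), here are shell functions that wrap the read, write and persist steps just described: the value is validated before it is written, read back afterwards to confirm the kernel accepted it, and recorded as an echo line in rc.local so it survives a reboot. PROC_SYS, RC_FILE and the function names are this example's own; both locations are overridable so the functions can be tried against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the original article). Wraps the read / write /
# persist steps for a kernel parameter under PROC_SYS (default /proc/sys)
# and records the setting in RC_FILE so it is replayed at boot. Both
# locations are overridable so the functions can be exercised against a
# scratch directory without root.
PROC_SYS=${PROC_SYS:-/proc/sys}
RC_FILE=${RC_FILE:-/etc/rc.d/rc.local}

# get_param fs/file-max  -> prints the current value of the parameter
get_param() {
    cat "$PROC_SYS/$1"
}

# set_param fs/file-max 8192 -> writes the value, then reads it back.
# Only plain non-negative integers are accepted, because a typo written
# into /proc/sys can take the machine down. Returns 1 on a bad value, an
# unwritable file or a read-back mismatch.
set_param() {
    name=$1
    value=$2
    case $value in
        ''|*[!0-9]*) echo "set_param: '$value' is not an integer" >&2; return 1 ;;
    esac
    if [ ! -w "$PROC_SYS/$name" ]; then
        echo "set_param: $PROC_SYS/$name is not writable" >&2
        return 1
    fi
    echo "$value" > "$PROC_SYS/$name"
    if [ "$(get_param "$name")" != "$value" ]; then
        echo "set_param: kernel did not accept $value for $name" >&2
        return 1
    fi
}

# persist_param fs/file-max 8192 -> records "echo 8192 > /proc/sys/fs/file-max"
# in RC_FILE, replacing any earlier line for the same parameter, so the
# setting is applied again after a reboot. The file is rewritten in place
# so its mode (rc.local must stay executable) is preserved.
persist_param() {
    name=$1
    value=$2
    scratch=$(mktemp)
    if [ -f "$RC_FILE" ]; then
        grep -vF -- "> /proc/sys/$name" "$RC_FILE" > "$scratch" || true
    fi
    echo "echo $value > /proc/sys/$name" >> "$scratch"
    cat "$scratch" > "$RC_FILE"
    rm -f "$scratch"
}

# Usage on a live host, as root (reproducing the article's example):
#   get_param fs/file-max
#   set_param fs/file-max 8192 && persist_param fs/file-max 8192
```

The read-back check is the part worth keeping: the kernel silently clamps or rejects some values, and an echo that "succeeded" is no proof that the parameter now holds what you wrote.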

/proc file system network parameters

All parameters related to the TCP/IP protocol live in the /proc/sys/net/ipv4/ directory; they are explained in detail below.

ip_forward (boolean): 0 = off (default); non-zero = IP forwarding enabled.

Forwards datagrams between network interfaces. This parameter is special: changing it resets other related configuration parameters to their default values (see RFC 1122 for hosts and RFC 1812 for routers).

ip_default_ttl (integer): default 64. The Time To Live value of outgoing IP datagrams.

ip_no_pmtu_disc (boolean): disables path MTU discovery. Default is false.

ipfrag_high_thresh (integer): the maximum amount of memory used to reassemble fragmented IP packets. Once ipfrag_high_thresh bytes are allocated for reassembly, the fragment handler discards packets until memory use falls to ipfrag_low_thresh.

ipfrag_low_thresh (integer): see ipfrag_high_thresh.

ipfrag_time (integer): how long an IP fragment is kept in memory.

inet_peer_threshold (integer): a suitable size for the inet peer storage; when the threshold is exceeded, entries are discarded. The threshold also determines the lifetime of entries and the garbage-collection interval: the more entries there are, the shorter their lifetime and the shorter the GC interval.

inet_peer_minttl (integer): the minimum lifetime of entries. It must be long enough to cover fragment reassembly on the receiving side, and this minimum lifetime is guaranteed only while the pool size stays below inet_peer_threshold. Measured in jiffies.

inet_peer_maxttl (integer): the maximum lifetime of entries. After this period, unused entries expire if there is no memory pressure on the pool (for example, when the pool contains very few entries). Measured in jiffies.

inet_peer_gc_mintime (integer): the shortest interval between garbage collection (GC) passes; this interval applies when the pool is under high pressure. Measured in jiffies.

inet_peer_gc_maxtime (integer): the longest interval between GC passes; this interval applies when the pool is under low pressure. Measured in jiffies.

tcp_syn_retries (integer): for a new outgoing connection, how many SYN requests the kernel sends before giving up. Should not be greater than 255. Default is 5, which corresponds to about 180 seconds.

tcp_synack_retries (integer): in response to a remote SYN, the kernel sends a SYN-ACK to acknowledge the connection request; this is the second step of the so-called three-way handshake. This parameter sets how many SYN-ACKs the kernel sends before giving up on the connection.

tcp_keepalive_time (integer): when keepalive is enabled, how often TCP sends keepalive messages. Default is 2 hours.

tcp_keepalive_probes (integer): how many keepalive probes TCP sends before deciding that the connection is broken. Default is 9.

tcp_keepalive_intvl (integer): how often probes are sent; multiplied by tcp_keepalive_probes, it gives the time from the start of probing until the connection is killed. Default is 75 seconds, so an unresponsive connection is dropped about 11 minutes after probing starts.

tcp_retries1 (integer): how many retransmissions are attempted before a suspicious condition must be reported to the network layer. The minimum RFC value is 3, which is also the default; depending on the RTO this corresponds to between 3 seconds and 8 minutes.

tcp_retries2 (integer): how many retransmissions are attempted before an established TCP connection is dropped. RFC 1122 requires this to be at least 100 seconds. Default is 15, which depending on the RTO corresponds to 13 to 30 minutes.

tcp_orphan_retries (integer): how many retries are attempted before a TCP connection closed on the local side is dropped. Default is 7, corresponding to 50 seconds to 16 minutes depending on the RTO. If your system is a heavily loaded web server you may want to lower this value, since such sockets can consume a lot of resources. See also tcp_max_orphans.

tcp_fin_timeout (integer): how long a socket closed on this end stays in the FIN-WAIT-2 state. The peer may crash, never close its side, or die unexpectedly. Default is 60 seconds; in 2.2 kernels it was 180 seconds. You can lower this value, but be aware that on a very busy web server you risk filling memory with a large number of dead sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1 sockets because they eat at most 1.5K of memory, but they live longer. See also tcp_max_orphans.

tcp_max_tw_buckets (integer): the maximum number of TIME-WAIT sockets held simultaneously. If this number is exceeded, TIME-WAIT sockets are destroyed immediately and a warning is printed. This limit exists purely to resist simple DoS attacks; do not lower it artificially, but if network conditions require more than the default you can raise it (perhaps adding memory).

tcp_tw_recycle (boolean): enables fast recycling of TIME-WAIT sockets. Default is 1. Do not change this value unless advised or required to by technical experts.

tcp_max_orphans (integer): the maximum number of TCP sockets not attached to any process that the system can handle. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit exists purely to resist simple DoS attacks; do not rely on it and do not lower it artificially.

tcp_abort_on_overflow (boolean): when the listening service is too busy to accept new connections, send a RESET to the peer. Default is false, which means that if the overflow is due to an accidental burst, the connection will recover. Use this option only if you are sure that the listening daemon really cannot complete the connection requests.

tcp_syncookies (integer): only effective if the kernel was compiled with CONFIG_SYNCOOKIES. When the SYN wait queue overflows, send syncookies to the peer. The purpose is to defend against SYN flood attacks. Default is false.

Note: this option should not be used as a remedy for heavily loaded servers that are not under attack. If syncookie messages appear in the log but investigation shows no SYN flood and the cause is the connection load from legitimate users, you should tune other parameters to improve server performance instead. See tcp_max_syn_backlog, tcp_synack_retries and tcp_abort_on_overflow.

Syncookies seriously violate the TCP protocol and do not allow TCP extensions, which can cause serious performance problems for some services (such as SMTP relaying).

tcp_stdurg (integer): use the host-requirements interpretation of the TCP URG pointer field. Most hosts use the old BSD interpretation, so enabling this on Linux may prevent it from communicating correctly with them. Default is false.

tcp_max_syn_backlog (integer): the maximum number of queued connection requests that have not yet been acknowledged by the client. For systems with more than 128MB of memory the default is 1024; below 128MB it is 128. If the server is often overloaded, try increasing this number. Warning: if you set it above 1024, you should also change TCP_SYNQ_HSIZE in include/net/tcp.h so that TCP_SYNQ_HSIZE * 16 <= tcp_max_syn_backlog, and recompile the kernel.

tcp_window_scaling (boolean): normally TCP/IP accepts windows of at most 65535 bytes. On high-bandwidth networks this may be insufficient; enabling this parameter helps improve the performance of high-bandwidth servers.

tcp_timestamps (boolean): timestamps are used, among other things, to protect against forged sequence numbers. On a 1 Gbps link an old sequence number with an out-of-line value may reappear (from a previous wrap); the timestamp lets the stack recognise it as an 'old packet'.

tcp_sack (boolean): use selective ACK, which identifies specific lost datagrams and thus helps recover quickly.

tcp_fack (boolean): enables FACK congestion avoidance and fast retransmission.

tcp_dsack (boolean): allows TCP to send "duplicate" SACKs.

tcp_ecn (boolean): enables TCP explicit congestion notification.

tcp_reordering (integer): the maximum reordering of datagrams in a TCP stream. Default is 3.

tcp_retrans_collapse (boolean): provides bug-to-bug compatibility with certain broken printers.

tcp_wmem - vector: min, default, max

min: the minimum memory reserved for each TCP socket's send buffer; every TCP socket is entitled to this amount from creation. Default is 4K.

default: the default memory reserved for a TCP socket's send buffer. This value overrides net.core.wmem_default used by other protocols and is usually lower than net.core.wmem_default. Default is 16K.

max: the maximum memory used for a TCP socket's send buffer. This value does not override net.core.wmem_max, and the SO_SNDBUF socket option is not limited by it. Default is 128K.

tcp_rmem - vector: min, default, max

min: the memory reserved for each TCP socket's receive buffer; a TCP socket is guaranteed this much for its receive buffer even under memory pressure. Default is 8K.

default: the default memory reserved for a TCP socket's receive buffer. This value overrides net.core.rmem_default used by other protocols. It yields a TCP window size of 65535 with the default values of tcp_adv_win_scale and tcp_app_win (tcp_app_win = 0).

max: the maximum memory used for a TCP socket's receive buffer. This value does not override net.core.rmem_max, and the SO_RCVBUF socket option is not limited by it. Default is 87380 * 2 bytes.

tcp_mem - vector: low, pressure, high

low: while TCP uses fewer memory pages than this value, TCP does not bother releasing memory.

pressure: when TCP uses more memory pages than this value, it tries to stabilise its memory usage and enters pressure mode; it leaves pressure mode when usage falls below the low value.

high: the maximum number of pages that all TCP sockets together may use to queue buffered datagrams.

In general these values are calculated from the amount of system memory at boot.

tcp_app_win - integer

Reserves max(window / 2^tcp_app_win, MSS) of the window for application buffering. A value of 0 means no reservation. Default is 31.

tcp_adv_win_scale - integer: computes the buffering overhead as bytes / 2^tcp_adv_win_scale (if tcp_adv_win_scale > 0) or bytes - bytes / 2^(-tcp_adv_win_scale) (if tcp_adv_win_scale <= 0). Default is 2.

ip_local_port_range - two integers: the range of local ports used for TCP and UDP; the first number is the first port and the second the last. The default depends on the amount of memory in the system: more than 128MB: 32768-61000; less than 128MB: a smaller range, or even less. This value determines how many outgoing connections can be active at once, that is, the number of concurrent connections.

icmp_echo_ignore_all - boolean; icmp_echo_ignore_broadcasts - boolean: if either is set to true (> 0), the system ignores all ICMP echo requests, or only those sent to broadcast addresses, respectively.

icmp_destunreach_rate - integer; icmp_paramprob_rate - integer; icmp_timeexceed_rate - integer; icmp_echoreply_rate - integer (not enabled by default): limit the maximum rate at which the corresponding ICMP message is sent to a specific destination. 0 means no limit; otherwise the value gives the spacing between messages in jiffies.

icmp_ignore_bogus_error_responses - boolean: some routers violate RFC 1122 by responding to broadcast frames; such behaviour is normally recorded as a warning in the system log. If this option is set to true, the kernel does not log these warnings. Default is false.

(1) jiffy: the kernel's internal time unit, 1/100 s on i386 systems and 1/1024 s on Alpha. HZ, defined in /usr/include/asm/param.h, gives the value for a particular system.

conf/interface/*: changes special settings for one interface; conf/all/*: changes the settings for all interfaces.

log_martians - boolean: log datagrams with impossible source addresses to the kernel log.

accept_redirects - boolean: accept ICMP redirect messages. Default is true for hosts and false for routers.

forwarding - boolean: enable IP forwarding on this interface.

mc_forwarding - boolean: multicast routing. Only effective if the kernel is compiled with CONFIG_MROUTE and a multicast routing daemon is running.

proxy_arp - boolean: enable proxy ARP.

shared_media - boolean: send (router) or accept (host) RFC 1620 shared media redirects. Overrides ip_secure_redirects. Default is true.

secure_redirects - boolean: accept ICMP redirect messages only from gateways listed in the default gateway list. Default is true.

send_redirects - boolean: send redirect messages if this is a router. Default is true.

bootp_relay - boolean: accept datagrams with source address 0.b.c.d whose destination is not the local host. Used to support a BOOTP relay daemon, which captures and forwards the packets. Default is false; not yet implemented.

accept_source_route - boolean: accept datagrams with the SRR (source route) option. Default is false for hosts and true for routers.

rp_filter: 1 - source address verification by reverse path (defined in RFC 1812); recommended for single-homed hosts and stub network routers. 0 - no reverse-path source address verification. Default is 0. Some distributions enable it automatically at boot.
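As an added example (not from the original article), the following script audits the per-interface and ICMP parameters described above against a baseline for a single-homed host and prints the sysctl commands needed to fix any drift. The baseline values are this example's choice: rp_filter=1 as the text recommends for single-homed hosts, accept_source_route and accept_redirects off, send_redirects off because a host is not a router, log_martians on, icmp_echo_ignore_broadcasts on and tcp_syncookies on. PROC_SYS, SYSCTL and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original article). Audits the settings under
# PROC_SYS/net/ipv4 against a hardened baseline for a single-homed host
# and emits the sysctl commands that would bring the host into line.
# The baseline values are this example's choice, derived from the
# parameter descriptions above, not a recommendation from the article.
PROC_SYS=${PROC_SYS:-/proc/sys}
SYSCTL=${SYSCTL:-echo}     # set SYSCTL=sysctl (as root) to apply for real

# Desired values, one "name value" pair per line, keyed by /proc/sys path.
HOST_BASELINE='net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/conf/all/log_martians 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/tcp_syncookies 1'

# Prints "name current desired" for every baseline entry whose current
# value differs (or whose file is missing); prints nothing when the host
# already matches the baseline.
audit_ipv4_conf() {
    printf '%s\n' "$HOST_BASELINE" | while read -r name want; do
        if [ -r "$PROC_SYS/$name" ]; then
            have=$(cat "$PROC_SYS/$name")
        else
            have=missing
        fi
        [ "$have" = "$want" ] || echo "$name $have $want"
    done
}

# Turns the audit output into sysctl commands (net/ipv4/x -> net.ipv4.x).
# Missing parameters are reported by the audit but skipped here, since
# sysctl cannot set a key the running kernel does not have.
fix_ipv4_conf() {
    audit_ipv4_conf | while read -r name have want; do
        [ "$have" = missing ] && continue
        key=$(printf '%s' "$name" | tr / .)
        $SYSCTL -w "$key=$want"
    done
}

# Usage on a live host: run audit_ipv4_conf to see the drift, then set
# SYSCTL=sysctl and run fix_ipv4_conf as root to apply the baseline.
```

Because the audit reads the live values back from /proc/sys rather than trusting a config file, it also catches settings that a distribution's boot scripts changed after sysctl.conf was applied, which is exactly the case the rp_filter note above warns about.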

Please credit the original source when reposting: https://www.9cbs.com/read-90906.html
