Linux,possible SYN flooding
2014-11-07 18:47
// View the system log with tail (by default the last 10 lines)
# tail /var/log/messages
Nov 7 17:02:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:03:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:04:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:05:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:06:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:07:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:08:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:09:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:10:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
Nov 7 17:11:26 www kernel: possible SYN flooding on port 54104. Sending cookies.
// The message above says the host may be under a SYN flood attack.

// Count all TCP connections, grouped by state and sorted by count
# netstat -ant | awk '/^tcp/{print $NF}' | sort | uniq -c | sort -nr
1595 TIME_WAIT
1437 ESTABLISHED
929 FIN_WAIT2
790 FIN_WAIT1
101 CLOSING
69 SYN_RECV
33 LAST_ACK
15 LISTEN
2 CLOSE_WAIT

// Count only the TCP connections in state SYN_RECV
# netstat -ant | awk '{print $NF}' | grep SYN_RECV | wc -l
69
// That number is small (nowhere near the thousands), so a flood attack is ruled out; the likely cause is "too many concurrent connections".

// Use lsof to count the open files belonging to network (-i) connections
# lsof -ni | wc -l
2207

// Check socket state and counts
# cat /proc/net/sockstat
sockets: used 2273
TCP: inuse 1636 orphan 1039 tw 8795 alloc 3115 mem 873
UDP: inuse 2 mem 2

// Suggested fix: adjust tcp_max_syn_backlog and tcp_synack_retries.
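The triage above is done by hand against live output. The shell script below is an added example (not part of the original post): it wraps the article's own netstat/awk pipeline in functions, adds a per-port breakdown of SYN_RECV sockets so the port named in the kernel message can be matched to a listener, and pulls individual counters (tw, orphan) out of a /proc/net/sockstat line. The netstat and sockstat text it parses is a constructed sample using documentation IP ranges, not output captured from the author's host; the backlog value 2048 used in the demo is the one the article later reads from sysctl.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:54104           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:54104        198.51.100.7:40212      SYN_RECV
tcp        0      0 192.0.2.10:54104        198.51.100.8:40213      SYN_RECV
tcp        0      0 192.0.2.10:54104        203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:54104        203.0.113.6:51001       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.9:60001       ESTABLISHED
tcp6       0      0 :::54104                :::*                    LISTEN
tcp        0      0 192.0.2.10:54104        198.51.100.9:40214      SYN_RECV'

# Constructed /proc/net/sockstat content (same shape as the article's output).
SAMPLE_SOCKSTAT='sockets: used 2273
TCP: inuse 1636 orphan 1039 tw 8795 alloc 3115 mem 873
UDP: inuse 2 mem 2'

# The article's pipeline: TCP sockets per state, most common state first.
tcp_state_counts() {
    printf '%s\n' "$1" | awk '/^tcp/{print $NF}' | sort | uniq -c | sort -nr
}

# Number of sockets in one state (e.g. SYN_RECV), printed as a plain integer.
count_state() {
    printf '%s\n' "$1" | awk -v s="$2" '/^tcp/ && $NF == s {n++} END {print n+0}'
}

# SYN_RECV sockets grouped by local port ("count port" per line, largest first),
# so the port in "possible SYN flooding on port N" can be tied to a listener.
syn_recv_by_port() {
    printf '%s\n' "$1" | awk '/^tcp/ && $NF == "SYN_RECV" {
        n = split($4, a, ":"); c[a[n]]++
    } END { for (p in c) print c[p], p }' | sort -nr
}

# One counter (inuse, orphan, tw, alloc, mem) from the TCP line of sockstat.
sockstat_tcp() {
    printf '%s\n' "$1" | awk -v k="$2" '/^TCP:/ {
        for (i = 2; i < NF; i += 2) if ($i == k) print $(i + 1)
    }'
}

# Rough indicator: system-wide SYN_RECV count as a percentage of tcp_max_syn_backlog.
# Integer result; 0 when the backlog value is missing or zero.
syn_backlog_usage() {
    awk -v n="$1" -v b="$2" 'BEGIN { printf "%d\n", (b > 0) ? n * 100 / b : 0 }'
}

# Demo run on the constructed sample.
tcp_state_counts "$SAMPLE_NETSTAT"
syn_recv_by_port "$SAMPLE_NETSTAT"
echo "TIME_WAIT sockets (tw) from sockstat: $(sockstat_tcp "$SAMPLE_SOCKSTAT" tw)"
echo "SYN_RECV share of a 2048 backlog: $(syn_backlog_usage "$(count_state "$SAMPLE_NETSTAT" SYN_RECV)" 2048)%"
```

On a real host, replace the two sample variables with `$(netstat -ant)` and `$(cat /proc/net/sockstat)`. Note that `/^tcp/` also matches `tcp6` lines, exactly as the article's pipeline does, and that the percentage is only a coarse hint: the kernel message is raised per listening socket when that socket's SYN queue fills, not when the system-wide SYN_RECV count reaches tcp_max_syn_backlog.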
// Check the kernel parameter tcp_max_syn_backlog; it is below 2207, so it may be too small
# sysctl -a | grep tcp_max_syn_backlog
net.ipv4.tcp_max_syn_backlog = 2048

// Check the kernel parameter tcp_synack_retries
// (press the up arrow to recall the previous command, Ctrl+W to delete the last word,
//  then paste tcp_synack_retries with Shift+Ins)
# sysctl -a | grep tcp_synack_retries
net.ipv4.tcp_synack_retries = 5

// Open the sysctl configuration file and change the parameters
# vi /etc/sysctl.conf
#// When the SYN wait queue overflows, handle it with cookies; protects against small SYN attacks. Default 0
net.ipv4.tcp_syncookies = 1
#// Length of the SYN queue; default 1024
net.ipv4.tcp_max_syn_backlog = 4096
#// Allow TIME-WAIT sockets to be reused for new TCP connections; default 0 (off)
net.ipv4.tcp_tw_reuse = 0
#// Enable fast recycling of TIME-WAIT sockets in TCP connections; default 0 (off)
net.ipv4.tcp_tw_recycle = 1
#// If the socket is closed by our side, how long it stays in FIN-WAIT-2; default 60
net.ipv4.tcp_fin_timeout = 30
#// How often TCP sends keepalive messages when keepalive is enabled; default 2 hours (7200)
net.ipv4.tcp_keepalive_time = 1200
#// Port range used for outbound connections; the default is small: 32768 to 61000
net.ipv4.ip_local_port_range = 1024 65000
#// Maximum number of TIME_WAIT sockets held at the same time; above this they are cleared immediately and a warning is printed. Default 180000
net.ipv4.tcp_max_tw_buckets = 5000

// Apply the changes
# sysctl -p

Testing showed that these changes had no real effect: the log message still appears.
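Two details explain why the tuning above can leave the message in place. "Sending cookies" in the log means syncookies were already active when the queue overflowed, so setting tcp_syncookies=1 changes nothing. And the queue the message refers to belongs to one listening socket; its size is bounded by the smallest of the backlog the application passed to listen(), net.core.somaxconn and tcp_max_syn_backlog, so raising tcp_max_syn_backlog alone does nothing when the application's listen() backlog is the limiting value. The script below is an added example, not from the original post: it reads a sysctl.conf-style text (a constructed copy of the article's settings), looks up keys, computes that minimum, and flags tcp_tw_recycle=1, which rejects SYNs from clients behind NAT and was removed from Linux in 4.12. The "effective backlog" is the minimum of the three values only; exact rounding differs between kernel versions and is not modelled.

```shell
#!/bin/sh
# Constructed sysctl.conf fragment mirroring the article's settings (not the author's file).
SAMPLE_CONF='# SYN handling
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_tw_buckets = 5000'

# Value of one key in sysctl.conf-style text; prints nothing if the key is absent.
conf_get() {
    printf '%s\n' "$1" | awk -F'=' -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        { gsub(/[ \t]/, "", $1) }                # normalise the key
        $1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }'
}

# SYN queue a listener actually gets: the smallest of listen() backlog,
# net.core.somaxconn and tcp_max_syn_backlog (assumption: minimum only, no rounding).
effective_syn_backlog() {
    m=$1
    for v in "$2" "$3"; do
        if [ "$v" -lt "$m" ]; then m=$v; fi
    done
    echo "$m"
}

# Audit the settings: WARN lines for values that hurt, OK/INFO otherwise.
audit_sysctl() {
    conf=$1
    sc=$(conf_get "$conf" net.ipv4.tcp_syncookies)
    if [ "$sc" = 1 ]; then
        echo "OK   tcp_syncookies=1: a listener keeps answering when its SYN queue is full"
    else
        echo "WARN tcp_syncookies is not 1: a full SYN queue silently drops new connections"
    fi
    rec=$(conf_get "$conf" net.ipv4.tcp_tw_recycle)
    if [ "$rec" = 1 ]; then
        echo "WARN tcp_tw_recycle=1 rejects SYNs from clients behind NAT (removed in Linux 4.12)"
    fi
    bl=$(conf_get "$conf" net.ipv4.tcp_max_syn_backlog)
    echo "INFO tcp_max_syn_backlog=${bl:-unset}: only effective if listen() backlog and somaxconn are at least as large"
}

# Demo: audit the sample and show the backlog a server listening with backlog 128
# would get under the sample settings (somaxconn 128 is the old kernel default).
audit_sysctl "$SAMPLE_CONF"
echo "effective SYN backlog: $(effective_syn_backlog 128 128 "$(conf_get "$SAMPLE_CONF" net.ipv4.tcp_max_syn_backlog)")"
```

To audit a live box, feed `$(cat /etc/sysctl.conf)` to `audit_sysctl` and compare with `sysctl -n net.core.somaxconn`; the listen() backlog itself is set in the application (for example a server's `backlog` option), which is where the fix usually has to go.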
Reference: Red Hat performance tuning reference (http://www.linuxdiyf.com/viewarticle.php?id=66025)