This is the sixth day of my participation in the August More Text Challenge. For details, see: August More Text Challenge

TCP parameters in the Linux kernel

/proc/sys/net/ipv4/

/proc/sys/net/ipv4/ holds the files for the TCP parameters. The entries in this directory adjust network settings; many of them can be used to defend the system against attacks or to configure its routing behaviour.

tcp_syn_retries specifies how many times a SYN is retransmitted when the connection attempt times out.

Next, we test this by setting sysctl net.ipv4.tcp_syn_retries=2.

To verify, SSH to a host that does not exist; SSH runs over TCP, so the connection attempt exercises the same SYN retransmission.

In Wireshark you can see that the SYN packet is retransmitted twice.
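As an added example (not from the original post), the following script turns a tcp_syn_retries value into the time a connect() call keeps retrying before it fails. It assumes the 1-second initial RTO of current kernels, which is why its numbers are smaller than the 180-second figure the table below quotes for 5 retries (that figure comes from the 3-second initial RTO of older kernels).

```shell
#!/bin/sh
# Added example, not from the original post: estimate how long connect()
# keeps retrying before tcp_syn_retries gives up. Assumption: initial RTO of
# 1 s (Linux 3.1 and later, RFC 6298); older kernels started at 3 s, which is
# where the "about 180 seconds" figure for 5 retries in the table comes from.

# syn_timeout RETRIES [INITIAL_RTO] -> seconds until the attempt is abandoned
# The RTO doubles after every retransmission, and the attempt is dropped when
# the timer of the last retransmission expires: sum of rto * 2^i, i = 0..n.
syn_timeout() {
    retries=$1
    rto=${2:-1}
    total=0
    i=0
    while [ "$i" -le "$retries" ]; do
        total=$((total + rto))
        rto=$((rto * 2))
        i=$((i + 1))
    done
    echo "$total"
}

# current_syn_retries -> live value on Linux, otherwise the kernel default 5
current_syn_retries() {
    if [ -r /proc/sys/net/ipv4/tcp_syn_retries ]; then
        cat /proc/sys/net/ipv4/tcp_syn_retries
    else
        echo 5
    fi
}

n=$(current_syn_retries)
printf 'tcp_syn_retries=%s: connect() gives up after about %s s (1 s initial RTO)\n' \
    "$n" "$(syn_timeout "$n")"
printf 'the same count with the old 3 s initial RTO: about %s s\n' "$(syn_timeout "$n" 3)"
printf 'the test value 2 used above gives up after about %s s\n' "$(syn_timeout 2)"
```

With tcp_syn_retries=2 the capture shows the original SYN plus two retransmissions, at about 1 s and 3 s, and the attempt fails at about 7 s.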

net.ipv4.tcp_window_scaling enables or disables the window scaling option.

net.ipv4.tcp_sack enables or disables the Selective Acknowledgement (SACK) option.

Name (default value, recommended value): description

tcp_syn_retries (default 5, recommended 1): How many SYN connection requests the kernel sends for a new connection before the attempt is aborted. Should not be greater than 255; the default of 5 corresponds to about 180 milliseconds. For a heavily loaded network with good physical links this value is too high and can be lowered to 2. It applies only to outgoing connections; for incoming connections the limit is set by tcp_retries1.

tcp_synack_retries (default 5, recommended 1): For a remote connection request (SYN), the kernel replies with a SYN+ACK to acknowledge the SYN; this is the second step of the three-way handshake. The value determines how many SYN+ACKs the kernel sends before it gives up. Should not be greater than 255; the default of 5 corresponds to about 180 seconds.

tcp_keepalive_time (default 7200, recommended 600): Interval, in seconds, at which TCP sends keepalive probes to verify that a connection is still valid. Guards against peers that establish a connection and then never send data.

tcp_keepalive_probes (default 9, recommended 3): Number of keepalive probes TCP sends to verify whether a TCP connection is still valid.

tcp_keepalive_intvl (default 74, recommended 15): Interval, in seconds, between retransmissions of a probe when no response is received. The default is 75 seconds. (That is too large for most applications and can be reduced as needed; web servers in particular should lower it. 15 is a good value.)

tcp_retries1 (default 3, recommended 3): Number of retries before a TCP connection request is abandoned. The minimum required by the RFC is 3.

tcp_retries2 (default 15, recommended 5): Number of retries before an active (established) TCP connection is dropped. The default of 15 corresponds, depending on the RTO, to roughly 13 to 30 minutes (RFC 1122 requires more than 100 seconds). It can be reduced to suit the network; my network is set to 5.

tcp_orphan_retries (default 7, recommended 3): Number of retries before a connection closed by the local end is dropped. The default of 7 corresponds to between 50 seconds and 16 minutes, depending on the RTO. On a heavily loaded web server you may want to lower it, because such sockets consume a lot of resources. See also tcp_max_orphans.

tcp_fin_timeout (default 60, recommended 2): For a socket closed by the local end, how long TCP stays in the FIN-WAIT-2 state. The peer may have gone away or may never terminate, or a process may have died unexpectedly. The default is 60 seconds.

tcp_max_tw_buckets (default 180000, recommended 36000): Maximum number of TIME-WAIT sockets the system handles at the same time. Above this limit, TIME-WAIT sockets are destroyed immediately and a warning is logged. The limit exists purely to resist simple DoS attacks; if your network genuinely needs more, increase it (and perhaps add memory). (In practice it is best to raise this value when doing NAT.)

tcp_tw_recycle (default 0, recommended 1): Enables fast recycling of TIME-WAIT sockets. Do not change this value unless advised or requested by a technical expert. (For NAT it is recommended to turn it on.)

tcp_tw_reuse (default 0, recommended 1): Whether sockets in the TIME-WAIT state may be reused for new TCP connections (very helpful for quickly restarting services that would otherwise report the port as already in use).

tcp_max_orphans (default 8192, recommended 32768): Maximum number of TCP sockets not attached to any process. If this number is exceeded, orphaned connections are reset immediately and a warning is logged. The limit exists purely to resist simple DoS attacks; never rely on it or lower it artificially. Increase it if memory is plentiful. (Red Hat AS sets it to 32768, but many firewall guides recommend changing it to 2000.)

tcp_abort_on_overflow (default 0, recommended 0): When the daemon is too busy to accept a new connection, send the peer a reset; the default is false. With the default, a connection that overflowed because of an accidental burst can be restored. Turn this option on only if you are sure the daemon really cannot complete connection requests. It affects clients: for an already saturated sendmail or apache, it lets clients terminate the connection very quickly and gives the server a chance to process its existing connection buffers, which is why many firewall guides recommend enabling it.

tcp_syncookies (default 0, recommended 1): Takes effect only if the kernel was compiled with CONFIG_SYNCOOKIES. When the SYN wait queue overflows, SYN cookies are sent to the peer. The purpose is to defend against SYN flood attacks.

tcp_stdurg (default 0, recommended 0): Use the host-requirements RFC interpretation of the TCP urgent pointer field. Most hosts use the old BSD interpretation, so enabling this on Linux may prevent proper communication with them.

tcp_max_syn_backlog (default 1024, recommended 16384): Maximum number of connection requests not yet acknowledged by the client that are kept in the queue. The default is 1024 for systems with more than 128 MB of memory and 128 for systems below that. If the server is frequently overloaded, try increasing this number. If you set it above 1024, it is best to also change TCP_SYNQ_HSIZE in include/net/tcp.h so that TCP_SYNQ_HSIZE*16 keeps pace with it. (A SYN flood exploits the TCP handshake: the attacker forges source IP addresses and sends large numbers of TCP SYN packets, leaving half-open connections that eventually exhaust the target's socket queue so that it can no longer accept new connections. To counter this, modern Unix systems buffer rather than resolve the attack with multi-queue processing: a basic queue for normal fully established connections (connect() and accept()) and a separate queue for half-open connections. Dual-queue processing, combined with other kernel measures such as SYN cookies and caches, effectively mitigates small-scale SYN flood attacks.)

tcp_window_scaling (default 1, recommended 1): Whether the sliding window size of a TCP/IP session is variable. Boolean: 1 means variable, 0 means fixed. TCP/IP normally uses a maximum window of 65535 bytes, which may be too small for high-speed networks; window scaling increases the sliding window by several orders of magnitude and improves data transfer capacity (RFC 1323).

tcp_timestamps (default 1, recommended 1): Timestamps are used, among other things, to protect against forged sequence numbers. On a 1 Gbit/s line an old, out-of-order sequence number (left over from a previous use) may reappear; the timestamp lets the receiver recognise it as an old packet. This file also enables an RTT calculation that is more precise than timeout-based retransmission (RFC 1323); enable it for better performance.

tcp_sack (default 1, recommended 1): Use Selective ACK, which identifies specific missing datagrams and so speeds up state recovery. Enabling selective acknowledgement lets the receiver acknowledge data received out of order, so the sender retransmits only the missing segments. This option should be enabled for WAN communication, at the cost of higher CPU usage.

tcp_fack (default 1, recommended 1): Enables FACK congestion avoidance and fast retransmission. Note that when tcp_sack is 0 this setting has no effect even if set to 1, because it builds on SACK, a core reliability feature of TCP connections.

tcp_dsack (default 1, recommended 1): Allows TCP to send duplicate ("two identical") SACK blocks.

tcp_ecn (default 0, recommended 0): TCP explicit congestion notification.

tcp_reordering (default 3, recommended 6): Maximum number of datagrams that may be reordered in a TCP stream. It is generally recommended to set this slightly higher.

tcp_retrans_collapse (default 1, recommended 0): Provides bug compatibility for some buggy printers. This support is generally not needed and can be turned off.

tcp_wmem (min default max; default 4096 16384 131072, recommended 8192 131072 16777216): Send buffer settings. min: the minimum memory reserved for the send buffer of a TCP socket; every TCP socket can use it once created. The default is 4096. default: the amount of memory reserved for a TCP socket's send buffer. This value overrides net.core.wmem_default, which other protocols use, and is usually lower than net.core.wmem_default. The default is 16384 (16K). max: the maximum memory used for a TCP socket's send buffer. This value does not affect net.core.wmem_max, and a "static" selection via the SO_SNDBUF socket option is not affected by it. The default is 131072 (128K). For a server, increasing this parameter helps when sending data.

tcp_rmem (min default max; default 4096 87380 174760, recommended 32768 131072 16777216): Receive buffer settings, with the same meaning as tcp_wmem.

tcp_mem (low pressure high; default calculated from memory, recommended 786432 1048576 1572864): low: while the number of memory pages used by TCP is below this value, TCP does not consider freeing memory; that is, there is no memory pressure below this value. (Ideally this value should match the second value given to tcp_wmem: the maximum page size times the maximum number of concurrent requests divided by the page size, 131072 * 300 / 4096.) pressure: when the number of memory pages used by TCP exceeds this value, TCP tries to stabilise its memory usage and enters pressure mode; it leaves pressure mode when consumption falls below low. (Ideally this value should be the maximum total buffer size TCP can use, 204800 * 300 / 4096.) high: the number of pages allowed for queuing buffered datagrams across all TCP sockets. If this value is exceeded, TCP connections are rejected, which is why it should not be too conservative (512000 * 300 / 4096). In this case the value provided is generous: it can handle 2.5 times as many connections as expected, or let existing connections transmit 2.5 times as much data.

tcp_app_win (default 31, recommended 31): Reserves max(window/2^tcp_app_win, mss) of the window for application buffering. A value of 0 means no reservation.

tcp_adv_win_scale (default 2, recommended 2): Computes the buffer overhead.

tcp_low_latency (default 0, recommended 0): Lets the TCP/IP stack favour low latency over high throughput; this option is generally disabled.

tcp_westwood (default 0, recommended 0): Enables a sender-side congestion control algorithm that maintains a throughput estimate and tries to optimise overall bandwidth utilisation; should be enabled for WAN communication.

tcp_bic (default 0, recommended 0): Enables Binary Increase Congestion control for fast long-distance networks, which makes better use of links running at gigabit speeds; should be enabled for WAN communication.

ip_forward (default 0, recommended 1): IP forwarding support; must be set to 1 for NAT.

ip_local_port_range (min max; default 32768 61000, recommended 1024 65000): Range of ports used for outbound connections, which is small by default. This range also indirectly determines the size of the NAT table.

ip_conntrack_max (default 65535, recommended 65535): Maximum number of ipv4 connections the system tracks; the default is 65536 (in fact the theoretical maximum). The value depends on how much memory you have; with 1 GB or more the default is 65536.

/proc/sys/net/core/

The /proc/sys/net/core/ directory contains settings that control how the Linux kernel interacts with the network layer, that is, how the kernel responds to network events.

Name (default value, recommended value): description

netdev_max_backlog (default 1024, recommended 16384): Maximum number of packets queued when a network interface receives packets faster than the kernel can process them. This value should be raised on heavily loaded servers.

somaxconn (default 128, recommended 16384): Caps the length of the listen queue; beyond it, connection timeouts or retransmissions are triggered. The backlog that web applications pass to listen() is limited by the kernel parameter net.core.somaxconn, 128 by default, while nginx's NGX_LISTEN_BACKLOG defaults to 511, so this value needs adjusting. On busy servers, raising it helps network performance.

wmem_default (default 129024, recommended 129024): Default send window size (bytes).

rmem_default (default 129024, recommended 129024): Default receive window size (bytes).

rmem_max (default 129024, recommended 873200): Maximum TCP receive buffer (bytes).

wmem_max (default 129024, recommended 873200): Maximum TCP send buffer (bytes).

/proc/sys/net/netfilter/ holds the netfilter parameters. For details, see the Linux kernel documentation.

Method to modify kernel parameters

  1. Use echo to write the value directly into the file, for example echo "1" > /proc/sys/net/ipv4/tcp_syn_retries. The default value is restored after the machine reboots.
  2. Add the parameter to /etc/sysctl.conf and then run sysctl -p to make it take effect. This way is permanent.
  3. Use the sysctl command, for example to change the SYN retransmission count: sysctl net.ipv4.tcp_syn_retries=n
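An added example, not part of the original post, that audits the live kernel values against a few of the recommended values from the tables above and prints the sysctl.conf lines needed for method 2; the parameter list inside it is constructed from the tables, and /proc/sys is assumed to be readable.

```shell
#!/bin/sh
# Added example, not from the original post: compare live kernel values with a
# few recommended values from the tables above and print the sysctl.conf lines
# for the ones that differ (method 2 in the list above). Assumption: /proc/sys
# is readable; otherwise a parameter is reported as "unavailable" and skipped.

# name=recommended pairs, constructed from the post's tables
RECOMMENDED='net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=16384
net.core.somaxconn=16384'

# sysctl_path NAME -> the /proc/sys file behind a dotted sysctl name
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# live_value NAME -> current value, or "unavailable" if the file is unreadable
live_value() {
    f=$(sysctl_path "$1")
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# needs_change CURRENT RECOMMENDED -> succeeds only for a readable, differing value
needs_change() {
    [ "$1" != unavailable ] && [ "$1" != "$2" ]
}

# audit -> one line per parameter, then a sysctl.conf fragment for the mismatches
audit() {
    fixes=''
    for pair in $RECOMMENDED; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(live_value "$name")
        mark=''
        if needs_change "$have" "$want"; then
            mark='  <- differs'
            fixes="${fixes}${name} = ${want}\n"
        fi
        printf '%-32s current=%-12s recommended=%-6s%s\n' "$name" "$have" "$want" "$mark"
    done
    if [ -n "$fixes" ]; then
        printf '\n# append to /etc/sysctl.conf (or a file in /etc/sysctl.d/), then run: sysctl -p\n'
        printf '%b' "$fixes"
    fi
}
audit
```

The table's tcp_tw_recycle is deliberately left out of the list: it was removed in Linux 4.12 because it breaks clients behind NAT, so on current kernels the file no longer exists.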

View the statistics of the Linux system

Replace eth0 below with the network interface you need to check.

/sys/class/net/eth0/statistics/rx_packets    packets received
/sys/class/net/eth0/statistics/tx_packets    packets transmitted
/sys/class/net/eth0/statistics/rx_bytes      bytes received
/sys/class/net/eth0/statistics/tx_bytes      bytes transmitted
/sys/class/net/eth0/statistics/rx_dropped    packets dropped on receive
/sys/class/net/eth0/statistics/tx_dropped    packets dropped on transmit

The parameters of a Linux network adapter can be viewed by entering the corresponding NIC directory under /sys/class/net/, for example the NIC's MAC address, speed and MTU.
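An added example (not from the original post) that reads the counters listed above for every interface and flags those that drop packets; the statistics directory is passed as an argument, so the sysfs layout shown above is the only assumption.

```shell
#!/bin/sh
# Added example, not from the original post: read the per-interface counters
# under /sys/class/net/<nic>/statistics listed above and flag interfaces that
# drop packets. The directory is an argument, so the only assumption is the
# sysfs layout; a constructed copy of that layout works just as well.

# counter DIR NAME -> value of DIR/statistics/NAME, or 0 when the file is absent
counter() {
    f="$1/statistics/$2"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# drop_per_mille DROPPED DELIVERED -> drops per 1000 handled packets (integer)
# handled = delivered + dropped, so the result never exceeds 1000.
drop_per_mille() {
    handled=$(( $2 + $1 ))
    if [ "$handled" -eq 0 ]; then echo 0; else echo $(( $1 * 1000 / handled )); fi
}

# nic_report DIR -> prints one summary line; exit status 1 if either direction drops
nic_report() {
    dir=$1
    rxp=$(counter "$dir" rx_packets); txp=$(counter "$dir" tx_packets)
    rxb=$(counter "$dir" rx_bytes);   txb=$(counter "$dir" tx_bytes)
    rxd=$(counter "$dir" rx_dropped); txd=$(counter "$dir" tx_dropped)
    printf '%s: rx %s pkts, %s bytes, %s dropped (%s/1000); tx %s pkts, %s bytes, %s dropped (%s/1000)\n' \
        "$(basename "$dir")" "$rxp" "$rxb" "$rxd" "$(drop_per_mille "$rxd" "$rxp")" \
        "$txp" "$txb" "$txd" "$(drop_per_mille "$txd" "$txp")"
    [ "$rxd" -eq 0 ] && [ "$txd" -eq 0 ]
}

# Walk the real interfaces; a rising rx_dropped is the symptom netdev_max_backlog above addresses.
for d in /sys/class/net/*; do
    if [ -d "$d/statistics" ]; then
        nic_report "$d" || echo "  -> $(basename "$d") is dropping packets"
    fi
done
```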
