Linux内核中的TCP SYN Flooding检测方法

前端之家收集整理的这篇文章主要介绍了Linux内核中的TCP SYN Flooding检测方法前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
Linux内核检测到SYN Flooding时,它会记录如下消息:

端口80上可能发生SYN泛洪.发送cookie

有谁知道内核用来检测这个的确切方法

解决方法

如果我正确读取sysctl / tcp内容,当未确认的syn请求数超过net.ipv4.tcp_max_syn_backlog的值时,它会跳闸.特别:

The tcp_max_syn_backlog variable tells
your Box how many SYN requests to keep
in memory that we have yet to get the
third packet in a 3-way handshake
from. The tcp_max_syn_backlog variable
is overridden by the tcp_syncookies
variable,which needs to be turned on
for this variable to have any effect.
If the server suffers from overloads
at peak times,you may want to
increase this value a little bit.

我认为这很简单的原因是来自tcp_syncookies的文本:

The tcp_syncookies variable is used to
send out so called syncookies to hosts
when the kernels syn backlog queue for
a specific socket is overflowed. This
means that if our host is flooded with
several SYN packets from different
hosts,the syn backlog queue may
overflow,and hence this function
starts sending out cookies to see if
the SYN packets are really legit.

对我而言,它听起来真的像是具有>的syn队列一样简单. tcp_max_syn_backlog未完成的连接.

原文链接:https://www.f2er.com/linux/397740.html

猜你在找的Linux相关文章