如何避免 syn cookies

如何避免 syn cookies

我有一个 (TCP) 服务器,每秒处理大量新连接 (1000 - 5000)。这会导致发送 syn cookies:

kernel: possible SYN flooding on port 2710. Sending cookies. 

Syn cookies 并不是那么糟糕(在本例中),但我该如何避免这种情况。我可以打开哪些应用程序或内核旋钮?关于这方面的文档似乎非常少。内核是 Linux 2.6.32 x64。

答案1

syncookies 由 中的设置控制/proc/sys/net/ipv4/tcp_syncookies,您可以阅读文档存在于Linux内核中了解更多详情。具体来说,以下是我认为相关的部分:

    Note, that syncookies is fallback facility.
    It MUST NOT be used to help highly loaded servers to stand
    against legal connection rate. If you see SYN flood warnings
    in your logs, but investigation shows that they occur
    because of overload with legal connections, you should tune
    another parameters until this warning disappear.
    See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

相关内容