Below are some Linux kernel (sysctl) values that reduce the host-side impact of SYN floods and connection-table exhaustion. They limit how much socket and conntrack state an attacker can tie up on the server; they do not stop a volumetric DDoS, which has to be filtered upstream. Add the settings to /etc/sysctl.conf (or a file under /etc/sysctl.d/) to make them persistent, or apply them at runtime with "sysctl -w" — runtime changes are lost at reboot. If a key is set more than once, the last value applied wins, and a key that your kernel does not expose (check for it under /proc/sys/) will make "sysctl -w" fail.
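#!/usr/bin/env bash
# Apply kernel (sysctl) settings that reduce the host-side impact of SYN floods
# and connection-table exhaustion. These only cap resource use on this host;
# volumetric DDoS still has to be filtered upstream.
#
# Must run as root. Values set with "sysctl -w" do not survive a reboot; copy
# the key=value pairs into a file under /etc/sysctl.d/ for persistence.
set -euo pipefail

# Settings are applied in order, one entry per key. The original list set
# tcp_fin_timeout, tcp_keepalive_time and tcp_max_syn_backlog several times
# with different values; only the last one took effect, so that is kept here.
readonly -a SYSCTL_SETTINGS=(
  # Fall back to SYN cookies when the SYN backlog fills -- the primary
  # SYN-flood defence; without it the backlog below just delays the stall.
  net.ipv4.tcp_syncookies=1
  # Half-open connections held before cookies kick in.
  net.ipv4.tcp_max_syn_backlog=4096
  # The kernel default is 5 (about 31 s of retransmits), so setting 5 was a
  # no-op. Fewer SYN-ACK retries free half-open entries sooner under a flood;
  # raise this again on very high-latency links.
  net.ipv4.tcp_synack_retries=2
  # Reclaim FIN-WAIT-2 and TIME-WAIT state faster.
  net.ipv4.tcp_fin_timeout=20
  net.ipv4.tcp_max_tw_buckets=1440000
  # Reuse TIME-WAIT sockets for outgoing connections. tcp_tw_recycle is
  # deliberately left out: it drops connections from clients behind NAT and was
  # removed from Linux in 4.12, so "sysctl -w" on it now fails.
  net.ipv4.tcp_tw_reuse=1
  # Probe idle connections sooner so dead peers are released.
  net.ipv4.tcp_keepalive_time=1800
  net.ipv4.tcp_keepalive_intvl=40
  # Conntrack timeouts under their current names; the old
  # net.ipv4.netfilter.ip_conntrack_* keys belong to the removed ip_conntrack
  # module. These keys only exist once nf_conntrack is loaded.
  net.netfilter.nf_conntrack_tcp_timeout_syn_recv=45
  # Still ~92 h; if the conntrack table fills under load, lower this further.
  net.netfilter.nf_conntrack_tcp_timeout_established=332000
  # inetpeer cache TTLs in seconds. net.ipv4.inet_peer_gc_maxtime is not
  # included: it is no longer present on current kernels.
  net.ipv4.inet_peer_minttl=80
  net.ipv4.inet_peer_maxttl=500
)

#######################################
# Map a dotted sysctl key to its /proc/sys path.
# Arguments: $1 - key, e.g. net.ipv4.tcp_syncookies
# Outputs:   the path on stdout
#######################################
sysctl_path() {
  printf '/proc/sys/%s\n' "${1//.//}"
}

#######################################
# Apply one key=value. Keys the running kernel does not expose (module not
# loaded, key removed upstream) are reported and skipped instead of aborting
# the whole run.
# Arguments: $1 - key=value
# Returns:   0 on success or skip; sysctl's status if the write fails
#######################################
apply_setting() {
  local setting=$1
  local key=${setting%%=*}
  if [[ ! -e "$(sysctl_path "$key")" ]]; then
    printf 'skip: %s is not available on this kernel\n' "$key" >&2
    return 0
  fi
  sysctl -w "$setting" >/dev/null
}

main() {
  (( EUID == 0 )) || { printf 'error: must run as root\n' >&2; exit 1; }
  local setting
  for setting in "${SYSCTL_SETTINGS[@]}"; do
    apply_setting "$setting"
  done
}

main "$@"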
We will be adding more sysctl tweaks soon.
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_synack_retries=5
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_keepalive_time=1500
sysctl -w net.ipv4.tcp_sack=0
sysctl -w net.ipv4.tcp_max_tw_buckets=1440000
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=20
sysctl -w net.ipv4.tcp_keepalive_time=1800
sysctl -w net.ipv4.tcp_fin_timeout=20
sysctl -w net.ipv4.tcp_keepalive_time=1800
sysctl -w net.ipv4.tcp_keepalive_intvl=40
sysctl -w net.ipv4.tcp_tw_recycle=1
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.inet_peer_gc_maxtime=240
sysctl -w net.ipv4.inet_peer_maxttl=500
sysctl -w net.ipv4.inet_peer_minttl=80
We will be adding more sysctl tweaks soon.