Friends,
Although I have limited experience in Linux, I thought of publishing the Solaris tuning parameters first. But I got lots of requests for Linux, so I am compiling the hardening parameters of Linux first. Please feel free to add your comments if there is something I missed in this part.
Linux operating systems have implemented a SYN cookies mechanism, which can be enabled in the following way:
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Note that to make this change permanent we need to create a startup file that sets this variable. We must do the same for the other UNIX variables described here, because the values of these variables return to their defaults upon system reboot.
SYN cookies protection is especially useful when the system is under a SYN flood attack and the source IP addresses of the SYN packets are forged (a SYN spoofing attack). This mechanism constructs a packet with the SYN and ACK flags set that carries a specially crafted initial sequence number (ISN), called a cookie. The value of the cookie is not a pseudo-random number generated by the system; instead it is the result of a hash function computed over the source IP, source port, destination IP and destination port plus some secret values. During a SYN attack the system responds by sending back a packet with a cookie, instead of rejecting the connection when the SYN queue is full. When the server receives a packet with the ACK flag set (the last stage of the three-way handshake), it verifies the cookie. If the value is correct, it creates the connection even though there is no corresponding entry in the SYN queue: at that point we know that it is a legitimate connection and that the source IP address was not spoofed. It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we do not need to change the backlog queue size. More information about SYN cookies can be found at http://cr.yp.to/syncookies.html.
Also note that the SYN cookies mechanism works only when the CONFIG_SYN_COOKIES option is set during kernel compilation.
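As an added illustration (not the kernel's code and not part of the original post), the following Python model shows the cookie layout described above in the Bernstein scheme: a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the four-tuple plus a secret, with no per-connection state kept between the SYN and the ACK. The secret, the MSS table and the addresses are constructed values for the demonstration.

```python
import hmac
import hashlib
import ipaddress

# Constructed demo values; a real implementation uses a kernel-generated secret.
SECRET = b"constructed-demo-secret"
MSS_TABLE = (536, 1024, 1220, 1440, 1460)   # MSS choices encoded in 3 bits of the cookie

def _hash24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash over source/destination address and port plus the time counter."""
    msg = (int(ipaddress.ip_address(saddr)).to_bytes(4, "big") + sport.to_bytes(2, "big")
           + int(ipaddress.ip_address(daddr)).to_bytes(4, "big") + dport.to_bytes(2, "big")
           + t.to_bytes(4, "big"))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, mss, now):
    """ISN to put in the SYN/ACK: [5-bit t, 64 s granularity][3-bit MSS index][24-bit hash]."""
    t = (now // 64) & 0x1F
    # Largest table entry not exceeding the MSS the client offered (index 0 if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t)

def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the handshake's final ACK using only the packet and the secret.
    Returns the negotiated MSS when the cookie is valid, None when stale or forged."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    cur = (now // 64) & 0x1F
    if t not in (cur, (cur - 1) & 0x1F):     # accept the current or previous 64 s slot only
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t):
        return None                          # hash mismatch: spoofed or corrupted ACK
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    now = 1_000_000
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.10", 80, 1460, now)
    print("legitimate ACK:", check_cookie("203.0.113.5", 40000, "198.51.100.10", 80, isn + 1, now))
    print("spoofed source:", check_cookie("192.0.2.99", 40000, "198.51.100.10", 80, isn + 1, now))
    print("stale ACK     :", check_cookie("203.0.113.5", 40000, "198.51.100.10", 80, isn + 1, now + 130))
```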
A tcp_max_syn_backlog variable defines how many half-open connections can be kept in the backlog queue. For instance, 256 is the total number of half-open connections handled in memory by Linux RedHat 7.3. The TCP/IP stack variables can be configured by sysctl or by standard Unix commands. The following example shows how to change the default size of the backlog queue with the sysctl command:
# sysctl -w net.ipv4.tcp_max_syn_backlog="2048"
A tcp_synack_retries variable is responsible for controlling the number of SYN/ACK retransmissions in the Linux operating system. Its default value is 5 on most Linux systems, which causes a half-open connection to be removed after 3 minutes. The table below gives the calculations for other values. The variable is set in the same way, for example:
# sysctl -w net.ipv4.tcp_synack_retries="3"
Value | Time of retransmission        | Total time to keep half-open connections in the backlog queue
1     | in 3rd second                 | 9 seconds
2     | in 3rd and 9th second         | 21 seconds
3     | in 3rd, 9th and 21st second   | 45 seconds