ÈÃLinuxϵͳ·ÀÖ¹syn¹¥»÷

ÐéÄâÖ÷»ú·þÎñÉÌÔÚÔËÓª¹ý³ÌÖпÉÄÜ»áÊܵ½ºÚ¿Í¹¥»÷£¬³£¼ûµÄ¹¥»÷·½Ê½ÓÐSYN£¬DDOSµÈ¡£Í¨¹ý¸ü»»IP£¬²éÕÒ±»¹¥»÷µÄÕ¾µã¿ÉÄܱܿª¹¥»÷£¬µ«ÊÇÖжϷþÎñµÄʱ¼ä±È½Ï³¤¡£±È½Ï³¹µ×µÄ½â¾ö·½·¨ÊÇÌíÖÃÓ²¼þ·À»ðǽ¡£²»¹ý£¬Ó²¼þ·À»ðǽ¼Û¸ñ±È½Ï°º¹ó¡£¿ÉÒÔ¿¼ÂÇÀûÓÃLinux ϵͳ±¾ÉíÌṩµÄ·À»ðǽ¹¦ÄÜÀ´·ÀÓù¡£
µÖÓùSYN SYN¹¥»÷ÊÇÀûÓÃTCP/IPЭÒé3´ÎÎÕÊÖµÄÔ­Àí£¬·¢ËÍ´óÁ¿µÄ½¨Á¢Á¬½ÓµÄÍøÂç°ü£¬µ«²»Êµ¼Ê½¨Á¢Á¬½Ó£¬×îÖÕµ¼Ö±»¹¥»÷·þÎñÆ÷µÄÍøÂç¶ÓÁб»Õ¼Âú£¬ÎÞ·¨±»Õý³£Óû§·ÃÎÊ¡£
LinuxÄÚºËÌṩÁËÈô¸ÉSYNÏà¹ØµÄÅäÖã¬ÓÃÃüÁ sysctl -a | grep syn ¿´µ½£º
net.ipv4.tcp_max_syn_backlog = 1024 net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5 net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlogÊÇSYN¶ÓÁеij¤¶È£¬tcp_syncookiesÊÇÒ»¸ö¿ª¹Ø£¬ÊÇ·ñ´ò¿ªSYN Cookie ¹¦ÄÜ£¬¸Ã¹¦ÄÜ¿ÉÒÔ·ÀÖ¹²¿·ÖSYN¹¥»÷¡£tcp_synack_retriesºÍtcp_syn_retries¶¨ÒåSYN µÄÖØÊÔ´ÎÊý¡£¼Ó´óSYN¶ÓÁг¤¶È¿ÉÒÔÈÝÄɸü¶àµÈ´ýÁ¬½ÓµÄÍøÂçÁ¬½ÓÊý£¬´ò¿ªSYN Cookie¹¦ÄÜ¿ÉÒÔ×èÖ¹²¿·Ö SYN¹¥»÷£¬½µµÍÖØÊÔ´ÎÊýÒ²ÓÐÒ»¶¨Ð§¹û¡£
µ÷ÕûÉÏÊöÉèÖõķ½·¨ÊÇ£º
Ôö¼ÓSYN¶ÓÁг¤¶Èµ½2048£º
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
´ò¿ªSYN COOKIE¹¦ÄÜ£º
sysctl -w net.ipv4.tcp_syncookies=1
½µµÍÖØÊÔ´ÎÊý£º
sysctl -w net.ipv4.tcp_synack_retries=3 sysctl -w net.ipv4.tcp_syn_retries=3
ΪÁËϵͳÖØÆô¶¯Ê±±£³ÖÉÏÊöÅäÖ㬿ɽ«ÉÏÊöÃüÁî¼ÓÈëµ½/etc/rc.d/rc.localÎļþÖС£
 
# vi /etc/sysctl.conf
 
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
 
·Àֹͬ²½°üºéË®£¨Sync Flood£©
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Ò²ÓÐÈËд×÷
#iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s ÏÞÖÆsyn²¢·¢ÊýÿÃë1´Î£¬¿ÉÒÔ¸ù¾Ý×Ô¼ºµÄÐèÒªÐÞ¸Ä
·ÀÖ¹¸÷Öֶ˿ÚɨÃè
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
PingºéË®¹¥»÷£¨Ping of Death£©
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCE