Suggestions for sysctl.conf settings to harden Linux against DDoS attacks?

A recent article from UNIXy made a suggestion for hardening Linux against DDoS attacks.

Example sysctl.conf

    net.ipv4.tcp_syncookies = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    kernel.pid_max = 65536
    net.ipv4.ip_local_port_range = 9000 65000

Any other suggestions for hardening Linux against DDoS attacks?

You can also turn down the read/write socket buffers, which reduces the amount of memory needed per inbound connection.

http://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php

You really have to test with your application and your hardware (yes, these settings can cause strange side effects depending on your NIC), because depending on your traffic you may lose more than you save.

You can also set the following.

    # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
    # of TCP functionality/features under normal conditions. When flood
    # protections kick in under high unanswered-SYN load, the system
    # should remain more stable, with a trade off of some loss of TCP
    # functionality/features (eg TCP Window scaling).
    net.ipv4.tcp_syncookies=1

    # Ignore source-routed packets
    net.ipv4.conf.all.accept_source_route=0
    net.ipv4.conf.default.accept_source_route=0

    # Ignore ICMP redirects from non-GW hosts
    net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.default.accept_redirects=0
    net.ipv4.conf.all.secure_redirects=1
    net.ipv4.conf.default.secure_redirects=1

    # Don't pass traffic between networks or act as a router
    net.ipv4.ip_forward=0
    net.ipv4.conf.all.send_redirects=0
    net.ipv4.conf.default.send_redirects=0

    # Turn on Source Address Verification in all interfaces to
    # prevent some spoofing attacks.
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1

    # Ignore ICMP broadcasts to avoid participating in Smurf attacks
    net.ipv4.icmp_echo_ignore_broadcasts=1

    # Ignore bad ICMP errors
    net.ipv4.icmp_ignore_bogus_error_responses=1

    # Log spoofed, source-routed, and redirect packets
    net.ipv4.conf.all.log_martians=1
    net.ipv4.conf.default.log_martians=1

    # RFC 1337 fix
    net.ipv4.tcp_rfc1337=1

    # Addresses of mmap base, heap, stack and VDSO page are randomized
    kernel.randomize_va_space=2

    # Reboot the machine soon after a kernel panic.
    kernel.panic=10
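Settings in sysctl.conf only help if they are actually in effect on the running kernel, so an audit step is worth having. The script below is an added example, not part of either answer or the UNIXy article: it parses a fragment in the sysctl.conf format shown above and reports every setting whose live value under /proc/sys differs. The embedded fragment is a constructed subset of the second answer's settings.

```python
"""Audit a sysctl.conf fragment against the running kernel (added example)."""
from pathlib import Path

# Constructed subset of the hardening fragment in the answer above.
RECOMMENDED = """
# Turn on SYN-flood protections.
net.ipv4.tcp_syncookies=1
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
; ICMP redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_rfc1337=1
kernel.randomize_va_space=2
kernel.panic=10
"""


def parse_sysctl_conf(text):
    """Parse 'key = value' lines; lines starting with '#' or ';' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Multi-value keys (e.g. ip_local_port_range) are compared with single spaces.
        settings[key] = " ".join(value.split())
    return settings


def read_running(keys, root="/proc/sys"):
    """Read each key's live value; dots in the key map to path components."""
    base = Path(root)
    current = {}
    for key in keys:
        try:
            current[key] = " ".join(base.joinpath(*key.split(".")).read_text().split())
        except OSError:
            current[key] = None  # key not present on this kernel
    return current


def find_drift(expected, current):
    """Return (key, wanted, running) for every setting that is not in effect."""
    return [(k, v, current.get(k)) for k, v in expected.items() if current.get(k) != v]


if __name__ == "__main__":
    wanted = parse_sysctl_conf(RECOMMENDED)
    for key, want, have in find_drift(wanted, read_running(wanted)):
        print(f"{key}: want {want}, running {have}")
```

Run it as root or any user (reading /proc/sys needs no privileges) after `sysctl -p` to confirm the fragment took effect; an empty report means no drift.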