This page is READ-ONLY. It is generated from the old site.
All timestamps are relative to 2013 (when this page is generated).
If you are looking for TeX support, please go to VietTUG.org

freebsd tuning: part 1

DOS
Added by about 3 years ago

{{{}}}

Ref.:
Local file: freebsd-ddos.html

  • net.inet.tcp.msl=7500: net.inet.tcp.msl defines the Maximum Segment Life. This is the maximum amount of time to wait for an ACK in reply to a SYN-ACK or FIN-ACK, in milliseconds. If an ACK is not received in this time, the segment can be considered "lost" and the network connection is freed. There are two implications for this. When you are trying to close a connection, if the final ACK is lost or delayed, the socket will still close, and more quickly. However if a client is trying to open a connection to you and their ACK is delayed more than 7500ms, the connection will not form. RFC 753 defines the MSL as 120 seconds (120000ms), however this was written in 1979 and timing issues have changed slightly since then. Today, FreeBSD's default is 30000ms. This is sufficient for most conditions, but for stronger DoS protection you will want to lower this to 7500, or maybe even less.
  • net.inet.tcp.blackhole=2: net.inet.tcp.blackhole defines what happens when a TCP packet is received on a closed port. When set to '1', SYN packets arriving on a closed port will be dropped without a RST packet being sent back. When set to '2', all packets arriving on a closed port are dropped without an RST being sent back. This saves both CPU time because packets don't need to be processed as much, and outbound bandwidth as packets are not sent out.
  • net.inet.udp.blackhole=1: net.inet.udp.blackhole is similar to net.inet.tcp.blackhole in its function. As the UDP protocol does not have states like TCP, there is only a need for one choice when it comes to dropping UDP packets. When net.inet.udp.blackhole is set to '1', all UDP packets arriving on a closed port will be dropped.
  • net.inet.icmp.icmplim=50: The name 'net.inet.icmp.icmplim' is somewhat misleading. This sysctl controls the maximum number of ICMP "Unreachable" and also TCP RST packets that will be sent back every second. It helps curb the effects of attacks which generate a lot of reply packets.
  • kern.ipc.somaxconn=32768: kern.ipc.somaxconn limits the maximum number of sockets that can be open at any one time. The default here is just 128. If an attacker can flood you with a sufficiently high number of SYN packets in a short enough period of time, all of your possible network connections will be used up, thus successfully denying your users access to the service.

Comments