In the Linux sysctl.conf configuration file you can set kernel parameters (they live under /proc/sys and are applied with sysctl -p); the entries below tune the network stack for performance and resistance to denial of service.
**
Change the range of local (ephemeral) ports used for outgoing connections
The default range starts at 32768
**
net.ipv4.ip_local_port_range
**
Change the length of the SYN queue
The default is 1024
This is the number of half-open connections (SYN received, handshake not yet completed) the kernel will hold while waiting for the client to finish connecting.
**
net.ipv4.tcp_max_syn_backlog
**
Disable IPv6:
**
First check whether IPv6 is enabled on the interfaces with ifconfig (route and netstat show it too, but ifconfig is enough).
After the two settings below are applied, netstat no longer lists any IPv6 sockets.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
**
Prevent amplification (smurf) attacks
**: the attacker sends a small amount of traffic with a spoofed source address to a reflector that answers with more traffic than it received (the reply is larger than the request, or one request draws many replies), so the victim is flooded and ends up in denial of service. For ICMP the reflector is a subnet broadcast address: every host on the subnet replies to the spoofed victim.
net.ipv4.icmp_echo_ignore_broadcasts = 1 makes the host ignore ICMP echo requests sent to broadcast addresses, so it cannot be used as an amplifier for this kind of attack.
**
Enable SYN cookies to resist SYN floods
How a SYN flood works and how cookies defeat it: normally each client SYN makes the server allocate a half-open connection entry and hold it until the handshake completes, so a flood of SYNs (usually from spoofed addresses) fills that queue and legitimate clients are refused. With SYN cookies the server stores nothing: it encodes the connection details into the sequence number it sends in the SYN+ACK, and when the client's final ACK arrives it recomputes that value, compares it with the acknowledged number, and only then creates the connection.
**
net.ipv4.tcp_syncookies = 1
**
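The handshake described above, as an added example that is not part of the original page or the kernel's code: a simplified model of the SYN cookie scheme behind net.ipv4.tcp_syncookies = 1. The cookie layout (an 8-bit counter in the top bits, a hashed MSS index in the low 24 bits) follows the classic design; MSS_TABLE, MAX_COUNT_AGE, the HMAC stand-in for the kernel's hash, and the constructed secret and addresses are assumptions.

```python
import hashlib
import hmac

# Added example, not the page's or the kernel's code: a simplified model of the
# SYN cookie scheme behind net.ipv4.tcp_syncookies = 1.  The cookie layout
# (8-bit counter in the top bits, hashed MSS index in the low 24 bits) follows
# the classic design; MSS_TABLE, MAX_COUNT_AGE and the HMAC stand-in for the
# kernel's hash are assumptions.
MSS_TABLE = [536, 1300, 1440, 1460]   # assumed; client MSS is rounded down to an entry
MAX_COUNT_AGE = 4                     # accept cookies at most this many counter ticks old
SECRET = b"constructed-demo-secret"   # constructed; the kernel uses a random per-boot secret
CLIENT = dict(saddr="203.0.113.7", daddr="198.51.100.1", sport=40001, dport=443)


def _h(secret, saddr, daddr, sport, dport, count):
    """32-bit keyed hash over the 4-tuple and a counter value."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss):
    """Largest table entry not above the client's MSS; only 2 bits of MSS survive."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN+ACK; nothing about the SYN is kept on the server."""
    count &= 0xFF
    h1 = _h(secret, saddr, daddr, sport, dport, 0)
    h2 = _h(secret, saddr, daddr, sport, dport, count)
    data = (h2 + mss_index(mss)) & 0xFFFFFF           # low 24 bits: hashed MSS index
    return (client_isn + h1 + (count << 24) + data) & 0xFFFFFFFF


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, cookie, now_count):
    """Recover the MSS from a returned cookie, or None if it is stale or not ours."""
    h1 = _h(secret, saddr, daddr, sport, dport, 0)
    diff = (cookie - client_isn - h1) & 0xFFFFFFFF
    count = diff >> 24                                 # top 8 bits: counter at SYN time
    if (now_count - count) & 0xFF > MAX_COUNT_AGE:
        return None                                    # too old, or forged counter
    h2 = _h(secret, saddr, daddr, sport, dport, count)
    idx = (diff - (count << 24) - h2) & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None                                    # hash mismatch: not a cookie we issued
    return MSS_TABLE[idx]


def server_synack(secret, syn, count):
    """SYN arrives under flood: answer with a cookie ISN, allocate no half-open state."""
    return make_cookie(secret, syn["saddr"], syn["daddr"], syn["sport"], syn["dport"],
                       syn["seq"], syn["mss"], count)


def server_ack(secret, ack, now_count):
    """Third packet: seq-1 is the client's ISN, ack-1 is the ISN (cookie) we sent."""
    return check_cookie(secret, ack["saddr"], ack["daddr"], ack["sport"], ack["dport"],
                        (ack["seq"] - 1) & 0xFFFFFFFF, (ack["ack"] - 1) & 0xFFFFFFFF,
                        now_count)


def simulate(mss=1460, syn_count=17, ack_count=18, ack_delta=0):
    """Run one handshake; ack_delta tampers with the ACK number to model a forged ACK."""
    syn = dict(CLIENT, seq=0x1234ABCD, mss=mss)
    isn = server_synack(SECRET, syn, syn_count)
    ack = dict(CLIENT, seq=(syn["seq"] + 1) & 0xFFFFFFFF,
               ack=(isn + 1 + ack_delta) & 0xFFFFFFFF)
    return server_ack(SECRET, ack, ack_count)


if __name__ == "__main__":
    print("valid handshake, MSS recovered:", simulate())
    print("client MSS 1400 rounds down to:", simulate(mss=1400))
    print("ACK arriving after the window:", simulate(ack_count=17 + MAX_COUNT_AGE + 1))
    print("ACK with a tampered counter:", simulate(ack_delta=0x10 << 24))
```

The point to take away is the trade-off the kernel also makes: the server keeps no per-SYN state, so a flood costs it only one hash per packet, but in exchange the cookie can carry only a coarse MSS and only a short validity window, which is why SYN cookies are a fallback for when the SYN queue overflows rather than the normal path.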
Enable reuse
Allow sockets in TIME-WAIT to be reused for new outgoing TCP connections; the default is 0 (disabled).
Requires tcp_timestamps to be enabled.
This addresses the case where a host that opens many short-lived connections runs out of its roughly 65535 ephemeral ports because they are all sitting in TIME_WAIT, which directly limits how many connections it can process.
**
net.ipv4.tcp_tw_reuse = 1
**
Enable fast recycling
Fast recycling of TCP connections in TIME-WAIT; the default is 0 (off). Caveat: this option was removed in Linux 4.12, and on older kernels it drops connections from clients behind NAT (several clients share one address but carry unrelated timestamps), so it is listed here for completeness and should not be enabled.
**
net.ipv4.tcp_tw_recycle = 1
**
Change the FIN timeout
How long a socket that has closed its side stays in FIN-WAIT-2 waiting for the peer's FIN before the kernel gives up on it; the default is 60 seconds. Lowering it frees the resources of orphaned half-closed connections sooner.
**
net.ipv4.tcp_fin_timeout
**
Change the keepalive send time
For long-lived connections, this is how long the connection must sit idle before the server sends the first keepalive probe to check whether the peer is still alive (default 7200 seconds).
**
net.ipv4.tcp_keepalive_time
**
Number of unanswered keepalive probes sent before the peer is declared dead (default 9)
Works together with tcp_keepalive_time
**
net.ipv4.tcp_keepalive_probes
**
Interval between successive keepalive probes (default 75 seconds)
tcp_keepalive_time plus tcp_keepalive_probes multiplied by this interval is the total time before an unresponsive peer is declared dead (7200 + 9 x 75 = 7875 seconds with the defaults)
**
net.ipv4.tcp_keepalive_intvl
**
Maximum number of TIME_WAIT sockets the system holds at the same time
Once the count reaches tcp_max_tw_buckets, any new socket entering TIME_WAIT is destroyed immediately and a warning is logged.
On machines with plenty of memory this value can reasonably be raised
**
net.ipv4.tcp_max_tw_buckets
**
Maximum number of connections for which the client's final ACK has not yet arrived
I.e. the maximum number of half-open connections (the same SYN queue parameter as above)
**
net.ipv4.tcp_max_syn_backlog
**
Number of packets processed in one network softirq round
It bounds the work done per softirq before it yields, rather than how many interrupts the NIC raises; raising it lets each round drain more packets under heavy receive load
**
net.core.netdev_budget
**
Maximum number of packets queued on the input side when an interface receives packets faster than the kernel can process them; packets beyond this backlog are dropped
**
net.core.netdev_max_backlog
**
Maximum length of the accept queue of a listening socket, i.e. the upper bound on the backlog passed to listen(); connections whose handshake has completed wait here until the application calls accept()
**
net.core.somaxconn
**
Number of times the server retransmits the SYN+ACK (the second handshake packet) before giving up on the connection
**
net.ipv4.tcp_synack_retries
**
Number of times the kernel retransmits a client's SYN (the first handshake packet) before giving up on establishing the connection
It therefore defines the maximum time a client waits for a response to its first SYN
**
net.ipv4.tcp_syn_retries
**
Maximum number of TCP sockets that are not attached to any user file handle (orphans)
Above this value orphaned connections are reset immediately and a warning is printed; the limit exists to counter a simple DoS attack, so it should not be lowered
**
net.ipv4.tcp_max_orphans
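Putting the settings above together, as an added example that is not part of the original page: a checker for a sysctl.conf fragment built from these tunables. It parses the file format, flags values outside sanity bounds, catches the two combinations discussed above (tcp_tw_recycle, and tcp_tw_reuse without tcp_timestamps), computes the keepalive dead-peer time, and compares the fragment with the running kernel's values under /proc/sys. SAMPLE_CONF is a constructed fragment that deliberately contains those two mistakes, and BOUNDS are this script's own sanity limits, not the kernel's exact limits.

```python
from pathlib import Path

# Added example, not part of the original page.  BOUNDS are this script's
# sanity limits (assumed), not the kernel's exact limits; SAMPLE_CONF is a
# constructed fragment with two settings a reviewer should catch.
SAMPLE_CONF = """\
# constructed sample fragment
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
; tcp_tw_recycle was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 200000
net.core.netdev_budget = 600
net.core.netdev_max_backlog = 5000
net.core.somaxconn = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_max_orphans = 65536
"""

FLAGS = ("net.ipv6.conf.all.disable_ipv6", "net.ipv6.conf.default.disable_ipv6",
         "net.ipv4.icmp_echo_ignore_broadcasts", "net.ipv4.tcp_tw_recycle")
BOUNDS = {key: (0, 1) for key in FLAGS}
BOUNDS.update({
    "net.ipv4.tcp_syncookies": (0, 2), "net.ipv4.tcp_tw_reuse": (0, 2),
    "net.ipv4.tcp_timestamps": (0, 2), "net.ipv4.tcp_max_syn_backlog": (128, 1 << 20),
    "net.ipv4.tcp_fin_timeout": (1, 600), "net.ipv4.tcp_keepalive_time": (1, 86400),
    "net.ipv4.tcp_keepalive_probes": (1, 127), "net.ipv4.tcp_keepalive_intvl": (1, 32767),
    "net.ipv4.tcp_max_tw_buckets": (0, 1 << 24), "net.core.netdev_budget": (1, 1 << 16),
    "net.core.netdev_max_backlog": (1, 1 << 24), "net.core.somaxconn": (1, 0xFFFFFFFF),
    "net.ipv4.tcp_synack_retries": (0, 255), "net.ipv4.tcp_syn_retries": (1, 127),
    "net.ipv4.tcp_max_orphans": (0, 1 << 24),
})
PORT_RANGE = "net.ipv4.ip_local_port_range"


def parse_sysctl(text):
    """Parse 'key = value' lines; lines starting with '#' or ';' are comments, '/' and '.' both separate keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value
    return settings


def lint(settings):
    """Return a list of findings; an empty list means the fragment passed every check."""
    findings = []
    for key, value in settings.items():
        if key == PORT_RANGE:
            parts = value.split()
            if not (len(parts) == 2 and all(p.isdigit() for p in parts)
                    and 1024 <= int(parts[0]) < int(parts[1]) <= 65535):
                findings.append(f"{key}: expected two ports 'low high' within 1024..65535")
        elif key not in BOUNDS:
            findings.append(f"{key}: not a tunable this checker knows")
        elif not value.isdigit():
            findings.append(f"{key}: value {value!r} is not an integer")
        elif not BOUNDS[key][0] <= int(value) <= BOUNDS[key][1]:
            findings.append(f"{key}: {value} outside sanity bounds {BOUNDS[key]}")
    if "net.ipv4.tcp_tw_recycle" in settings:
        findings.append("net.ipv4.tcp_tw_recycle: removed in Linux 4.12 and breaks clients "
                        "behind NAT on older kernels; drop it")
    if settings.get("net.ipv4.tcp_tw_reuse") == "1" and settings.get("net.ipv4.tcp_timestamps") == "0":
        findings.append("net.ipv4.tcp_tw_reuse=1 needs net.ipv4.tcp_timestamps=1 to take effect")
    for key in ("net.ipv4.tcp_syncookies", "net.ipv4.icmp_echo_ignore_broadcasts"):
        if settings.get(key) == "0":
            findings.append(f"{key}=0 leaves the host open to SYN floods / smurf amplification")
    return findings


def keepalive_dead_time(settings):
    """Seconds before an unresponsive idle peer is declared dead (kernel defaults if unset)."""
    idle = int(settings.get("net.ipv4.tcp_keepalive_time", 7200))
    probes = int(settings.get("net.ipv4.tcp_keepalive_probes", 9))
    intvl = int(settings.get("net.ipv4.tcp_keepalive_intvl", 75))
    return idle + probes * intvl


def live_values(settings, root="/proc/sys"):
    """Map each configured key to (configured, live) read from /proc/sys; live is None if absent."""
    result = {}
    for key, value in settings.items():
        path = Path(root, *key.split("."))
        live = " ".join(path.read_text().split()) if path.is_file() else None
        result[key] = (value, live)
    return result


if __name__ == "__main__":
    conf = parse_sysctl(SAMPLE_CONF)
    for finding in lint(conf):
        print("FINDING:", finding)
    print("idle peer declared dead after", keepalive_dead_time(conf), "seconds")
    for key, (wanted, live) in live_values(conf).items():
        if live != wanted:
            print(f"{key}: configured {wanted}, running kernel has {live}")
```

Run it before copying a fragment into /etc/sysctl.conf: the findings come from the fragment alone, while the last loop shows which values the running kernel still differs on (None means the key does not exist on this kernel, which is what you see for tcp_tw_recycle on 4.12 and later).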