Linux performance tuning: how can we alleviate the situation in the face of DDoS attacks?
2022-07-27 06:34:00 【Little candy man】
1. Look at the symptom, for example connections timing out on access
# --connect-timeout sets the connection timeout in seconds
# -w sets the output format printed after completion
$ curl -w 'Http code: %{http_code}\nTotal time:%{time_total}s\n' -o /dev/null --connect-timeout 10 http://192.168.0.30
...
Http code: 000
Total time:10.001s
curl: (28) Connection timed out after 10000 milliseconds

2. Check the network
# -n DEV reports network interface statistics
# 1 is the sampling interval in seconds
$ sar -n DEV 1
08:55:49 IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s %ifutil
08:55:50 docker0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
08:55:50 eth0 22274.00 629.00 1174.64 37.78 0.00 0.00 0.00 0.02
08:55:50 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

3. Capture packets with tcpdump
# -i eth0 capture only on the eth0 interface; -n do not resolve host names or port names
# tcp port 80 capture only TCP frames whose port number is 80
$ tcpdump -i eth0 -n tcp port 80
09:15:48.287047 IP 192.168.0.2.27095 > 192.168.0.30: Flags [S], seq 1288268370, win 512, length 0
09:15:48.287050 IP 192.168.0.2.27131 > 192.168.0.30: Flags [S], seq 2084255254, win 512, length 0
09:15:48.287052 IP 192.168.0.2.27116 > 192.168.0.30: Flags [S], seq 677393791, win 512, length 0
09:15:48.287055 IP 192.168.0.2.27141 > 192.168.0.30: Flags [S], seq 1276451587, win 512, length 0
09:15:48.287068 IP 192.168.0.2.27154 > 192.168.0.30: Flags [S], seq 1851495339, win 512, length 0
...

4. Check TCP connection states with netstat
# -n do not resolve names; -p show the process that owns the connection
$ netstat -n -p | grep SYN_REC
tcp 0 0 192.168.0.30:80 192.168.0.2:12503 SYN_RECV -
tcp 0 0 192.168.0.30:80 192.168.0.2:13502 SYN_RECV -
tcp 0 0 192.168.0.30:80 192.168.0.2:15256 SYN_RECV -
tcp 0 0 192.168.0.30:80 192.168.0.2:18117 SYN_RECV -
...

5. Count the TCP connections in SYN_RECV state
$ netstat -n -p | grep SYN_REC | wc -l
193

6. Once the source of the attack is found, block it with a firewall rule (mitigation approach 1)
$ iptables -I INPUT -s 192.168.0.2 -p tcp -j REJECT

7. Limit the rate of TCP SYN packets (mitigation approach 2)
# Limit SYN packets to 1 per second (only effective together with a following rule
# that drops the SYNs this rule does not accept)
$ iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
$ iptables -A INPUT -p tcp --syn -j DROP
# Limit a single IP to 10 new connections per 60 seconds (the --update rule only
# matches addresses already in the SYN_FLOOD list, so a --set rule is inserted first
# and the REJECT rule is then inserted above it)
$ iptables -I INPUT -p tcp --dport 80 --syn -m recent --name SYN_FLOOD --set
$ iptables -I INPUT -p tcp --dport 80 --syn -m recent --name SYN_FLOOD --update --seconds 60 --hitcount 10 -j REJECT

8. Because the target host never receives the acknowledgement from the source host, half-open connections linger until they time out and legitimate clients cannot connect, so increase the number of half-open connections allowed; the default is 256 (mitigation approach 3)
$ sysctl -w net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_max_syn_backlog = 1024

9. Because the target host never receives the ACK from the source host and the handshake times out, the kernel also retransmits the SYN+ACK automatically; the default is 5 retries, reduce it to 1 (mitigation approach 4)
$ sysctl -w net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_synack_retries = 1

10. TCP SYN cookies are another defence aimed specifically at SYN flood attacks. With SYN cookies enabled the kernel no longer needs to keep half-open connection state, so there is no longer a limit on the number of half-open connections. Note that once tcp_syncookies is on, the kernel setting net.ipv4.tcp_max_syn_backlog no longer takes effect (mitigation approach 5)
10.1 Enable temporarily
$ sysctl -w net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies = 1

10.2 To make the configuration persistent, also write these settings into /etc/sysctl.conf; after running sysctl -p they take effect immediately without a reboot.
$ cat /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_max_syn_backlog = 1024
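Example added to this post (not the author's code): a small SYN-flood triage helper covering two of the steps above. It aggregates the SYN_RECV entries of netstat -n -p output per remote address, which is what the netstat and wc -l steps do by hand, and it compares sysctl key = value lines with the three kernel settings recommended at the end of the post. All input is constructed inline so the script runs offline; the function names, the suspect threshold and the sample addresses are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): SYN-flood triage helper.
# (a) aggregates SYN_RECV entries from `netstat -n -p` output per remote
#     address, the figure the post obtains with grep and wc;
# (b) compares "key = value" sysctl lines with the three settings the post
#     recommends (tcp_syncookies=1, tcp_synack_retries=1,
#     tcp_max_syn_backlog=1024).
# All input below is constructed so the script runs offline; function names,
# the suspect threshold and the sample addresses are assumptions.

# Constructed sample in `netstat -n -p` format. 192.168.0.2 plays the flood
# source from the post; 192.168.0.7 and 192.168.0.9 are ordinary clients.
SAMPLE_NETSTAT='tcp        0      0 192.168.0.30:80         192.168.0.2:12503       SYN_RECV    -
tcp        0      0 192.168.0.30:80         192.168.0.2:13502       SYN_RECV    -
tcp        0      0 192.168.0.30:80         192.168.0.7:40122       SYN_RECV    -
tcp        0      0 192.168.0.30:80         192.168.0.2:15256       SYN_RECV    -
tcp        0      0 192.168.0.30:80         192.168.0.9:51000       ESTABLISHED 1234/nginx
tcp        0      0 192.168.0.30:80         192.168.0.2:18117       SYN_RECV    -'

# Constructed `sysctl` output showing the defaults the post mentions.
SAMPLE_SYSCTL_DEFAULT='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_max_syn_backlog = 256'

# Read netstat lines on stdin; print "count address" for each remote address
# in SYN_RECV, busiest first. Column 5 is the foreign address; its port is
# stripped so the many source ports of one flooding host count together.
syn_recv_by_source() {
    awk '$1 ~ /^tcp6?$/ && $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)
            count[addr]++
         }
         END { for (a in count) print count[a], a }' | sort -rn
}

# Print the addresses holding more than $1 half-open connections. These are
# candidates for the per-source REJECT rule in the post, for an operator to
# confirm before blocking (a NAT gateway can look like a flood source).
syn_flood_suspects() {
    syn_recv_by_source | awk -v t="$1" '$1 + 0 > t + 0 { print $2 }'
}

# Read "key = value" lines on stdin (sysctl output or /etc/sysctl.conf) and
# print "key current recommended" for each of the three settings weaker than
# the post's recommendation; prints nothing when all three comply.
check_syn_sysctl() {
    awk -F'[ ]*=[ ]*' '
        /^[ \t]*#/ || NF < 2 { next }
        { v[$1] = $2 }
        END {
            if (v["net.ipv4.tcp_syncookies"] + 0 != 1)
                print "net.ipv4.tcp_syncookies", v["net.ipv4.tcp_syncookies"] + 0, 1
            if (v["net.ipv4.tcp_synack_retries"] + 0 > 1)
                print "net.ipv4.tcp_synack_retries", v["net.ipv4.tcp_synack_retries"] + 0, 1
            if (v["net.ipv4.tcp_max_syn_backlog"] + 0 < 1024)
                print "net.ipv4.tcp_max_syn_backlog", v["net.ipv4.tcp_max_syn_backlog"] + 0, 1024
        }'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_source
printf 'suspects (>2 half-open): %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_flood_suspects 2)"
printf '%s\n' "$SAMPLE_SYSCTL_DEFAULT" | check_syn_sysctl
```

On a live host, pipe netstat -n -p into syn_recv_by_source, and the output of sysctl for the three keys (or the contents of /etc/sysctl.conf) into check_syn_sysctl. A source that dominates the SYN_RECV count is the candidate for the per-address REJECT rule in the post; the check reports which of the three kernel settings still sit at a value weaker than the post recommends.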