Linux 如何停止 SYN_SENT?

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/11729517/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-06 13:58:15  来源:igfitidea点击:

How to stop SYN_SENT?

linuxdedicated-server

提问by EGN

Running netstatis showing hundreds of this line, even after rebooting the server — it starts sending again, causing many connections to that IP.

netstat即使在重新启动服务器之后,运行也会显示数百条此行——它再次开始发送,导致与该 IP 的许多连接。

tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT
tcp        0      1 server1700.skdedicate:36283 154.45.206.59:https   SYN_SENT

I stopped all scripts, but it still keeps trying.

我停止了所有脚本,但它仍在继续尝试。

I know this means the IP is not responding to SYN_SENTbut how can I stop those SYN_SENT? Or what is the best solution to this?

我知道这意味着 IP 没有响应,SYN_SENT但我该如何阻止这些SYN_SENT?或者对此的最佳解决方案是什么?

Thanks.

谢谢。

采纳答案by EGN

This question seems to be getting many views but yet no answer, so I decided to answer my own question for anyone looking for a solution.

这个问题似乎得到了很多观点,但还没有答案,所以我决定为任何寻求解决方案的人回答我自己的问题。

First thing first, knowing the reason is half of the solution. I was under what is called SYN Flooding Attack which uses HTTP protocol behavior against itself

首先,知道原因是解决方案的一半。我受到所谓的 SYN Flooding Attack 攻击,它使用 HTTP 协议行为针对自身

The short of it is, remote client tries to establish a connection with your server by sending SYN, your server replies with SYN_ACK (in your logs you will see SYN_SENT) and will wait until it receives ACK. If ACK is not received within xx seconds, your server will send SYN_ACK again, .... and again.... and again. It will eventually reach the configured threshold and stop accepting any more SYN request making your server unresponsive. One of the symptoms which happened to me was that my website was responding once like nothing is wrong but not responding in the next xx times.

简而言之,远程客户端尝试通过发送 SYN 与您的服务器建立连接,您的服务器回复 SYN_ACK(在您的日志中,您将看到 SYN_SENT)并等待它收到 ACK。如果在 xx 秒内没有收到 ACK,您的服务器将再次发送 SYN_ACK,......一次又一次......一次又一次。它最终将达到配置的阈值并停止接受任何更多 SYN 请求,从而使您的服务器无响应。发生在我身上的症状之一是,我的网站曾经响应过一次,好像没有任何问题,但在接下来的 xx 次中没有响应。

HTTP Protocol SYN

HTTP 协议 SYN

The solution that worked for me was enabling SYN cookies, SSH into your server, open the following file using your favorite editor. I'm using vi in this example

对我有用的解决方案是启用 SYN cookie、SSH 到您的服务器,使用您喜欢的编辑器打开以下文件。我在这个例子中使用 vi

vi /etc/sysctl.conf

And add these lines to the file, then restart your server. Hopefully this will stop the attack as it did for me

并将这些行添加到文件中,然后重新启动服务器。希望这会像对我一样停止攻击

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3

I was using CentOS, I think the above solution will work on all distributions but in case it didn't search for "How to stop SYN Flooding Attack" for your linux distribution

我使用的是 CentOS,我认为上述解决方案适用于所有发行版,但如果它没有为您的 Linux 发行版搜索“如何停止 SYN Flooding 攻击”

On a side note, blocking the IPs initiating the SYN requests will probably not help because most likely the attacker has spoofed the IPs

附带说明一下,阻止发起 SYN 请求的 IP 可能无济于事,因为攻击者很可能已经欺骗了 IP