Sharing my little secret

Discussion in 'Community Organization' started by ImportPassion.com, Oct 31, 2004.

  1. ImportPassion.com

    ImportPassion.com CEO ImportPassion.com

    108
    106
    +0
    OK, I got this from someone, and it brought my load down from the teens to under 2 99% of the time.

    Now, I have a dedicated Linux box running dual Xeons and 2GB RAM. If you don't have SSH access, you can pretty much forget about trying this.

    Make backups of anything and everything before trying this. I can't be held responsible for anything you mess up. Proceed with caution.

    Open /etc/sysctl.conf and replace what is in there with this:

    Code:
    # Kernel sysctl configuration file for Red Hat Linux
    
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0
    
    # Controls source route verification
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    
    # Disables IP source routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.lo.accept_source_route = 0
    net.ipv4.conf.eth0.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    
    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0
    
    # Controls whether core dumps will append the PID to the core filename.
    # Useful for debugging multi-threaded applications.
    kernel.core_uses_pid = 1
    
    # Increase maximum amount of memory allocated to shm
    # kernel.shmmax = 1073741824
    
    # Disable ICMP Redirect Acceptance
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    
    # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.lo.log_martians = 1
    net.ipv4.conf.eth0.log_martians = 1
    
    # Decrease the time default value for tcp_fin_timeout connection
    net.ipv4.tcp_fin_timeout = 30
    
    # Decrease the time default value for tcp_keepalive_time connection
    net.ipv4.tcp_keepalive_time = 1800
    
    # Turn on the tcp_window_scaling
    net.ipv4.tcp_window_scaling = 1
    
    # Turn on the tcp_sack
    net.ipv4.tcp_sack = 1
    
    # tcp_fack should be on because of sack
    net.ipv4.tcp_fack = 1
    
    # Turn on the tcp_timestamps
    net.ipv4.tcp_timestamps = 1
    
    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    
    # Enable ignoring broadcasts request
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    
    # Enable bad error message Protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    
    # Make more local ports available
    # net.ipv4.ip_local_port_range = 1024 65000
    
    # Set TCP Re-Ordering value in kernel to '5'
    net.ipv4.tcp_reordering = 5
    
    # Set SYN ACK retry attempts to '3'
    net.ipv4.tcp_synack_retries = 3
    
    # Various Settings
    net.core.netdev_max_backlog = 1024
    
    # Increase the maximum number of skb-heads to be cached
    net.core.hot_list_length = 256
    
    # Increase the tcp-time-wait buckets pool size
    net.ipv4.tcp_max_tw_buckets = 360000
    
    # This will increase the amount of memory available for socket input/output queues
    net.core.rmem_default = 65535
    net.core.rmem_max = 8388608
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.core.wmem_default = 65535
    net.core.wmem_max = 8388608
    net.ipv4.tcp_wmem = 4096 65535 8388608
    net.ipv4.tcp_mem = 8388608 8388608 8388608
    net.core.optmem_max = 40960
    
    After you make the changes, to make them effective without rebooting, simply run the following commands:

    /sbin/sysctl -p
    /sbin/sysctl -w net.ipv4.route.flush=1

    Don't ask me what all this does, 'cause I really don't know. All I know is it was my miracle cure for high loads.

    YMMV

    Would love to know if this works for others.

    Derek :dizzy:
     
  2. Nexopia

    Nexopia Enthusiast

    214
    0
    +1
    Which kernel are you running? "uname -a" should tell you. That config changes a lot of the kernel network options.
     
  3. ImportPassion.com

    ImportPassion.com CEO ImportPassion.com

    108
    106
    +0
    Here you go

    2.4.21-9.0.1.ELsmp
     
  4. Kentaurus

    Kentaurus Adherent

    359
    145
    +17
    Maybe checking what your defaults were before would be useful... From what I see...

    You are changing the memory used; that should be a nice optimization of memory vs. CPU.
    Also, I see ICMP redirects being disabled. Besides echo request and echo response, the rest of ICMP isn't really convenient, so that would be a good idea; you might want to disable all the rest of ICMP also.

    I wouldn't do anything to my server without knowing exactly what I was doing :)
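    Kentaurus's point above in script form, as an added example that is not code from this thread: record what the running kernel has for every key the proposed file touches, and show what would actually change, before running sysctl -p. Function names are hypothetical, and the "before" snapshot written by write_samples is constructed for illustration; on a real box capture it with /sbin/sysctl -a. The classification into "hardening" and "tuning" is an added grouping of the keys the thread's file contains, not something the kernel defines.

```shell
#!/bin/sh
# Added example (not from the thread): diff a proposed sysctl.conf against a
# baseline snapshot of the running kernel before applying it.
# Hypothetical helper names; the sample files below are constructed, not captured.

# Normalise sysctl.conf / `sysctl -a` style input to "key value" lines:
# drop comments and blank lines, accept both "key=value" and "key = value".
normalize_conf() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ /' \
        -e 's/[[:space:]][[:space:]]*/ /g' -e 's/[[:space:]]*$//'
}

# Added grouping: keys in the thread's file that change the host's attack
# surface vs. keys that only change performance behaviour.
classify() {
    case "$1" in
        *rp_filter|*accept_source_route|*accept_redirects|*log_martians|\
        net.ipv4.tcp_syncookies|net.ipv4.icmp_*|kernel.sysrq) echo hardening ;;
        *) echo tuning ;;
    esac
}

# diff_against_baseline PROPOSED_FILE BASELINE_FILE
# One line per proposed key: "CHANGE|SAME|UNKNOWN class key current -> proposed".
# UNKNOWN means the baseline has no such key; sysctl -p will complain about it.
diff_against_baseline() {
    proposed=$(normalize_conf < "$1")
    baseline=$(normalize_conf < "$2")
    printf '%s\n' "$proposed" | while read -r key value; do
        current=$(printf '%s\n' "$baseline" \
            | awk -v k="$key" '$1==k {$1=""; sub(/^ /,""); print; exit}')
        cls=$(classify "$key")
        if [ -z "$current" ]; then
            printf 'UNKNOWN %s %s (not in baseline) -> %s\n' "$cls" "$key" "$value"
        elif [ "$current" = "$value" ]; then
            printf 'SAME %s %s %s\n' "$cls" "$key" "$value"
        else
            printf 'CHANGE %s %s %s -> %s\n' "$cls" "$key" "$current" "$value"
        fi
    done
}

# write_samples PROPOSED_FILE BASELINE_FILE
# Constructed inputs: a subset of the thread's file, and an invented "before"
# snapshot (real defaults depend on the kernel; capture yours with sysctl -a).
write_samples() {
    cat > "$1" <<'EOF'
# proposed (subset of the thread's file)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_rmem = 4096 87380 8388608
net.core.hot_list_length = 256
EOF
    cat > "$2" <<'EOF'
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_rmem = 4096 87380 174760
EOF
}

# Stand-alone run: write the constructed samples to a scratch directory and report.
run_demo() {
    dir=$(mktemp -d)
    write_samples "$dir/proposed.conf" "$dir/before.txt"
    diff_against_baseline "$dir/proposed.conf" "$dir/before.txt"
    rm -rf "$dir"
}
run_demo
```

Keep the baseline file: it is the thing you restore from if a change misbehaves, and the UNKNOWN lines tell you up front which keys the kernel you listed with uname -a does not have.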
     
  5. Nexopia

    Nexopia Enthusiast

    214
    0
    +1
    OK, after checking a lot of these values in a couple of places
    http://www.netadmintools.com/html/7tcp.man.html
    http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
    and a couple others off google, I ended up using

    Code:
    net.ipv4.ip_forward=0
    kernel.sysrq=0
    kernel.core_uses_pid=1
    kernel.shmmax = 134217728
    
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.lo.accept_source_route = 0
    net.ipv4.conf.eth0.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    
    net.ipv4.tcp_fin_timeout = 20
    net.ipv4.tcp_keepalive_time = 1800
    net.ipv4.tcp_sack = 1
    net.ipv4.tcp_fack = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    net.ipv4.ip_local_port_range = 16384 65536
    
    net.core.netdev_max_backlog = 512
    
    net.core.rmem_default = 65535
    net.core.rmem_max = 8388608
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.core.wmem_default = 65535
    net.core.wmem_max = 8388608
    net.ipv4.tcp_wmem = 4096 65535 8388608
    net.ipv4.tcp_mem = 8388608 8388608 8388608
    net.core.optmem_max = 40960
    
    I found some other settings recommending different values for the memory usages, some as high as 25mb (this sets it to ~8), and heard of some troubles with them. This seems like a fairly good compromise.

    I was hit with a huge (650mbit) DDoS last weekend, and obviously didn't survive, but I've been under a 5mbit syn flood for the past few days. Enabling syncookies instantly dropped the load averages. Despite still being under attack, the site is as responsive as ever.
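    A way to see the symptom Nexopia describes before and after turning on syncookies, as an added example that is not code from this thread: a SYN flood shows up as a pile of half-open connections in SYN_RECV, so counting them per local port (and per distinct peer, which separates one noisy client from a spoofed flood) gives a number you can watch or alert on. The netstat lines below are constructed, and the function names are hypothetical; on a real box pipe in the output of netstat -tan.

```shell
#!/bin/sh
# Added example (not from the thread): triage half-open TCP connections from
# `netstat -tan`-style output and check that SYN cookies are on.
# Hypothetical function names; SAMPLE_NETSTAT is constructed, not captured.

# syn_recv_summary: reads netstat -tan output on stdin, prints one line per
# local port with SYN_RECV entries: "port total distinct_peers", busiest first.
syn_recv_summary() {
    awk '$1=="tcp" && $6=="SYN_RECV" {
            port = $4; sub(/.*:/, "", port)        # local port
            peer = $5; sub(/:[0-9]*$/, "", peer)   # peer address without port
            total[port]++
            if (!((port, peer) in seen)) { seen[port, peer] = 1; peers[port]++ }
         }
         END { for (p in total) printf "%s %d %d\n", p, total[p], peers[p] }' \
    | sort -k2,2nr
}

# flag_syn_backlog [THRESHOLD]: reads syn_recv_summary output, prints
# "ALERT port total peers" for ports above THRESHOLD (default 64) and exits 1
# when any port is flagged, so it can gate a cron notification.
flag_syn_backlog() {
    awk -v t="${1:-64}" '$2 > t { print "ALERT", $1, $2, $3; hit = 1 }
                         END { exit hit ? 1 : 0 }'
}

# syncookies_enabled [FILE]: true when the kernel knob reads 1.
# FILE defaults to the live /proc entry; the test passes a scratch file.
syncookies_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/tcp_syncookies}" 2>/dev/null)" = 1 ]
}

# Constructed sample of `netstat -tan`: six half-open connections to port 80
# from five peers (198.51.100.7 appears twice), one to port 22.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:40122      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40123      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51000       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:51001      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.11:51002      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.12:51003      SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.33:55000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.34:55001        SYN_RECV'

# Stand-alone run against the constructed sample with a deliberately low threshold.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_summary | flag_syn_backlog 5 \
    || echo "(half-open connections exceed the threshold)"
if syncookies_enabled; then echo "tcp_syncookies: on"; else echo "tcp_syncookies: off or unknown"; fi
```

The threshold is the only tunable; pick it from the per-port numbers this prints on a quiet day, the same "know your defaults first" idea as for the sysctl values.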
     
  6. DChapman

    DChapman Devotee

    2,878
    730
    +13
    650mbit? Good grief. How were you able to have that measured? It must have saturated your host's backbone.

    I've (knock on wood) only been hit with one bad DDoS so far. We were null routed for a while because of that one.
     
  7. Nexopia

    Nexopia Enthusiast

    214
    0
    +1
    My host is sagonet. They have somewhere in the range of 10gbit worth of connections. They certainly weren't impressed with the attack, as it represented a large portion of their connection. They null routed my IP for 24h each time (I was hit twice).
     