Mitigating SYN Floods and Tuning sysctl.conf for High Network Throughput

In a high-traffic environment on your Hovixa VPS, the default Linux networking stack can become a bottleneck or a security vulnerability. A SYN Flood is a common Denial of Service (DoS) attack that exploits the TCP three-way handshake by leaving connections in a "half-open" state, eventually exhausting the server's connection queue. By tuning sysctl.conf, we can implement SYN Cookies and optimize kernel parameters to maintain high throughput even under stress.

1. Understanding the TCP Three-Way Handshake

To mitigate attacks, you must understand the process: the client sends SYN, the server responds with SYN-ACK and records the half-open connection in its SYN backlog, and the client completes the handshake with ACK. During a flood, the attacker sends SYNs but never the final ACK, so half-open entries accumulate until the backlog is full and legitimate connection attempts are dropped.

2. Mitigating SYN Floods with SYN Cookies

The most effective defense is enabling TCP SYN Cookies. When the backlog queue fills up, the server stops queueing half-open connections and instead encodes a "cookie" in the initial sequence number of its SYN-ACK. It only allocates connection state if the client returns an ACK whose acknowledgement number contains that valid cookie.

# Enable SYN Cookies to prevent SYN flood exhaustion
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

3. Tuning sysctl.conf for High Throughput

For applications handling thousands of concurrent connections (like a busy Nginx reverse proxy), increasing the buffer sizes and connection limits is essential to prevent packet drops and latency spikes.

| Parameter | Suggested Value | Technical Reason |
|---|---|---|
| `net.core.somaxconn` | `4096` | Increases the maximum accept-queue length (listen backlog) per listening socket. |
| `net.ipv4.tcp_rmem` | `4096 87380 16777216` | Tunes TCP receive buffers (min, default, max). |
| `net.ipv4.tcp_wmem` | `4096 65536 16777216` | Tunes TCP send buffers (min, default, max). |
| `net.ipv4.tcp_tw_reuse` | `1` | Allows reusing sockets in TIME_WAIT state for new outgoing connections. |
| `net.core.netdev_max_backlog` | `5000` | Increases the number of packets the kernel can buffer on the receive side before the network stack processes them. |

4. Implementing Changes Permanently

To apply these settings to your Hovixa VPS, you must add them to the /etc/sysctl.conf file and reload the configuration.

# 1. Edit the configuration
sudo nano /etc/sysctl.conf

# 2. Add the parameters (e.g., net.ipv4.tcp_syncookies = 1)

# 3. Apply the changes immediately
sudo sysctl -p
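The following script is an added example, not part of the Hovixa article: it renders the values recommended above into sysctl.conf syntax and audits a running kernel against them by reading the corresponding files under /proc/sys, so you can confirm that `sysctl -p` actually took effect (or spot drift after a reboot). The function names, the optional root-directory argument (which lets the audit run against a test tree) and the drop-in file name in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Hovixa article. Renders the article's recommended
# settings and audits the kernel's current values against them.

# Desired settings, one "key value..." per line (values taken from the article).
DESIRED='net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 2048
net.ipv4.tcp_synack_retries 2
net.core.somaxconn 4096
net.ipv4.tcp_rmem 4096 87380 16777216
net.ipv4.tcp_wmem 4096 65536 16777216
net.ipv4.tcp_tw_reuse 1
net.core.netdev_max_backlog 5000
net.ipv4.tcp_window_scaling 1
net.ipv4.ip_local_port_range 1024 65535
net.ipv4.conf.all.accept_redirects 0'

# Print the settings in sysctl.conf syntax ("key = value"), one per line.
render_sysctl_conf() {
    printf '%s\n' "$DESIRED" |
        awk '{ key = $1; $1 = ""; sub(/^ /, ""); print key " = " $0 }'
}

# Compare each desired value with the kernel's current value. The key
# net.ipv4.tcp_syncookies maps to $root/net/ipv4/tcp_syncookies; $root is an
# assumed parameter that defaults to /proc/sys. Multi-value keys (tcp_rmem,
# ip_local_port_range) are tab-separated in /proc, so whitespace is
# normalised before comparing. Prints OK / DRIFT / MISSING per key and
# returns the number of keys that are not OK (0 means fully compliant).
audit_sysctl() {
    root="${1:-/proc/sys}"
    drift=0
    while read -r key want; do
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key (not exposed by this kernel)"
            drift=$((drift + 1))
            continue
        fi
        # Reassigning $1 makes awk rebuild the line with single spaces.
        have=$(awk '{ $1 = $1; print }' "$path")
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DRIFT   $key = $have (want $want)"
            drift=$((drift + 1))
        fi
    done <<EOF
$DESIRED
EOF
    return "$drift"
}

# Command-line use: "--render" prints the config, "--audit" checks the live kernel.
case "${1:-}" in
    --render) render_sysctl_conf ;;
    --audit)  audit_sysctl ;;
esac
```

Typical use is `sh tune-check.sh --render | sudo tee /etc/sysctl.d/99-tuning.conf` (file name assumed) followed by `sudo sysctl --system`, then `sh tune-check.sh --audit` whose non-zero exit status makes it easy to wire into a cron job or configuration-management check.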

5. Technical Implementation Details

  • TCP Window Scaling: Ensure net.ipv4.tcp_window_scaling = 1 is enabled. This allows the TCP window to grow beyond 64KB, which is crucial for high-bandwidth networks over long distances.
  • Ephemeral Ports: If your server makes many outgoing connections (e.g., a proxy to many backends), you may run out of ports. Increase the range with: net.ipv4.ip_local_port_range = 1024 65535.
  • ICMP Redirects: For better security, disable ICMP redirects to prevent an attacker from altering your server's routing table: net.ipv4.conf.all.accept_redirects = 0.

Sysadmin Advice: Use `ss -ant | grep SYN-RECV | wc -l` to monitor how many half-open connections are currently hitting your server. If this number is consistently high, it's a clear sign of an ongoing SYN flood or a severely misconfigured client.
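As an added example (not from the Hovixa article), the one-liner above can be turned into a small monitor that counts SYN-RECV sockets in `ss -ant` output, breaks them down per peer address, and exits non-zero when a threshold is crossed so it can feed a cron job or alerting hook. The sample `ss` output embedded below is constructed for the example, and the function names and the default limit of 256 are assumptions.

```shell
#!/bin/sh
# Added example, not from the Hovixa article: half-open connection monitor
# built on "ss -ant" output (read from stdin so it can be tested offline).

# Constructed sample of "ss -ant" output for offline use; addresses are
# documentation ranges, not real hosts.
SAMPLE='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      4096   0.0.0.0:443          0.0.0.0:*
ESTAB      0      0      10.0.0.5:443         203.0.113.10:51544
SYN-RECV   0      0      10.0.0.5:443         198.51.100.7:40001
SYN-RECV   0      0      10.0.0.5:443         198.51.100.7:40002
SYN-RECV   0      0      10.0.0.5:443         198.51.100.9:5123'

# Count half-open (SYN-RECV) sockets. Matching on the State column is
# stricter than "grep SYN-RECV", which would also match the header or any
# stray text containing that string.
count_syn_recv() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Half-open sockets per peer address (port stripped), busiest first.
# Works for IPv4 "a.b.c.d:port" and bracketed IPv6 "[addr]:port".
syn_recv_by_peer() {
    awk '$1 == "SYN-RECV" { peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++ }
         END { for (p in c) print c[p], p }' | sort -rn
}

# Print a status line and return 1 when the half-open count exceeds the
# limit given as $1 (default 256, an assumed value; tune it to your backlog).
syn_recv_alert() {
    limit="${1:-256}"
    n=$(count_syn_recv)
    if [ "$n" -gt "$limit" ]; then
        echo "WARNING: $n half-open connections (limit $limit): possible SYN flood"
        return 1
    fi
    echo "OK: $n half-open connections (limit $limit)"
    return 0
}

# Command-line use: "--live [limit]" checks the running host, "--demo" runs
# the per-peer breakdown on the constructed sample.
case "${1:-}" in
    --live) ss -ant | syn_recv_alert "${2:-256}" ;;
    --demo) printf '%s\n' "$SAMPLE" | syn_recv_by_peer ;;
esac
```

Read the per-peer breakdown with care: a handful of peers each holding many half-open sockets usually points at misbehaving or badly configured clients, whereas a flood typically shows a large total spread thinly across many addresses. In the second case the counts help size the problem and confirm that SYN cookies have engaged (the total stops growing at the backlog limit) rather than identify a culprit.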
