Linux TCP Kernel Parameters: Explanation and Configuration Guidance
The following are system-level TCP kernel parameters. They generally work well with default values and should only be adjusted in specific scenarios (e.g., high-concurrency servers, NAT gateways, or under specific attacks) based on actual needs.
Connection Establishment and Retry
tcp_syn_retries (INTEGER)
Default: 5
Description: The number of SYN retransmits sent for an actively opened connection before the kernel gives up. Should not exceed 255. The default of 5 corresponds to roughly 180 seconds. For high-load servers on reliable networks, consider reducing to 2 to detect connection failures faster.
tcp_synack_retries (INTEGER)
Default: 5
Description: The number of SYN+ACK retransmits sent for a passively opened connection before the kernel gives up. Should not exceed 255. Adjust similarly to tcp_syn_retries.
tcp_max_syn_backlog (INTEGER)
Default: 1024 (for systems with >128MB RAM)
Description: Maximum length of the SYN queue (connections in SYN_RECV state). Increase if the server is often overloaded or under SYN Flood attack. Note: If set above 1024, you may need to adjust the TCP_SYNQ_HSIZE macro in the kernel source.
Keepalive and Timeout
tcp_keepalive_time (INTEGER)
Default: 7200 (2 hours)
Description: The time a connection must be idle before TCP sends the first keepalive probe (when SO_KEEPALIVE is enabled). Often reduced to 1800 (30 minutes) or less on NAT or web servers to mitigate idle connection attacks.
tcp_keepalive_intvl (INTEGER)
Default: 75
Description: The interval between keepalive probes.
tcp_keepalive_probes (INTEGER)
Default: 9
Description: The maximum number of keepalive probes sent before declaring the connection dead. Total detection time is roughly tcp_keepalive_time + tcp_keepalive_intvl * tcp_keepalive_probes.
tcp_fin_timeout (INTEGER)
Default: 60
Description: The time a socket can remain in the FIN-WAIT-2 state after the local end initiates a close. Reducing this (e.g., to 30) can free resources faster on high-concurrency servers, but may affect connections on high-latency networks.
TIME-WAIT State
tcp_tw_reuse (BOOLEAN)
Default: 0
Description: Allows reusing sockets in TIME-WAIT state for new outgoing TCP connections. Can help services that need to restart quickly and bind to the same port (avoiding "Address already in use").
tcp_tw_recycle (BOOLEAN)
Default: 0
Description: Enables fast recycling of TIME-WAIT sockets. This parameter was removed in modern Linux kernels (4.12+). It was historically considered beneficial for NAT but its timestamp-based mechanism can cause issues for clients behind NAT. Strongly recommended to keep disabled.
tcp_max_tw_buckets (INTEGER)
Default: 180000
Description: Maximum number of TIME-WAIT sockets allowed system-wide. When exceeded, new TIME-WAIT sockets are destroyed immediately. Primarily a simple DoS protection; do not lower arbitrarily. Increase if necessary on NAT gateways or proxy servers with genuinely high TIME-WAIT counts.
Congestion Control and Performance
tcp_sack (BOOLEAN)
Default: 1
Description: Enables Selective Acknowledgment (SACK), improving recovery from multiple packet losses and increasing throughput, with a slight CPU cost. Recommended for WAN environments.
tcp_timestamps (BOOLEAN)
Default: 1
Description: Enables TCP timestamps, which are needed for accurate RTT measurement and for Protection Against Wrapped Sequence numbers (PAWS). Keep enabled unless facing compatibility issues in heterogeneous networks. Note: tcp_tw_recycle depends on this option.
tcp_window_scaling (BOOLEAN)
Default: 1
Description: Enables TCP window scaling, allowing window sizes >65535 bytes. Essential for high-speed networks (Gigabit/10GbE). May be disabled in low-speed/LAN to reduce overhead, but generally keep enabled.
Buffer Sizes
tcp_wmem (3 INTEGERS: min, default, max)
Default: 4096 16384 4194304 (or 131072, depending on kernel)
Description: Memory reserved for TCP socket send buffers (bytes). The max value does not affect the global net.core.wmem_max. Increase the max value for high-throughput servers; 4096 16384 4194304 is a common starting point.
tcp_rmem (3 INTEGERS: min, default, max)
Default: 4096 87380 4194304 (or 6291456, depending on kernel)
Description: Memory reserved for TCP socket receive buffers (bytes). The max value is often recommended to be twice the default or larger for high Bandwidth-Delay Product (BDP) networks.
tcp_mem (3 INTEGERS: low, pressure, high)
Description: Controls overall TCP memory usage (in pages). Usually auto-calculated; adjust manually only in special cases.
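As an added example (not part of the original guide), the following Python computes the Bandwidth-Delay Product mentioned under tcp_rmem and raises a triplet's max, if needed, so the autotuned window can cover it. The page-size rounding and the 2x headroom factor are this example's assumptions, and the 1 Gbit/s, 50 ms scenario is constructed.

```python
import math

PAGE_SIZE = 4096  # buffer limits are rounded up to whole pages here (assumption)
HEADROOM = 2.0    # factor above the raw BDP (assumption): part of each socket buffer
                  # holds kernel metadata, so the usable window is smaller than the max


def bdp_bytes(bandwidth_bps: int, rtt_seconds: float) -> int:
    """Bandwidth-Delay Product: bytes that must be in flight to keep the path full."""
    return round(bandwidth_bps * rtt_seconds / 8)


def recommend_buffer(triplet, bandwidth_bps, rtt_seconds):
    """Return (min, default, max) with max raised, if needed, to cover the BDP plus
    headroom. min and default are kept: the kernel autotunes between them and max."""
    lo, default, hi = triplet
    needed = math.ceil(bdp_bytes(bandwidth_bps, rtt_seconds) * HEADROOM / PAGE_SIZE) * PAGE_SIZE
    return (lo, default, max(hi, needed))


def sysctl_lines(rmem, wmem):
    """Render the two triplets as /etc/sysctl.conf lines."""
    return ["net.ipv4.tcp_rmem = %d %d %d" % rmem,
            "net.ipv4.tcp_wmem = %d %d %d" % wmem]


if __name__ == "__main__":
    # Constructed scenario: 1 Gbit/s path with 50 ms RTT, starting from the guide's defaults.
    link, rtt = 1_000_000_000, 0.050
    rmem = recommend_buffer((4096, 87380, 4194304), link, rtt)
    wmem = recommend_buffer((4096, 16384, 4194304), link, rtt)
    print("\n".join(sysctl_lines(rmem, wmem)))  # max rises to 12500992 (> 4194304)
```

A 100 Mbit/s LAN with 10 ms RTT leaves the defaults untouched, which is the guide's point: raise these only when the BDP actually exceeds the current max.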
Security and DoS Protection
tcp_syncookies (BOOLEAN)
Default: 1 (enabled in most modern distros)
Description: Enables SYN cookies to mitigate SYN Flood attacks when the SYN queue overflows. For high-load servers not under attack, prioritize tuning parameters like tcp_max_syn_backlog for performance, as syncookies violate TCP protocol and can affect features like window scaling. Enable temporarily only when a SYN Flood is detected.
tcp_abort_on_overflow (BOOLEAN)
Default: 0
Description: Whether to send an RST and abort the connection when the accept queue overflows. Setting to 1 allows clients to fail fast, giving the server room to process the backlog, but may cause legitimate connections to be rejected. Enable with caution.
tcp_max_orphans (INTEGER)
Default: 8192
Description: Maximum number of orphaned TCP sockets (not attached to any user file handle). When exceeded, new orphans are reset. Primarily a DoS protection; do not rely on or lower arbitrarily.
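The following Python audit is an added example, not code from the guide; it checks a sysctl snapshot against the advice in this section and applies the keepalive detection formula given under tcp_keepalive_probes. SAMPLE is a constructed snapshot, the 1800 s keepalive threshold is taken from the tcp_keepalive_time note, and read_live() only returns values on a Linux host.

```python
from pathlib import Path

PROC = Path("/proc/sys/net/ipv4")

# Constructed snapshot standing in for /proc/sys/net/ipv4 on a carelessly tuned
# host: syncookies off, tcp_tw_recycle present and enabled (pre-4.12 kernel),
# keepalive left at the stock two-hour defaults.
SAMPLE = {
    "tcp_syncookies": "0", "tcp_tw_recycle": "1", "tcp_timestamps": "1",
    "tcp_syn_retries": "5", "tcp_synack_retries": "5",
    "tcp_max_syn_backlog": "1024", "tcp_max_tw_buckets": "180000",
    "tcp_max_orphans": "8192", "tcp_keepalive_time": "7200",
    "tcp_keepalive_intvl": "75", "tcp_keepalive_probes": "9",
}


def read_live() -> dict:
    """Read the same keys from /proc on a Linux host; files that do not exist are skipped."""
    return {k: (PROC / k).read_text().strip() for k in SAMPLE if (PROC / k).exists()}


def intval(vals, key) -> int:
    """Integer value of a key, falling back to the SAMPLE value when the key is absent."""
    return int(vals.get(key, SAMPLE[key]))


def keepalive_detect_seconds(vals) -> int:
    """Worst-case time to notice a dead idle peer: time + intvl * probes."""
    return (intval(vals, "tcp_keepalive_time")
            + intval(vals, "tcp_keepalive_intvl") * intval(vals, "tcp_keepalive_probes"))


def audit(vals, max_keepalive=1800) -> list:
    """One finding per setting that departs from the guide's advice."""
    findings = []
    if vals.get("tcp_syncookies") != "1":
        findings.append("tcp_syncookies=0: SYN queue overflow drops new connections under SYN flood")
    if vals.get("tcp_tw_recycle") == "1":
        findings.append("tcp_tw_recycle=1: breaks clients behind NAT; disable")
    if vals.get("tcp_timestamps") != "1":
        findings.append("tcp_timestamps=0: PAWS and accurate RTT measurement disabled")
    for key in ("tcp_syn_retries", "tcp_synack_retries"):
        if intval(vals, key) > 255:
            findings.append(f"{key}={vals[key]}: exceeds the documented limit of 255")
    if intval(vals, "tcp_max_tw_buckets") < 180000:
        findings.append("tcp_max_tw_buckets below the 180000 default: DoS protection weakened")
    if (ka := keepalive_detect_seconds(vals)) > max_keepalive:
        findings.append(f"keepalive detection takes {ka}s (> {max_keepalive}s); dead idle peers linger")
    return findings


if __name__ == "__main__":
    live = read_live()  # empty off-Linux, so the constructed snapshot is audited instead
    for finding in audit(live or SAMPLE):
        print("WARN", finding)
```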
Common Configuration Examples
Temporary Hardening Against SYN Flood
# Enable SYN Cookie (temporary)
sysctl -w net.ipv4.tcp_syncookies=1
# Increase SYN queue
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
# Reduce SYN+ACK retries
sysctl -w net.ipv4.tcp_synack_retries=2
# Reduce active SYN retries
sysctl -w net.ipv4.tcp_syn_retries=2
High-Concurrency Server Tuning (Test with your application)
# Allow TIME-WAIT reuse (outgoing only)
sysctl -w net.ipv4.tcp_tw_reuse=1
# Tune keepalive to release dead connections faster
sysctl -w net.ipv4.tcp_keepalive_time=600
sysctl -w net.ipv4.tcp_keepalive_intvl=30
sysctl -w net.ipv4.tcp_keepalive_probes=3
# Shorten FIN-WAIT-2 timeout
sysctl -w net.ipv4.tcp_fin_timeout=30
# Increase local port range
sysctl -w net.ipv4.ip_local_port_range='1024 65535'
# Adjust buffer sizes (tune for memory/network)
sysctl -w net.ipv4.tcp_rmem='4096 87380 6291456'
sysctl -w net.ipv4.tcp_wmem='4096 16384 4194304'
Important Notes:
- Changes can be applied temporarily with sysctl -w parameter=value, or permanently by adding them to /etc/sysctl.conf and running sysctl -p.
- Understand each parameter before adjusting and test in a staging environment.
- The tcp_tw_recycle parameter is deprecated and harmful in modern kernels; do not enable it.
- There is no silver bullet for performance tuning. Adjust based on monitoring data (e.g., ss -s, netstat -s) and application characteristics.