※ 以下ã€ãƒ•ã‚£ã‚¯ã‚·ãƒ§ãƒ³ã§ã™ã€‚
ã¯ã˜ã‚ã«ï¼š ã“ã‚“ãªã‚µãƒ¼ãƒ(↓dstat)
(è£ãƒãƒƒãƒã«ã‚ˆã‚Šiowaitã¨LAãŒé«˜ã„ã®ã¯ä¸€æ™‚çš„ãªä»•æ§˜ã¨ã™ã‚‹)
気付ã‘ã°ãƒã‚°ã«ãƒ»ãƒ»ãƒ»
Mar 29 18:08:02 hostname kernel: printk: 48843 messages suppressed. Mar 29 18:08:02 hostname kernel: TCP: time wait bucket table overflow Mar 29 18:08:07 hostname kernel: printk: 54962 messages suppressed. Mar 29 18:08:07 hostname kernel: TCP: time wait bucket table overflow Mar 29 18:08:12 hostname kernel: printk: 64843 messages suppressed. Mar 29 18:08:12 hostname kernel: TCP: time wait bucket table overflow
ワッショイヽ(゚∀゚)メ(゚∀゚)メ(゚∀゚)ノワッショイ
接続状æ³ã¯ãƒ»ãƒ»ãƒ»å¤§é‡ã®TIME_WAITãŒã£
# netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c
5 ESTABLISHED
11 FIN_WAIT1
1 FIN_WAIT2
1 LISTEN
3 SYN_RECV
149324 TIME_WAITワッショイヽ(゚∀゚)メ(゚∀゚)メ(゚∀゚)ノワッショイ
ãŠå¾…ã¡ã«ãªã‚‰ã‚Œã¦ãŠã‚Šã¾ã™ãƒ»ãƒ»ãƒ»
# netstat -ton tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.aa:54648 TIME_WAIT timewait (27.05/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.bb:54720 TIME_WAIT timewait (7.67/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.cc:55908 TIME_WAIT timewait (52.52/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.dd:55918 TIME_WAIT timewait (44.23/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.ee:55906 TIME_WAIT timewait (30.47/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.ff:55842 TIME_WAIT timewait (24.80/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.gg:55910 TIME_WAIT timewait (15.51/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.hh:56164 TIME_WAIT timewait (53.01/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.ii:56162 TIME_WAIT timewait (30.65/0/0) tcp 0 0 ::ffff:172.xx.xx.xx:80 ::ffff:xx.xx.xx.jj:56166 TIME_WAIT timewait (15.65/0/0) ・・・・・以下10万行余りçœç•¥ï½—・・・・・
アワワ ヽ(´Д`;≡;´Д`)丿 アワワ
net.ipv4.tcp_max_tw_buckets
tcp_max_tw_buckets (integer; default: 下記å‚ç…§; Linux 2.4 以é™)
Man page of TCP
システムãŒè¨±å®¹ã™ã‚‹ TIME_WAIT 状態ã«ã‚るソケットã®æœ€å¤§æ•°ã€‚ã“ã®åˆ¶é™ãŒå˜åœ¨ã™ã‚‹ã®ã¯ã€å˜ç´”ãªä½¿ç”¨ä¸èƒ½ (denial-of-service) 攻撃を防ããŸã‚ã«éŽãŽãªã„。デフォルト値㯠NR_FILE*2 ã§ã€ã‚·ã‚¹ãƒ†ãƒ ã®ãƒ¡ãƒ¢ãƒªã«å¿œã˜ã¦èª¿æ•´ã•ã‚Œã‚‹ã€‚ã“ã®æ•°å€¤ã‚’越ãˆã‚‹ã¨ã€ãã®ã‚ˆã†ãªã‚½ã‚±ãƒƒãƒˆã¯ã‚¯ãƒãƒ¼ã‚ºã•ã‚Œã€è¦å‘ŠãŒè¡¨ç¤ºã•ã‚Œã‚‹ã€‚
"tcp_max_tw_buckets"ã®å€¤ã‚’ã€ã¡ã‚‡ã£ã¨ãšã¤å¢—ã‚„ã—ã¦ã¿ãŸã‘ã©ãƒ»ãƒ»ãƒ»å¤‰ã‚らãªã„ï¼
ヾノ・∀・`)ムリムリ ヾノ'д'o)?? ム───(乂Д´)───リ!!
net.ipv4.tcp_tw_reuse
tcp_tw_reuse (Boolean; default: disabled; Linux 2.4.19/2.6 以é™)
Man page of TCP
プãƒãƒˆã‚³ãƒ«ã®é¢ã‹ã‚‰è¦‹ã¦å•é¡Œãªã„å ´åˆã«æ–°è¦ã‚³ãƒã‚¯ã‚·ãƒ§ãƒ³ã« TIME_WAIT 状態ã®ã‚½ã‚±ãƒƒãƒˆã‚’å†åˆ©ç”¨ã™ã‚‹ã“ã¨ã‚’許å¯ã™ã‚‹ã€‚技術的ã«è©³ã—ã„人ã®åŠ©è¨€ã‚„è¦è«‹ãªã—ã«ã“ã®ã‚ªãƒ—ションを変更ã™ã¹ãã§ã¯ãªã„。
有効ã«ã—ã¦ã¿ãŸã€‚
# netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c
2 ESTABLISHED
12 FIN_WAIT1
2 FIN_WAIT2
1 LISTEN
3 SYN_RECV
153076 TIME_WAITアワワ ヽ(´Д`;≡;´Д`)丿 アワワ
net.ipv4.tcp_tw_recycle
tcp_tw_recycle (Boolean; default: disabled; Linux 2.4 以é™)
Man page of TCP
TIME_WAIT ソケットã®ç´ æ—©ã„å†åˆ©ç”¨ã‚’有効ã«ã™ã‚‹ã€‚ã“ã®ã‚ªãƒ—ションを有効ã«ã™ã‚‹ã¨ã€ NAT (ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚¢ãƒ‰ãƒ¬ã‚¹å¤‰æ›) を用ã„ã¦ã„ã‚‹ã¨å•é¡ŒãŒç”Ÿã˜ã‚‹ã®ã§ã€ã‚ã¾ã‚ŠæŽ¨å¥¨ã—ãªã„。
今回ã¯ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰(internal)ã®è©±ã§ã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã€œã‚µãƒ¼ãƒé–“ã§ã€NATを挟んã§ã„ã‚‹ã¨ã“ã‚ã¯ç„¡ã‹ã£ãŸã®ã§æœ‰åŠ¹ã«ã—ã¦ã¿ãŸã€‚
# netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c
9 ESTABLISHED
14 FIN_WAIT1
1 FIN_WAIT2
1 LISTEN
5 SYN_RECV
22 TIME_WAIT( ̄ー+ ̄). ( ̄∇+ï¿£)vï½·ï¾—ï½°ï¾
ãŠã‚ã‚Šã«
本当ã¯ã€TIME_WAIT自体ã®ã‚¿ã‚¤ãƒ アウトを60sã‹ã‚‰çŸãã—ãŸã‹ã£ãŸãŒã€kernelã®rebuildãŒã—è¾›ã„状æ³ã§...ã‚ã¨ã€
実ã¯ã€HTTP接続ãªã®ã§ã€ãã¡ã‚“ã¨Keep-Aliveを使ãˆã‚‹çŠ¶æ…‹ã«ã™ã¹ã—。(ã¾ã¨ã¾ã£ã¦ãªã„)
=͟͟͞͞(๑•̀=͟͟͞͞(๑•̀д•́=͟͟͞͞(๑•̀д•́๑)=͟͟͞͞(๑•̀д•́
ãŠã¾ã‘
説明
TCPソケットã®TIME_WAIT状態を管ç†ã™ã‚‹ãŸã‚ã«ä½¿ç”¨ã™ã‚‹ã‚¹ãƒ©ãƒ–ã‚ャッシュã®ã‚µã‚¤ã‚ºãŒæœ€å¤§å€¤(tcp_max_tw_buckets)ã«é”ã—ãŸã€‚
tcp_max_buckets ã¯ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒè¨å®šã™ã‚‹ã“ã¨ãŒã§ãã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆå€¤ã¯ 16384 ã§ã‚る。
ç¾åœ¨ã®å€¤ã‚’確èªã™ã‚‹ã«ã¯ã€ä»¥ä¸‹ã®2ã¤ã®æ–¹æ³•ã®ã„ãšã‚Œã‹ã‚’利用ã™ã‚Œã°ã‚ˆã„。
1. # cat /proc/sys/net/ipv4/tcp_max_tw_buckets 2. # sysctl net.ipv4.tcp_max_tw_bucketshttp://ossmpedia.org/messages/linux/2.6.9-34.EL/29972.ja対処
tcp_max_tw_buckets をシステム㮠TCP ソケット利用状æ³ã«åˆã‚ã›ã¦æ‹¡å¼µã™ã‚‹ã€‚
ã“ã®åˆ¶é™ã¯ã€DOS攻撃ã«å¯¾å‡¦ã™ã‚‹ãŸã‚ã ã‘ã«è¨ã‘られã¦ã„ã‚‹ã‚‚ã®ã§ã€ã“ã®å€¤ã‚’大ããã™ã‚‹ã“ã¨ã§ã€ãƒ¡ãƒ¢ãƒªãƒªã‚½ãƒ¼ã‚¹ãªã©ã‚’ç„¡é—‡ã«æ¶ˆè²»ã™ã‚‹ã“ã¨ã¯ãªã„。
tcp_max_tw_buckets ã®è¨å®šæ–¹æ³•ã¯ä»¥ä¸‹ã®2ã¤ãŒã‚る。
1. # echo <スラブã‚ャッシュサイズ> > /proc/sys/net/ipv4/tcp_max_tw_buckets 2. # sysctl -w net.ipv4.tcp_max_tw_buckets=<スラブã‚ャッシュサイズ>
å‚考
- Man page of TCP
- http://www.redbooks.ibm.com/redpapers/pdfs/redp3861.pdf
- Tuning Red Hat Enterprise Linux on IBM Eserver xSeries Servers
- どさにっき
- いっぱい接続したいの - (ひ)メモ
- TCP/IP通信の状態を調べる「netstat」コマンドを使いこなす (1/2):Tech TIPS - @IT
詳解TCP/IP〈Vol.1〉プãƒãƒˆã‚³ãƒ«
- 作者: W.リãƒãƒ£ãƒ¼ãƒ‰ã‚¹ãƒ†ã‚£ãƒ¼ãƒ´ãƒ³ã‚¹,W.Richard Stevens,橘康雄,井上尚å¸
- 出版社/メーカー: ピアソンエデュケーション
- 発売日: 2000/12
- メディア: å˜è¡Œæœ¬
- 購入: 6人 クリック: 81回
- ã“ã®å•†å“ã‚’å«ã‚€ãƒ–ãƒã‚° (41件) を見る
