Use the tcp_tw_{reuse,recycle} kernel parameters with caution
Earlier on my blog I wrote that one way to deal with too many TIME_WAIT connections is to enable fast TCP recycling (tcp_tw_recycle).
But a number of bugs reported recently show that, with tcp_tw_recycle enabled, access from clients behind an internal NAT is affected: once this feature is on, the kernel assumes that a single IP address has only one valid timestamp, so if the timestamps coming out from behind the gateway differ, the server drops those TCP segments.
I recommend using the tcp_tw_recycle and tcp_tw_reuse parameters with care. The original text follows:
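To make that failure mode concrete, here is an added Python model of the per-source-IP timestamp check (example code written for this post, not kernel code): the `Server` class, the 60-second remembering window and the NAT address are assumptions for illustration, and constructed SYNs from two hosts behind one NAT show which ones are dropped when the check is on.

```python
# Simplified model (an assumption, not kernel code) of the per-peer PAWS check
# that tcp_tw_recycle adds for incoming SYNs: the server remembers the last
# timestamp seen from each source IP for TCP_PAWS_MSL seconds, and a new SYN
# whose timestamp is older than that is dropped. Two hosts behind one NAT
# share a source IP but have unrelated timestamp clocks, so one of them loses.

TCP_PAWS_MSL = 60  # seconds a remembered peer timestamp stays authoritative


class Server:
    """Accepts or drops SYNs, optionally applying the tcp_tw_recycle check."""

    def __init__(self, tw_recycle: bool):
        self.tw_recycle = tw_recycle
        self.peer_ts = {}  # src_ip -> (last_tsval, wall_clock_when_seen)

    def syn(self, src_ip: str, tsval: int, now: float) -> str:
        if self.tw_recycle and src_ip in self.peer_ts:
            last_tsval, seen_at = self.peer_ts[src_ip]
            if now - seen_at < TCP_PAWS_MSL and tsval < last_tsval:
                return "drop"  # PAWS: looks like an old segment from this "host"
        self.peer_ts[src_ip] = (tsval, now)
        return "accept"


def simulate(tw_recycle: bool):
    """Constructed traffic: two hosts behind NAT IP 203.0.113.10 send SYNs."""
    # (host, TSval, wall clock). Host A booted long ago, host B recently, so
    # A's TSval is far ahead of B's; both arrive from the same NAT address.
    # The last SYN comes after the window expired and is accepted again.
    nat_ip = "203.0.113.10"
    syns = [("A", 4_000_000, 0.0), ("B", 12_000, 1.0),
            ("A", 4_001_000, 2.0), ("B", 13_000, 3.0),
            ("B", 14_000, 70.0)]
    srv = Server(tw_recycle)
    return [(host, srv.syn(nat_ip, ts, t)) for host, ts, t in syns]


if __name__ == "__main__":
    for setting in (False, True):
        print(f"tcp_tw_recycle={int(setting)}:", simulate(setting))
```

With the check off every SYN is accepted; with it on, host B's SYNs are dropped whenever host A has connected within the last 60 seconds, which is exactly the "NAT clients intermittently cannot connect" symptom.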
We’ve recently had a long discussion about the CVE-2005-0356 time stamp denial-of-service
attack. It turned out that Linux is only vulnerable to this problem when tcp_tw_recycle
is enabled (which it is not by default).
In general these two options are not really usable in today’s internet because they
make the (often false) assumption that a single IP address has a single TCP time stamp /
PAWS clock. This assumption breaks both NAT/masquerading and also opens Linux to denial
of service attacks (see the CVE description)
Due to these numerous problems I propose to remove this code for 2.6.26
Signed-off-by: Andi Kleen
Index: linux/Documentation/feature-removal-schedule.txt
===================================================================
— linux.orig/Documentation/feature-removal-schedule.txt
+++ linux/Documentation/feature-removal-schedule.txt
@@ -354,3 +354,15 @@ Why: The support code for the old firmwa
and slightly hurts runtime performance. Bugfixes for the old firmware
are not provided by Broadcom anymore.
Who: Michael Buesch
+
+—————————
+
+What: Support for /proc/sys/net/ipv4/tcp_tw_{reuse,recycle} = 1
+When: 2.6.26
+Why: Enabling either of those makes Linux TCP incompatible with masquerading and
+ also opens Linux to the CVE-2005-0356 denial of service attack. And these
+ optimizations are explicitely disallowed by some benchmarks. They also have
+ been disabled by default for more than ten years so they’re unlikely to be used
+ much. Due to these fatal flaws it doesn’t make sense to keep the code.
+Who: Andi Kleen
+
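Review bot: the What: line says support for setting the knobs to 1 goes away, but not whether /proc/sys/net/ipv4/tcp_tw_{reuse,recycle} themselves remain (a write of 1 silently ignored versus the files disappearing, which would make existing sysctl.conf entries fail at boot); state which, since administrators who set these need to know what to expect in 2.6.26. Also "explicitely" in the Why: text should be "explicitly", and a short gloss of CVE-2005-0356 (the TCP timestamp denial-of-service the cover letter mentions) would help readers of the schedule who do not have the mail.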
—