声明:本文转载自https://my.oschina.net/superwjc/blog/1819254,转载目的在于传递更多信息,仅供学习交流之用。如有侵权行为,请联系我,我会及时删除。
github项目地址:https://github.com/superwujc
尊重原创,欢迎转载,注明出处:https://my.oschina.net/superwjc/blog/1819254
TCP的连接建立过程通常称为三次握手(three-way handshake),即客户端与服务端彼此交换用于建立连接的初始SYN segment与ACK。
连接建立过程中,任一端出现接收不到对端ACK时都将导致初始SYN segment重传,Linux内核为该情况设置了重传间隔与重传次数:
操作系统:CentOS Linux release 7.5.1804 (Core)
内核版本:3.10.0-862.2.3.el7.x86_64
服务端IP:22.99.22.111
客户端IP:22.99.22.101
示例程序详见 Linux TCP那些事儿之被动套接字(一)
服务端启动程序:
# ./tcp_server -b 1024 &客户端启动程序:
# ./tcp_client -i 22.99.22.111 -p 8888 -n 1 &服务端与客户端分别启动tcpdump观察连接情况:
# tcpdump -i eth0 -nn -S host 22.99.22.111 and host 22.99.22.101 and tcp服务端与客户端的tcpdump输出:
21:40:49.989951 IP 22.99.22.101.38118 > 22.99.22.111.8888: Flags [S], seq 231965702, win 29200, options [mss 1460,sackOK,TS val 11012209 ecr 0,nop,wscale 7], length 0 21:40:49.989998 IP 22.99.22.111.8888 > 22.99.22.101.38118: Flags [S.], seq 513997240, ack 231965703, win 28960, options [mss 1460,sackOK,TS val 14396437 ecr 11012209,nop,wscale 7], length 0 21:40:49.990223 IP 22.99.22.101.38118 > 22.99.22.111.8888: Flags [.], ack 513997241, win 229, options [nop,nop,TS val 11012210 ecr 14396437], length 021:40:49.991145 IP 22.99.22.101.38118 > 22.99.22.111.8888: Flags [S], seq 231965702, win 29200, options [mss 1460,sackOK,TS val 11012209 ecr 0,nop,wscale 7], length 0 21:40:49.991499 IP 22.99.22.111.8888 > 22.99.22.101.38118: Flags [S.], seq 513997240, ack 231965703, win 28960, options [mss 1460,sackOK,TS val 14396437 ecr 11012209,nop,wscale 7], length 0 21:40:49.991541 IP 22.99.22.101.38118 > 22.99.22.111.8888: Flags [.], ack 513997241, win 229, options [nop,nop,TS val 11012210 ecr 14396437], length 0查看连接状态,两端均显示连接已建立
# ss -atn | grep 8888 LISTEN 1 128 *:8888 *:* ESTAB 0 0 22.99.22.111:8888 22.99.22.101:38118# ss -atn | grep 8888 ESTAB 0 0 22.99.22.101:38118 22.99.22.111:8888在服务端添加防火墙规则,丢弃向客户端发送的syn+ack
# iptables -I OUTPUT -p tcp --destination 22.99.22.101 --tcp-flags ALL ACK,SYN -j DROP # # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination DROP tcp -- anywhere 22.99.22.101 tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK客户端设置重传次数,默认为6,修改为4
# cat /proc/sys/net/ipv4/tcp_syn_retries 6 # echo 4 > /proc/sys/net/ipv4/tcp_syn_retries # cat /proc/sys/net/ipv4/tcp_syn_retries 4再次启动服务端与客户端程序,两端的tcpdump输出均显示客户端发生了4次初始SYN的重传,每次间隔分别为1s/2s/4s/8s,总间隔为15s
21:49:29.425637 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11531645 ecr 0,nop,wscale 7], length 0 21:49:30.428747 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11532648 ecr 0,nop,wscale 7], length 0 21:49:32.433200 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11534652 ecr 0,nop,wscale 7], length 0 21:49:36.437044 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11538656 ecr 0,nop,wscale 7], length 0 21:49:44.454342 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11546673 ecr 0,nop,wscale 7], length 021:49:29.426515 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11531645 ecr 0,nop,wscale 7], length 0 21:49:30.429581 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11532648 ecr 0,nop,wscale 7], length 0 21:49:32.434015 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11534652 ecr 0,nop,wscale 7], length 0 21:49:36.437559 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11538656 ecr 0,nop,wscale 7], length 0 21:49:44.454826 IP 22.99.22.101.38120 > 22.99.22.111.8888: Flags [S], seq 1034503734, win 29200, options [mss 1460,sackOK,TS val 11546673 ecr 0,nop,wscale 7], length 0查看连接状态,服务端的syn+ack由于被自身drop而一直处于LISTEN状态,客户端在重传期间处于SYN-SENT状态,且超过重传次数后因连接超时而返回
# ss -atn | grep 8888 LISTEN 0 128 *:8888 *:*# ss -atn | grep 8888 SYN-SENT 0 1 22.99.22.101:38120 22.99.22.111:8888 # connect() failed: Connection timed out在客户端添加防火墙规则,丢弃向服务端发送的ack
# iptables -I OUTPUT -p tcp --destination 22.99.22.111 --dport 8888 --tcp-flags ALL ACK -j DROP # # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination DROP tcp -- anywhere 22.99.22.111 tcp dpt:ddi-tcp-1 flags:FIN,SYN,RST,PSH,ACK,URG/ACK客户端设置重传次数,默认为5,修改为3
# sysctl net.ipv4.tcp_synack_retries net.ipv4.tcp_synack_retries = 5 # [root@localhost code]# sysctl -w net.ipv4.tcp_synack_retries=3 net.ipv4.tcp_synack_retries = 3 # # sysctl net.ipv4.tcp_synack_retries net.ipv4.tcp_synack_retries = 3再次启动服务端与客户端程序,两端的tcpdump输出均显示服务端发生了3次初始SYN的重传,每次间隔分别为1s/2s/4s,总间隔为7s
22:03:56.982987 IP 22.99.22.101.38122 > 22.99.22.111.8888: Flags [S], seq 985103784, win 29200, options [mss 1460,sackOK,TS val 12399201 ecr 0,nop,wscale 7], length 0 22:03:56.983034 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15783430 ecr 12399201,nop,wscale 7], length 0 22:03:57.985014 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15784432 ecr 12399201,nop,wscale 7], length 0 22:03:59.993905 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15786441 ecr 12399201,nop,wscale 7], length 0 22:04:04.008496 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15790456 ecr 12399201,nop,wscale 7], length 022:03:56.983313 IP 22.99.22.101.38122 > 22.99.22.111.8888: Flags [S], seq 985103784, win 29200, options [mss 1460,sackOK,TS val 12399201 ecr 0,nop,wscale 7], length 0 22:03:56.983746 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15783430 ecr 12399201,nop,wscale 7], length 0 22:03:57.985870 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15784432 ecr 12399201,nop,wscale 7], length 0 22:03:59.994857 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15786441 ecr 12399201,nop,wscale 7], length 0 22:04:04.009283 IP 22.99.22.111.8888 > 22.99.22.101.38122: Flags [S.], seq 703914964, ack 985103785, win 28960, options [mss 1460,sackOK,TS val 15790456 ecr 12399201,nop,wscale 7], length 0查看连接状态,服务端的初始SYN被客户端丢弃而在重传期间一直处于SYN-RECV状态,客户端已接收到服务端对初始SYN的ACK确认而处于ESTAB状态,导致半开(half-open)连接
# ss -atn | grep 8888 LISTEN 0 128 *:8888 *:* SYN-RECV 0 0 22.99.22.111%if355612354:8888 22.99.22.101:38122# ss -atn | grep 8888 ESTAB 0 0 22.99.22.101:38122 22.99.22.111:8888
本文发表于2018年05月27日 00:00
(c)注:本文转载自https://my.oschina.net/superwjc/blog/1819254,转载目的在于传递更多信息,并不代表本网赞同其观点和对其真实性负责。如有侵权行为,请联系我们,我们会及时删除.
阅读 3323 讨论 0 喜欢 0
以太坊区块链 Asp.Net Core的安全API设计 (上)
Spring Boot 1 和 Spring Boo 2的差别
由AnnotatedElementUtils延伸的一些所思所想
避坑!MotionGo就是一款诈骗软件!千万不要用ChatPPT,浪费时间!
宝塔面板使用WWW用户执行计划任务命令 解决laravel日志权限问题 宝塔设置计划任务执行用户
手机微信一键制作透明底文字表情 教你如何让微信表情包背景为透明 自制微信表情包动图 文字表情在线制作
ssh目录权限配置指南 .ssh文件夹及rsa_id.pub等文件正确权限规则
Mac连接亚马逊AWS EC2 远程连接登录不上去 有pem私钥文件依然要输密码 默认密码 教程
PHP工程师必知必会 - Linux系统常用命令 - Linux中的网络管理命令(下)
| 抢先体验 |
|---|
扫码体验 |
| 闪念胶囊 |
|---|
|
你要过得好哇,这样我才能恨你啊,你要是过得不好,我都不知道该恨你还是拥抱你啊。 17:21 2021年04月19日 查看详情 |
|
直抵黄龙府,与诸君痛饮尔。 18:17 2021年03月28日 查看详情 |
|
那时陪伴我的人啊,你们如今在何方。 16:28 2021年03月19日 查看详情 |
|
不出意外的话,我们再也不会见了,祝你前程似锦。 18:05 2021年03月17日 查看详情 |
|
这世界真好,吃野东西也要留出这条命来看看 21:21 2021年03月14日 查看详情 |
| Contact |
|---|
Y2lvbkBjaGluYWNpb24uY24= |