- Thread Starter
- #26
No problem at all. This is an interesting discussion as I would like to find a solution to this as well as optimize the configurations.
autoboot_delay="3"
vm.kmem_size="435544320"
vm.kmem_size_max="535544320"
if_igb_load="YES"
kern.hz=1000
boot_serial="YES"
comconsole_speed="115200"
hw.usb.no_pf="1"
aio_load="YES"
cc_htcp_load="YES"
net.inet.tcp.hostcache.cachelimit="0"
hw.igb.txd="2048"
hw.igb.rxd="2048"
hw.igb.rx_process_limit="-1"
hw.igb.enable_aim="1"
hw.igb.num_queues="0"
hw.igb.enable_msix="1"
kern.ipc.nmbclusters="492680"
net.inet.tcp.syncache.hashsize="1024"
net.inet.tcp.tcbhashsize="65536"
net.isr.bindthreads="0"
net.isr.dispatch="direct"
net.isr.maxthreads="1"
- Set the actual timeouts lower - some services can handle very low timeouts, some can't -> experiment with it.
- Set the adaptive timeout start point much lower.
- Limit simultaneous connections per client.
- Limit states created per host.
- Limit the number of "new" connections allowed per second - be cautious with this one.
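The tips above map directly onto raw pf directives. As an added illustration (not from this thread and not config generated by pfSense; the interface igb0, port 443, the table name and every number are placeholders to tune per service), a pf.conf fragment that shortens the TCP timeouts, starts adaptive scaling early, and caps per-source connections, connection rate and states, dropping offenders into a table that a block rule discards:

```pf
# Added example, not from the thread: igb0, port 443, <abusers> and all numbers are placeholders.

# Shorter state lifetimes: idle or half-open states expire sooner, so the table stays small.
set timeout { tcp.first 30, tcp.opening 15, tcp.established 600 }
set timeout { tcp.closing 30, tcp.finwait 20, tcp.closed 5 }

# Adaptive timeouts: once the state count passes adaptive.start, every timeout is
# scaled down linearly, reaching zero at adaptive.end. Start scaling well below the limit.
set limit states 200000
set timeout { adaptive.start 60000, adaptive.end 240000 }

# Sources that trip a per-source limit land in this table; "flush global"
# also removes the states they already hold, not only the new one.
table <abusers> persist
block in quick on igb0 from <abusers>

# Per-source caps on a single service rule:
#   max-src-conn       simultaneous established connections per client
#   max-src-conn-rate  new connections per client per interval (the cautious one)
#   max-src-states     state entries per client
pass in on igb0 proto tcp from any to any port 443 flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 20/10, max-src-states 100, \
     overload <abusers> flush global)
```

pfSense writes pf.conf itself, so on that platform the equivalents are set through the GUI (the rule's advanced options and the firewall state timeout settings) rather than by editing this file; check the resulting table with `pfctl -t abusers -T show` and the state count with `pfctl -si`.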
It doesn't need to sort legit from non. Below tuning tips have been tried to no avail. It doesn't seem capable of sorting legit traffic from the DDoS one.
What about 1:1 NAT without redirecting to different port or IP address?
It doesn't need to sort legit from non.
If your system can't handle the number of states it's dealing with "and it can't if setting it stateless solves it" then reduce the timeouts etc.