如何減少 TIME_WAIT 程序的數量？

$ netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c
    92 ESTABLISHED
     1 FIN_WAIT2
    13 LISTEN
  7979 TIME_WAIT

.

$ grep processor /proc/cpuinfo | wc -l
4

.

$ grep -r keep.*alive /etc/
/etc/ufw/sysctl.conf:#net/ipv4/tcp_keepalive_intvl=1800
/etc/nginx/nginx.conf:    keepalive_timeout     5 5;

.

$ free -m
            total       used       free     shared    buffers     cached
Mem:         14980       1402      13577          0        113        831
-/+ buffers/cache:        458      14521
Swap:            0          0          0

.

$ uptime
02:17:14 up 18:20,  1 user,  load average: 2.77, 2.39, 2.21

.

$ dstat
You did not select any stats, using -cdngy by default.
----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system--
usr sys idl wai hiq siq| read  writ| recv  send|  in   out | int   csw 
46   2  51   0   0   1|4432B   10k|   0     0 |   0     0 |4346  1870 
51   3  46   0   0   1|   0    56k|2679k  191k|   0     0 |5130  2318 
40   3  57   0   0   1|   0     0 |1566k  211k|   0     0 |4825  2141 
46   2  52   0   0   0|   0     0 |1311k  136k|   0     0 |4606  1997 
27   2  71   0   0   1|   0     0 | 234k  144k|   0     0 |3278  1693 
23   2  76   0   0   0|   0   152k| 286k  123k|   0     0 |3094  1683 
23   2  74   1   0   0|   0    28k| 146k  131k|   0     0 |3103  1576 
30   2  67   0   0   1|   0     0 | 668k  177k|   0     0 |4023  2020 
31   2  67   0   0   0|   0     0 | 326k  197k|   0     0 |4330  2273 
23   2  75   0   0   0|   0     0 | 339k  121k|   0     0 |3020  1428 
30   2  67   0   0   0|   0     0 |1930k  180k|   0     0 |4487  1947 
38   3  59   0   0   1|   0    12k| 340k  155k|   0     0 |4403  1994 
29   2  68   0   0   1|   0     0 | 187k  117k|   0     0 |3449  1729 
35   4  59   2   0   1|   0     0 | 478k  314k|   0     0 |4415  2338 
49   4  46   0   0   1|   0     0 |2263k  210k|   0     0 |5153  2289 
49   2  49   0   0   1|   0    60k|2921k  118k|   0     0 |5063  1532 
52   2  46   0   0   0|   0    24k|2823k  161k|   0     0 |4842  1740 
72   2  26   0   0   1|   0     0 |2361k  141k|   0     0 |4715  1600 
62   3  34   0   0   1|   0     0 |3414k  147k|   0     0 |5487  1863 
48   2  49   0   0   1|   0     0 |1501k  117k|   0     0 |4211  1722 
49   4  46   0   0   1|   0     0 |4675k  207k|   0     0 |5660  2286 
46   2  51   0   0   0|   0     0 | 182k  169k|   0     0 |4178  2373 
43   1  55   0   0   0|   0    12k| 172k  168k|   0     0 |3407  1843 
29   2  69   0   0   0|   0     0 | 376k  175k|   0     0 |4013  2216 
29   2  68   0   0   0|   0     0 | 613k  238k|   0     0 |4885  2628 
25   2  72   0   0   1|   0     0 | 272k  215k|   0     0 |5105  3126 
33   3  63   0   0   1|   0     0 |3692k  228k|   0     0 |5978  2397 ^C

.

$ cat /etc/sysctl.conf
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0


# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Tuen IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535

# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536

# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1

.

$ 2>/dev/null sysctl -a | grep \
   'tcp_syncookies\|tcp_max_syn_backlog\|tcp_synack_retries'
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048

問題： 什麼可能導致 TIME_WAIT 數量過多？

我有解決方案：

# This setting allows sockets reusing.
$ echo 'net.ipv4.tcp_tw_recycle = 1' >> /etc/sysctl.conf
$ sysctl -p /etc/sysctl.conf

TIME_WAIT 是未完成的 TCP 會話請求。這可能是由SYN Flood Denial of Service 攻擊引起的。

這種攻擊無法完全避免，但在強化 TCP/IP 堆棧以防 SYN 洪水一文中提供了一些有用的技巧，可用於減輕其影響。

引用自：https://serverfault.com/questions/498245