Limit Maximum TCP Connections to Web Servers
On Windows XP SP2 and Windows Vista, many users have been searching for a patched tcpip.sys hack or an auto patcher that removes the upper bound on simultaneous half-open TCP/IP connections. On a web server exposed to the Internet, the opposite may be true: there may be a need to restrict the maximum number of incoming TCP connections to the web server that are allowed at any one time.
Limiting the maximum number of incoming TCP connections to the web server is useful to prevent or, better still, stop DDoS (Distributed Denial of Service) or DoS (Denial of Service) attacks. DDoS attacks can consume a tremendous amount of system resources and CPU load, and slow down page serving time or response time for legitimate visitors. In the worst case, the attack can hang and bring down the web server completely, even if you have a dual quad-core CPU dedicated server with multiple GBs of memory.
To prevent and respond to Denial of Service attacks, other than using a firewall or SYN cookies, it's also possible to limit the number of TCP connections that the server can accept per second. The concept may also apply when a web page has been Dugg, Stumbled or Farked, which brings a large number of viewers in a short time span. However, this workaround is only intended to let the server survive rather than be brought down completely by a massive number of connections. The restriction also applies to valid human visitors to the websites hosted on the server: once the limit is hit, new connections are actively denied.
An administrator can use iptables to set the maximum number of TCP connections per second that the server will accept. To configure the limit, log in to a shell as root and issue the following commands, replacing <n> with the number of connections per second you want to set, and <m> with the burst rate at which you want the server to start applying the limit, both without brackets.
# Set EXT_IFACE (Internet-facing interface) and DEST_IP (web server address) before running.
# The chain is created in mangle rather than nat: current iptables releases refuse DROP in the nat table.
iptables -t mangle -N syn-flood
iptables -t mangle -A syn-flood -m limit --limit <n>/s --limit-burst <m> -j RETURN
iptables -t mangle -A syn-flood -j DROP
iptables -t mangle -A PREROUTING -i "$EXT_IFACE" -d "$DEST_IP" -p tcp --syn -j syn-flood
The commands above limit the number of TCP connections that can connect to the web server to n connections per second, after m connections have been established. There is no fixed figure for the number of connections you can set. If the server is powerful, it's possible to increase the values so that it accepts more connections and drops fewer. Try different values and set the best ones for your server.
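How n and m interact, and why legitimate visitors are dropped too once the limit is hit, can be seen in a small simulation. This is an added example, not part of the original article: it models the limit match as a token bucket, the traffic is constructed, and the per_source option is an assumption that goes beyond the article's rules to show what a per-source limit (for example the hashlimit match in srcip mode) would change.

```python
from collections import Counter, defaultdict

COST = 1000  # credit units one SYN consumes; credit is kept as integers


class LimitMatch:
    """Token bucket modelling `-m limit --limit <n>/s --limit-burst <m>`."""

    def __init__(self, n_per_s, m_burst):
        self.rate = n_per_s            # units gained per ms (n * COST / 1000)
        self.cap = m_burst * COST
        self.credit = self.cap         # bucket starts full: first m SYNs pass
        self.last_ms = 0

    def matches(self, now_ms):
        gained = (now_ms - self.last_ms) * self.rate
        self.credit = min(self.cap, self.credit + gained)
        self.last_ms = now_ms
        if self.credit >= COST:
            self.credit -= COST
            return True                # rule matches: RETURN, SYN is accepted
        return False                   # no credit: falls through to DROP


def simulate(n_per_s, m_burst, arrivals, per_source=False):
    """arrivals: (time_ms, source) pairs. Returns Counters (accepted, dropped)."""
    buckets = defaultdict(lambda: LimitMatch(n_per_s, m_burst))
    accepted, dropped = Counter(), Counter()
    for t, src in sorted(arrivals):
        bucket = buckets[src if per_source else "global"]
        (accepted if bucket.matches(t) else dropped)[src] += 1
    return accepted, dropped


def visitor_syns(seconds=10):
    # Constructed sample: one legitimate SYN every 500 ms.
    return [(t, "visitor") for t in range(251, seconds * 1000, 500)]


def flood_syns(seconds=10):
    # Constructed sample: one SYN every 2 ms from a flooding source.
    return [(t, "flood") for t in range(0, seconds * 1000, 2)]


if __name__ == "__main__":
    mixed = visitor_syns() + flood_syns()
    for label, kwargs in (("global", {}), ("per-source", {"per_source": True})):
        acc, drp = simulate(20, 50, mixed, **kwargs)
        print(label, "accepted:", dict(acc), "dropped:", dict(drp))
```

With n=20 and m=50 the single global bucket is kept empty by the flood, so the visitor's SYNs are dropped along with the excess flood traffic; with one bucket per source the visitor is unaffected.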