Tuesday, July 16, 2013

TCP_FIN_TIMEOUT tuning


According to the TCP variables doc:

The tcp_fin_timeout variable tells the kernel how long to keep sockets in the state FIN-WAIT-2 if you were the one closing the socket. This is used if the other peer is broken for some reason and doesn't close its side, or the other peer may even crash unexpectedly. Each socket left in memory takes approximately 1.5Kb of memory, and hence this may eat a lot of memory if you have a moderate webserver or something alike. By reducing the value of this entry, TCP/IP can release closed connections faster, making more resources available for new connections.

This variable takes an integer value which is per default set to 60 seconds. This used to be 180 seconds in 2.2 kernels, but was reduced due to the problems mentioned above with webservers and problems that arose from getting huge amounts of connections.

This variable is required to prevent DoS attacks.

In Linux the running value is /proc/sys/net/ipv4/tcp_fin_timeout. Note that it only governs orphaned sockets, i.e. ones the application has already close()d, that are waiting in FIN-WAIT-2 for the peer's FIN; it has no effect on TIME-WAIT, and a socket the application still holds open in FIN-WAIT-2 is not timed out by it at all.

# Temporary (lost on reboot). Writing to /proc needs root, and "sudo echo 30 > /proc/..." does not work because the redirect is opened by your unprivileged shell, so go through sysctl or a root shell:
$ sudo sysctl -w net.ipv4.tcp_fin_timeout=30
or
$ sudo sh -c 'echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout'

# Permanent: add the line to /etc/sysctl.conf (or a file under /etc/sysctl.d/), then reload it. sysctl -w by itself is not permanent.
$ sudo vi /etc/sysctl.conf
# add the following
net.ipv4.tcp_fin_timeout = 30
$ sudo sysctl -p

# Verify
$ sysctl -n net.ipv4.tcp_fin_timeout
30
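The procedure above as an added example, not code from the original post: a POSIX shell script that reports the current value and how many IPv4 sockets are sitting in FIN-WAIT-2 right now (so you can see whether the tuning is worth doing before touching it), validates the new value, applies it at runtime through sysctl, and persists it in a sysctl.d drop-in. The drop-in name /etc/sysctl.d/60-tcp-fin-timeout.conf, the script name tune_fin_timeout.sh used in the guard at the bottom, and the 5..600 second sanity range are my assumptions, and sample_tcp_table is a constructed /proc/net/tcp excerpt rather than a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and tune
# net.ipv4.tcp_fin_timeout on Linux.  The drop-in file name, the script
# name used in the guard at the bottom and the 5..600 s sanity range are
# assumptions, not kernel or distro conventions.

SYSCTL_KEY=net.ipv4.tcp_fin_timeout
PROC_PATH=/proc/sys/net/ipv4/tcp_fin_timeout
DROPIN=/etc/sysctl.d/60-tcp-fin-timeout.conf   # assumed name

# Count sockets in FIN-WAIT-2 in a /proc/net/tcp-style table read on stdin.
# Column 4 is the hex connection state: 04 FIN_WAIT1, 05 FIN_WAIT2,
# 06 TIME_WAIT.  Only 05 is subject to tcp_fin_timeout.
count_fin_wait2() {
    awk 'NR > 1 && $4 == "05" { n++ } END { print n + 0 }'
}

# Constructed /proc/net/tcp excerpt (not captured from a real host): one
# listener, two orphaned FIN-WAIT-2 sockets and one TIME-WAIT socket.
sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 0100007F:C350 05 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 20 4 0 10 -1
   2: 0100007F:0050 0100007F:C351 05 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 20 4 0 10 -1
   3: 0100007F:0050 0100007F:C352 06 00000000:00000000 03:00000005 00000000     0        0 0 1 0000000000000000
EOF
}

# Accept only a positive integer within a sanity range: values below a few
# seconds drop FINs from slow but healthy peers, and values far above the
# default let a misbehaving peer hold memory per orphaned socket for longer.
validate_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 5 ] && [ "$1" -le 600 ]
}

# Render the persistent drop-in so the change can be reviewed before writing.
render_dropin() {
    printf '# Seconds an orphaned socket may wait in FIN-WAIT-2 (kernel default 60)\n'
    printf '%s = %s\n' "$SYSCTL_KEY" "$1"
}

show_current() {
    printf '%s = ' "$SYSCTL_KEY"
    cat "$PROC_PATH"
    printf 'IPv4 sockets in FIN-WAIT-2 right now: '
    count_fin_wait2 < /proc/net/tcp
}

apply_timeout() {
    validate_timeout "$1" || { echo "refusing timeout '$1'" >&2; return 1; }
    # Runtime change.  "sudo echo 30 > /proc/..." fails because the redirect
    # is opened by the unprivileged shell, so go through sysctl instead.
    sysctl -w "$SYSCTL_KEY=$1"
    # sysctl -w alone is lost on reboot; persist and reload the drop-in.
    render_dropin "$1" > "$DROPIN"
    sysctl -p "$DROPIN"
}

main() {
    show_current
    if [ "$#" -eq 1 ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root to change the value" >&2; return 1; }
        apply_timeout "$1"
    fi
}

# Run the command-line flow only when executed as a script, not when sourced.
case "$0" in *tune_fin_timeout.sh) main "$@" ;; esac
```

Run it with no argument to see the current setting and the FIN-WAIT-2 count, or as root with a single number (e.g. `sudo ./tune_fin_timeout.sh 30`) to apply and persist it. If the count is near zero under normal load there is little to gain from lowering the value; it only pays off when dead peers leave many orphaned sockets behind.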
