On Tue, 10 Jul 2007, Mike Silbersack wrote:

> On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
>
>> Can't say that I am pushing much traffic through my box, but after applying
>> your patch and rebuilding the kernel I am still seeing the messages like
>> -----
>> TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19<FIN,PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
>> TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
>> -----
>> But what had changed is that the lines with the 'syncache_timer' started to
>> appear. There were no such lines prior to the patch, only the 'failed
>> SYNCOOKIE' ones.
>
> The "syncache_timer: Response timeout" message means that the syncache sent
> a SYN-ACK response four times, but still didn't receive a response. This
> probably means that someone tried using a port scanner or was going through
> a faulty firewall. We'll definitely have to take that log message out
> before 7.0 is released.

As I mentioned to Andre before he committed the log message support, there
needs to be an administrative twiddle for it, and pretty much all need to
either be rate-limited or turned off by default when we get to the release.
Otherwise they make very easy DoS opportunities, especially for systems with
serial consoles.

Robert N M Watson
Computer Laboratory
University of Cambridge

Received on Wed Jul 11 2007 - 10:08:15 UTC
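Added example, not from this thread or the FreeBSD tree: the kind of administrative knob plus per-second rate limit Robert describes for the syncache log lines, modelled on the idea behind the kernel's ppsratecheck(9). The sysctl name in the comment and the clock passed in by the caller are assumptions made so the logic runs offline.

```c
/* Added example (not FreeBSD code): rate-limited, switchable diagnostic
 * logging for syncache events. The time source is passed in explicitly so
 * the decision logic can be exercised without a kernel. */
#include <stdio.h>
#include <stdbool.h>

struct log_limiter {
    bool enabled;      /* hypothetical knob, e.g. a net.inet.tcp sysctl (assumed name) */
    int  max_per_sec;  /* lines allowed per one-second window; 0 = unlimited */
    long window_start; /* start of the current window, in seconds */
    int  emitted;      /* lines emitted in the current window */
    long suppressed;   /* lines dropped since the last summary line */
};

/* Decide whether one diagnostic line may be logged at time `now` (seconds).
 * Returns true if the caller should print it. When a window closes with
 * dropped lines, a single summary line is printed so the operator still
 * learns that a flood happened, while remote packets can no longer push an
 * unbounded stream of text to the console. */
bool log_allowed(struct log_limiter *l, long now)
{
    if (!l->enabled)
        return false;               /* knob off: nothing reaches the console */
    if (l->max_per_sec <= 0)
        return true;                /* unlimited */
    if (now != l->window_start) {   /* new window: report drops, reset count */
        if (l->suppressed > 0) {
            printf("syncache: %ld log messages suppressed\n", l->suppressed);
            l->suppressed = 0;
        }
        l->window_start = now;
        l->emitted = 0;
    }
    if (l->emitted < l->max_per_sec) {
        l->emitted++;
        return true;
    }
    l->suppressed++;
    return false;
}

/* Constructed scenario: `n` syncache events arriving within second `sec`
 * (what a flood of spoofed segments would look like). Returns how many
 * lines would actually have been logged. */
int simulate_burst(struct log_limiter *l, long sec, int n)
{
    int logged = 0;
    for (int i = 0; i < n; i++)
        if (log_allowed(l, sec))
            logged++;
    return logged;
}
```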