Re: FreeBSD 7 TCP syncache fix: request for testers

From: Andre Oppermann <andre_at_freebsd.org>
Date: Thu, 12 Jul 2007 01:08:41 +0200
Robert Watson wrote:
> On Tue, 10 Jul 2007, Mike Silbersack wrote:
> 
>> On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
>>
>>> Can't say that I am pushing much traffic through my box, but after 
>>> applying your patch and rebuilding the kernel I am still seeing the 
>>> messages like ----- TCP: [209.132.176.NNN]:NNN to 
>>> [144.206.NNN.NNN]:NNN tcpflags 0x19<FIN,PUSH,ACK>; syncache_expand: 
>>> Segment failed SYNCOOKIE authentication, segment rejected (probably 
>>> spoofed) TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; 
>>> syncache_timer: Response timeout ----- But what had changed is that 
>>> the lines with the 'syncache_timer' started to appear.  There were no 
>>> such lines prior to the patch, only the 'failed SYNCOOKIE' ones.
>>
>> The "syncache_timer: Response timeout" message means that the syncache 
>> sent a SYN-ACK response four times, but still didn't receive a 
>> response. This probably means that someone tried using a port scanner 
>> or was going through a faulty firewall.  We'll definitely have to take 
>> that log message out before 7.0 is released.
> 
> As I mentioned to Andre before he committed the log message support, 
> there needs to be an administrative twiddle for it, and pretty much all 
> need to either be rate-limited or turned off by default when we get to 
> the release. Otherwise they make very easy DoS opportunities, especially 
> for systems with serial consoles.

Yes, I'm aware of that and will provide an appropriate patch shortly.

-- 
Andre
Received on Wed Jul 11 2007 - 21:35:12 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:14 UTC