Re: FreeBSD 7 TCP syncache fix: request for testers

From: Peter Wemm <peter_at_wemm.org>
Date: Fri, 20 Jul 2007 11:55:44 -0700
On Tuesday 10 July 2007, Mike Silbersack wrote:
> On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
> > Can't say that I am pushing much traffic through my box, but after
> > applying your patch and rebuilding the kernel I am still seeing the
> > messages like
> > -----
> > TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags
> > 0x19<FIN,PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
> > authentication, segment rejected (probably spoofed) TCP:
> > [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer:
> > Response timeout -----
> > But what had changed is that the lines with the 'syncache_timer'
> > started to appear.  There were no such lines prior to the patch,
> > only the 'failed SYNCOOKIE' ones.
>
> The "syncache_timer: Response timeout" message means that the
> syncache sent a SYN-ACK response four times, but still didn't receive
> a response. This probably means that someone tried using a port
> scanner or was going through a faulty firewall.  We'll definitely
> have to take that log message out before 7.0 is released.
>
> The fact that you're still getting the syncache_expand message tells
> me that there's another bug which I have not yet fixed still present.

I get hundreds of these messages within a few hours of boot:

[...]
TCP: [127.0.0.1]:65491 to [127.0.0.1]:1128 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
TCP: [127.0.0.1]:64055 to [127.0.0.1]:1128 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
TCP: [10.0.0.85]:1665 to [10.0.0.3]:139 tcpflags 0x4<RST>; tcp_input: 
Listen socket: Spurious RST, segment rejected
TCP: [127.0.0.1]:60995 to [127.0.0.1]:1128 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
TCP: [10.0.0.84]:56408 to [10.0.0.3]:22 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
TCP: [127.0.0.1]:53469 to [127.0.0.1]:1128 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
TCP: [127.0.0.1]:52446 to [127.0.0.1]:1128 tcpflags 0x10<ACK>; 
syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
[...]

How on earth can localhost be spoofing itself?  This is getting quite 
absurd. :-(

Port 1128 is an x10 daemon FWIW.  There is just one single client, run 
from cron every few minutes.  There is no congestion on the listen 
socket.  It is an extremely quiet and low volume server.

I don't have your patch installed, but am just about to.  I mentioned it 
because you commented that this is a different problem below.

> My suspicion is that the "Segment failed SYNCOOKIE authentication"
> message is the aftereffect of FreeBSD 7 randomly dropping TCP
> connections, and not the problem itself.  My theory is that the
> connection is silently dropped, without the other endpoint knowing. 
> That other endpoint then sends an ACK packet, which is then believed
> to be a syncookie.  Since it is not, it obviously fails the
> verification.
>
> Finding that bug is my next goal.
>
> > But the patch received only half a day of testing, so I will
> > continue the tests and will inform you if some other information
> > will be available.  Up to date I don't see problems that had
> > appeared without the patch, but they tend to show up after a
> > midnight ;))
> >
> > Thank you!
>
> Thanks for testing, I look forward to hearing how things work for
> you.

I'll give your patch a shot and see if it improves things at all.

-- 
Peter Wemm - peter_at_wemm.org; peter_at_FreeBSD.org; peter_at_yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
Received on Sat Jul 21 2007 - 20:30:32 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:15 UTC