Re: Segment failed SYNCOOKIE?

From: Abdullah Ibn Hamad Al-Marri <almarrie_at_gmail.com>
Date: Mon, 28 May 2007 20:29:21 +0300

On 5/28/07, Andre Oppermann <andre_at_freebsd.org> wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/26/07, Steve Kargl <sgk_at_troutmask.apl.washington.edu> wrote:
> >
> >> Anyone have ideas on how to cure
> >>
> >> May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
> >> [192.168.0.13]:50992 tcpflags 0x11<FIN,ACK>; syncache_expand:
> >> Segment failed SYNCOOKIE authentication
> >>
> >> The hardware and kernel on 192.168.0.15 and 192.168.0.13
> >> are identical.
> >>
> >> --
> >> Steve
> >
> > 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> >
> > I got the same problem and my server panicked today.
>
> Please provide the panic message and if available a backtrace for the
> panic.  We have to track down the exact cause of it (which may not
> necessarily be the syncache).
>
> > TCP: [70.162.96.41]:54686 to [IP removed for security reasons]:59999
> > tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
> > authentication
>
> Logging of TCP segment validation failure has recently been enabled
> to aid debugging of TCP (interoperability) issues.
>
> This particular message means that a SYN was received on a listen
> socket but no matching syncache entry was found.  The second test
> for a syncookie also failed.  Normally this means a spoofed packet
> or port scan is hitting your machine.  To make this certain you should
> answer a couple of questions:  a) What daemon is running on your port
> 59999?  b) Do you know [70.162.96.41] and does it have any business
> in contacting your daemon on 59999?
>
> I agree that the log message should be made more clear to avoid
> unnecessary confusion.  Nothing is broken and syncache is doing its
> job just fine.
>
> --
> Andre

Hello Andre,

Thanks for looking into this issue.

The server IP isn't known by anyone, just me and my friend, and yes I
know 70.162.96.41, which is his IP on a Linux box which runs the Ubuntu
distro.

I run sshd on 59999, and we were both connected to it, then it died.

This is a server, so I removed the debug options to not slow it down.

If you think a port scan could crash 7.0-CURRENT, can you run nmap and
test it on 7.0-CURRENT?

Do you think disabling syncache would protect my box against the same
panic again?

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
Received on Mon May 28 2007 - 15:36:08 UTC
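
The two questions in the quoted reply (which daemon listens on the destination port, and whether the source is a known peer) can be applied to a batch of these log lines. The Python sketch below is an added example, not part of the original message or of FreeBSD's code; the `triage` function, the verdict names, the three-port scan threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Kernel message format as quoted in this thread (joined onto one line).
LINE_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:\d+ to \[[^\]]+\]:(?P<dport>\d+) "
    r"tcpflags 0x[0-9a-fA-F]+<(?P<flags>[A-Z,]+)>; "
    r"syncache_expand: Segment failed SYNCOOKIE authentication"
)
SCAN_PORTS = 3  # assumption: this many distinct ports from one source looks like a scan

def triage(lines, listening_ports, known_peers):
    """Group failures by source, then ask: (a) is a daemon on the port, (b) is the source known."""
    seen = defaultdict(lambda: {"count": 0, "ports": set(), "flags": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # other kernel messages are ignored
        s = seen[m["src"]]
        s["count"] += 1
        s["ports"].add(int(m["dport"]))
        s["flags"].update(m["flags"].split(","))
    report = {}
    for src, s in seen.items():
        if len(s["ports"]) >= SCAN_PORTS:
            verdict = "scan-like"
        elif src in known_peers and s["ports"] <= listening_ports:
            verdict = "known-peer"  # a scan does not explain it; look at the connection
        else:
            verdict = "unexplained-source"
        report[src] = {"verdict": verdict, "count": s["count"],
                       "ports": sorted(s["ports"]), "flags": sorted(s["flags"])}
    return report

# Constructed sample lines (documentation addresses, not taken from the thread).
_PFX = "May 28 10:00:01 host kernel: TCP: "
_MSG = "; syncache_expand: Segment failed SYNCOOKIE authentication"
SAMPLE = [
    _PFX + "[192.0.2.10]:54686 to [198.51.100.5]:59999 tcpflags 0x18<PUSH,ACK>" + _MSG,
    _PFX + "[192.0.2.10]:54686 to [198.51.100.5]:59999 tcpflags 0x11<FIN,ACK>" + _MSG,
    _PFX + "[203.0.113.7]:40001 to [198.51.100.5]:22 tcpflags 0x10<ACK>" + _MSG,
    _PFX + "[203.0.113.7]:40002 to [198.51.100.5]:80 tcpflags 0x10<ACK>" + _MSG,
    _PFX + "[203.0.113.7]:40003 to [198.51.100.5]:443 tcpflags 0x10<ACK>" + _MSG,
    _PFX + "[203.0.113.99]:51000 to [198.51.100.5]:59999 tcpflags 0x10<ACK>" + _MSG,
    "May 28 10:00:02 host kernel: em0: link state changed to UP",
]

if __name__ == "__main__":
    print(triage(SAMPLE, listening_ports={59999}, known_peers={"192.0.2.10"}))
```

A `known-peer` verdict matches the situation described in this message: a known host talking to a real daemon, which the usual spoofed-packet or port-scan reading does not account for.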
