Re: Segment failed SYNCOOKIE?

From: Abdullah Ibn Hamad Al-Marri <almarrie_at_gmail.com>
Date: Tue, 29 May 2007 01:10:31 +0300
On 5/28/07, Andre Oppermann <andre_at_freebsd.org> wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/28/07, Andre Oppermann <andre_at_freebsd.org> wrote:
> >> Abdullah Ibn Hamad Al-Marri wrote:
> >> > On 5/26/07, Steve Kargl <sgk_at_troutmask.apl.washington.edu> wrote:
> >> >
> >> >> Anyone have ideas on how to cure
> >> >>
> >> >> May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
> >> >> [192.168.0.13]:50992 tcpflags 0x11<FIN,ACK>; syncache_expand:
> >> >> Segment failed SYNCOOKIE authentication
> >> >>
> >> >> The hardware and kernel on 192.168.0.15 and 192.168.0.13
> >> >> are identical.
> >> >>
> >> >> --
> >> >> Steve
> >> >
> >> > 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> >> >
> >> > I got the same problem and my sever paniced today.
> >>
> >> Please provide the panic message and if available a backtrace for the
> >> panic.  We have to track down the exact cause of it (which may not
> >> necessarily be the syncache).
> >>
> >> > TCP: [70.162.96.41]:54686 to [IP removed for security reasons]:59999
> >> > tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
> >> > authentication
> >>
> >> Logging of TCP segment validation failure has recently been enabled
> >> to aid debugging of TCP (interoperability) issues.
> >>
> >> This particular message means that a SYN was received on a listen
> >> socket but no matching syncache entry was found.  The second test
> >> for a syncookie also failed.  Normally this means a spoofed packet
> >> or port scan is hitting your machine.  To make this certain you should
> >> answer a couple of questions:  a) What daemon is running on your port
> >> 59999?  b) Do you know [70.162.96.41] and does it have any business
> >> in contacting your daemon on 59999?
> >>
> >> I agree that the log message should be made more clear to avoid
> >> unnecessary confusion.  Nothing is broken and syncache is doing its
> >> job just fine.
> >>
> >> --
> >> Andre
> >
> > Hello Andre,
> >
> > Thanks for looking into this issue.
>
> You're always welcome.
>
> > The server IP isn't known by anyone, just me and my friend, and yes I
> > know 70.162.96.41 which is his IP in a Linux box which runs distro
> > Ubuntu.
>
> Please obtain the exact version number of the Linux kernel that is
> running on your friends box on 70.162.96.41.  This will help me to
> track down the source of the problem and which OS gets it wrong.

I'll ask him when he comes online

>
> > I run sshd in 59999, and we were both connected to it, then it died.
>
> The connection or sshd itself?
sshd accepts connections on port 59999 to avoid ssh attempt sin default port.

>
> > This is a server, so I removed the debug options to not slow it down.
>
> We have to track down the cause of the panic and it would really
> help if you could find a way to reproduce it.  To see the real source
> of the panic you need a kernel with these options present:
>
> options         KDB             # Enable kernel debugger support.
> options         DDB             # Support DDB.
>
> With these options you drop into the kernel debugger when a panic
> happens.  Once there you have to type "trace" to get a backtrace.
> Either transcribe it by hand or take a picture with a digicam and
> make it available for download somewhere (please don't send it by
> email, picture attachments are filtered).  A serial console would
> be even better as you can simply copy-paste it from another machine.
> After transcribing the backtrace you can type "reset" to reboot.

This is a server I manage via sshd, no phiscal access to it, so how
can I catch the panic trace? log as su and keep my connection alive?
if I can get the panic, I'll be able to copy & paste it easily via the
kssh client.


>
> > If you think port scan could crash 7.0-CURRENT, Can you run nmap and
> > test it 7.0-CURRENT?
>
> A port scan should not be able to crash FreeBSD.
>
> > Do you think disabeling syncache would prevent my box against the same
> > panic again?
>
> Syncache can't be disabled.  Only syncookies can be disabled but that
> won't really help as you simple get a different error.
>
> A few hours ago I've committed a reworked tcp_input() SYN processing
> section that'll either fix you issue or expose a more detailed error
> message.
>
> --
> Andre

I'll csup and compile the kernel with

options         KDB             # Enable kernel debugger support.
options         DDB             # Support DDB.

Per your request once my box comes onlines. :)

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
Received on Mon May 28 2007 - 20:10:34 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:11 UTC