Andre Oppermann <andre_at_freebsd.org> wrote:

> On 10.07.2013 15:18, Fabian Keil wrote:
> > Andre Oppermann <andre_at_freebsd.org> wrote:
> >
> >> We have a SYN cookie implementation for quite some time now but it
> >> has some limitations with current realities for window scaling and
> >> SACK encoding the in the few available bits.
[...]
> >> http://people.freebsd.org/~andre/syncookie-20130708.diff
> >
> > I've been using the patch for a couple of days and didn't notice any
> > issues so far. Privoxy's regression tests continue to work as expected
> > as well.
>
> Thanks for testing and reporting back.
>
> Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1
> as well to bypass the syn cache entirely?

I haven't noticed any issues with net.inet.tcp.syncookies_only=1.

> It will give a bit of debug log output which is it telling you mostly about
> rounding to the next nearest index value. You can send the output privately
> to me to spot unexpected outliers, if any.

One unexpected outlier seems to be:

Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data after socket was closed, sending RST and removing tcpcb
Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)

This also seems to have resulted in two reset packets:

fk_at_r500 ~/test/wireshark $tcpdump -vv -n -r syncookie-test.pcap dst port 62972
reading from file syncookie-test.pcap, link-type NULL (BSD loopback)
12:42:47.033832 IP (tos 0x0, ttl 64, id 17522, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->e248)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [S.], cksum 0x8c5f (correct), seq 1633309846, ack 61471870, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 4243589075 ecr 4051741531], length 0
12:42:47.138107 IP (tos 0x0, ttl 64, id 17582, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e214)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xef2f (correct), seq 1, ack 183, win 1275, options [nop,nop,TS val 4243589180 ecr 4051741536], length 0
12:42:47.785762 IP (tos 0x0, ttl 64, id 17592, offset 0, flags [DF], proto TCP (6), length 120, bad cksum 0 (->e1c6)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7209 (correct), seq 1:69, ack 183, win 1275, options [nop,nop,TS val 4243589827 ecr 4051741536], length 68
12:42:47.945156 IP (tos 0x0, ttl 64, id 17609, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e1f9)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xe80f (correct), seq 69, ack 325, win 1275, options [nop,nop,TS val 4243589987 ecr 4051742343], length 0
12:42:48.470035 IP (tos 0x0, ttl 64, id 17678, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->dfc2)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x3ce0 (correct), seq 69:567, ack 325, win 1275, options [nop,nop,TS val 4243590511 ecr 4051742343], length 498
12:42:48.599754 IP (tos 0x0, ttl 64, id 17683, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->dfbd)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x0a10 (correct), seq 567:1065, ack 325, win 1275, options [nop,nop,TS val 4243590641 ecr 4051743067], length 498
12:42:48.699161 IP (tos 0x0, ttl 64, id 17688, offset 0, flags [DF], proto TCP (6), length 2465, bad cksum 0 (->d83d)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x92bd (correct), seq 1065:3478, ack 325, win 1275, options [nop,nop,TS val 4243590741 ecr 4051743197], length 2413
12:42:48.824428 IP (tos 0x0, ttl 64, id 17706, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e198)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xd2da (correct), seq 3478, ack 592, win 1275, options [nop,nop,TS val 4243590867 ecr 4051743216], length 0
12:42:48.924148 IP (tos 0x0, ttl 64, id 17713, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e191)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xd1dd (correct), seq 3478, ack 639, win 1275, options [nop,nop,TS val 4243590966 ecr 4051743323], length 0
12:42:49.725732 IP (tos 0x0, ttl 64, id 17769, offset 0, flags [DF], proto TCP (6), length 99, bad cksum 0 (->e12a)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7969 (correct), seq 3478:3525, ack 639, win 1275, options [nop,nop,TS val 4243591767 ecr 4051743323], length 47
12:42:49.833378 IP (tos 0x0, ttl 64, id 17784, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e14a)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xc9a7 (correct), seq 3525, ack 882, win 1275, options [nop,nop,TS val 4243591876 ecr 4051744225], length 0
12:42:50.436702 IP (tos 0x0, ttl 64, id 17801, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->df47)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x3f05 (correct), seq 3525:4023, ack 882, win 1275, options [nop,nop,TS val 4243592478 ecr 4051744225], length 498
12:42:50.539394 IP (tos 0x0, ttl 64, id 17847, offset 0, flags [DF], proto TCP (6), length 5051, bad cksum 0 (->cd84)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x1b29 (correct), seq 4023:9022, ack 882, win 1275, options [nop,nop,TS val 4243592581 ecr 4051745037], length 4999
12:42:50.639133 IP (tos 0x0, ttl 64, id 17860, offset 0, flags [DF], proto TCP (6), length 7204, bad cksum 0 (->c50e)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7f02 (correct), seq 9022:16174, ack 882, win 1275, options [nop,nop,TS val 4243592681 ecr 4051745137], length 7152
12:42:50.673745 IP (tos 0x0, ttl 64, id 17867, offset 0, flags [DF], proto TCP (6), length 16384, bad cksum 0 (->a12b)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0x1f1d (correct), seq 16174:32506, ack 882, win 1275, options [nop,nop,TS val 4243592715 ecr 4051745137], length 16332
12:42:50.673796 IP (tos 0x0, ttl 64, id 17869, offset 0, flags [DF], proto TCP (6), length 1244, bad cksum 0 (->dc4d)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xf717 (correct), seq 32506:33698, ack 882, win 1275, options [nop,nop,TS val 4243592715 ecr 4051745171], length 1192
12:42:50.769080 IP (tos 0x0, ttl 64, id 17883, offset 0, flags [DF], proto TCP (6), length 16384, bad cksum 0 (->a11b)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0x6a4e (correct), seq 33698:50030, ack 882, win 1275, options [nop,nop,TS val 4243592811 ecr 4051745171], length 16332
12:42:50.769123 IP (tos 0x0, ttl 64, id 17885, offset 0, flags [DF], proto TCP (6), length 2532, bad cksum 0 (->d735)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x4cde (correct), seq 50030:52510, ack 882, win 1275, options [nop,nop,TS val 4243592811 ecr 4051745267], length 2480
12:42:50.869118 IP (tos 0x0, ttl 64, id 17908, offset 0, flags [DF], proto TCP (6), length 13592, bad cksum 0 (->abea)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xd9bf (correct), seq 52510:66050, ack 882, win 1275, options [nop,nop,TS val 4243592911 ecr 4051745367], length 13540
12:42:50.980382 IP (tos 0x0, ttl 64, id 17938, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->debe)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x9e13 (correct), seq 66050:66548, ack 882, win 1275, options [nop,nop,TS val 4243593022 ecr 4051745383], length 498
12:42:51.080184 IP (tos 0x0, ttl 64, id 17953, offset 0, flags [DF], proto TCP (6), length 3538, bad cksum 0 (->d303)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xe297 (correct), seq 66548:70034, ack 882, win 1275, options [nop,nop,TS val 4243593122 ecr 4051745578], length 3486
12:42:51.126696 IP (tos 0x0, ttl 64, id 17960, offset 0, flags [DF], proto TCP (6), length 1484, bad cksum 0 (->db02)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [FP.], cksum 0xd00a (correct), seq 70034:71466, ack 882, win 1275, options [nop,nop,TS val 4243593168 ecr 4051745578], length 1432
12:42:51.173301 IP (tos 0x0, ttl 64, id 17981, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e091)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [R], cksum 0xb90f (correct), seq 1633381313, win 0, length 0
12:42:51.173330 IP (tos 0x0, ttl 64, id 17983, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e08f)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [R], cksum 0xb90f (correct), seq 1633381313, win 0, length 0

Client and server are running on the same system.

As I don't usually use net.inet.tcp.log_debug and haven't been
able to intentionally reproduce the issue (but have seen it a few
times), I'm not sure yet if the behaviour is actually related to
the SYN cookie changes at all.

Fabian
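
Added example, not part of the original message or of the FreeBSD patch: a triage script for net.inet.tcp.log_debug output that pairs each "failed SYNCOOKIE authentication" line with an earlier "removing tcpcb" line for the same address/port 4-tuple, so rejections that closely follow a teardown of the same connection (as in the two kernel log lines quoted in the message above) are listed separately from rejections with no preceding teardown. The names `classify`, `WINDOW` and `SAMPLE`, the 5-second window and the third sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# One net.inet.tcp.log_debug line: timestamp, 4-tuple, flags, function, message.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[\d+\] )?TCP: "
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags 0x[0-9a-f]+<(?P<flags>[^>]*)>; (?P<func>\w+): (?P<msg>.*)$"
)
# Assumption: a rejected segment this soon after teardown is treated as a straggler.
WINDOW = timedelta(seconds=5)

SAMPLE = [
    # The two log lines quoted in the message.
    "Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 "
    "tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data "
    "after socket was closed, sending RST and removing tcpcb",
    "Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 "
    "tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE "
    "authentication, segment rejected (probably spoofed)",
    # Constructed line: same message, but no earlier teardown for this 4-tuple.
    "Jul 11 12:43:05 r500 kernel: [10961] TCP: [192.0.2.7]:40000 to [10.0.0.1]:8118 "
    "tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE "
    "authentication, segment rejected (probably spoofed)",
]

def classify(lines, year=2013):
    """Return (4-tuple, flags, verdict) for every SYN cookie rejection."""
    closed = {}   # 4-tuple -> time its tcpcb was removed
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a TCP debug line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        if "removing tcpcb" in m["msg"]:
            closed[key] = ts
        elif "failed SYNCOOKIE authentication" in m["msg"]:
            torn = closed.get(key)
            late = torn is not None and timedelta(0) <= ts - torn <= WINDOW
            results.append((key, m["flags"], "late-segment" if late else "unexplained"))
    return results

if __name__ == "__main__":
    for key, flags, verdict in classify(SAMPLE):
        print(verdict, flags, "%s:%s -> %s:%s" % key)
```
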