Date: Wed, 25 Sep 2002 13:20:52 +1000 (EST)
From: Gregory Bond <gnb@itga.com.au>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/43348: PATCH: make tcp.log_in_vain distinguish SYN from SYN-ACK
Message-ID: <200209250320.g8P3Kq9E073391@grollo.itga.com.au>
>Number:         43348
>Category:       kern
>Synopsis:       PATCH: make tcp.log_in_vain distinguish SYN from SYN-ACK
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 24 20:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Gregory Bond
>Release:        FreeBSD 4.7-PRERELEASE i386
>Organization:
ITG Australia Ltd
>Environment:
System: FreeBSD grollo.itga.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #13: Tue Sep 10 17:23:35 EST 2002 toor@grollo.itga.com.au:/usr/obj/usr/src/sys/GROLLO i386
>Description:
The tcp.log_in_vain sysctl sends a kernel log message whenever an incoming TCP packet is received but there is no waiting socket to receive it. Setting log_in_vain to 1 will only log SYN (i.e. connection setup) packets, which are often caused by someone trying to portscan your box.

However, there are sometimes cases where the incoming orphaned SYN packet is quite valid, and not caused by portscanning at all. If a program on this box (or a NAT'd connection from this box on behalf of an internal host) is trying to connect to a service (e.g. web server or mail server) on a remote machine that has a very slow network connection, this system will send out a TCP SYN packet, but not get anything back straight away. The user (or the program) may then give up, which will remove the waiting socket. Eventually, the remote site responds with a TCP SYN-ACK packet, but the log_in_vain code logs this as a SYN packet and it is easily mistaken for a portscan. (You can't rely on the dest port=25/80 to disambiguate, as many port scans are done using these ports as the remote source port to try and get around naive firewall rules.)

The attached patch makes log_in_vain=3 behave the same way as log_in_vain=1 except for the case of an orphaned incoming SYN-ACK packet, which is specially flagged in the log message.
This helps to disambiguate real port scans from the case of late SYN-ACKs from slow hosts. [Another possibility is to make log_in_vain=3 ignore SYN-ACK packets, or just make log_in_vain=1 ignore them. I chose the current arrangement as having least backwards-compatibility impact. I leave that up to TPTB to decide which is the best solution!] >How-To-Repeat: sysctl -w net.inet.tcp.log_in_vain=1 Try to connect to slow external servers. Watch for occasional log messages that mistakenly imply the remote host is portscanning you. >Fix: --- log_in_vain.diffs2 begins here --- Index: share/man/man4/tcp.4 =================================================================== RCS file: /usr/ncvs/src/share/man/man4/tcp.4,v retrieving revision 1.11.2.12 diff -u -r1.11.2.12 tcp.4 --- share/man/man4/tcp.4 29 Aug 2002 21:29:10 -0000 1.11.2.12 +++ share/man/man4/tcp.4 25 Sep 2002 01:28:47 -0000 @@ -219,8 +219,12 @@ The value of 1 limits the logging to SYN (connection establishment) packets only. That of 2 results in any TCP packets to closed ports being logged. +That of 3 is similar to 1 in that it only logs SYN packets, but it +also notes when a packet is a SYN-ACK packet (which is usually the result +of an outgoing connection being closed early, +rather than an incoming port scan.) +The default value is 0 (i.e., the logging is disabled.) Any value unlisted above disables the logging -(default is 0, i.e., the logging is disabled). .It tcp.slowstart_flightsize The number of packets allowed to be in-flight during the .Tn TCP Index: sys/netinet/tcp_input.c =================================================================== RCS file: /usr/ncvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.107.2.30 diff -u -r1.107.2.30 tcp_input.c --- sys/netinet/tcp_input.c 3 Sep 2002 22:32:47 -0000 1.107.2.30 +++ sys/netinet/tcp_input.c 10 Sep 2002 05:01:27 -0000 
@@ -596,12 +596,14 @@ #endif /* INET6 */ switch (log_in_vain) { case 1: + case 3: if(thflags & TH_SYN) log(LOG_INFO, - "Connection attempt to TCP %s:%d from %s:%d\n", + "Connection attempt to TCP %s:%d from %s:%d%s\n", dbuf, ntohs(th->th_dport), sbuf, - ntohs(th->th_sport)); + ntohs(th->th_sport), + log_in_vain == 3 && thflags & TH_ACK ? " (SYN-ACK)" : ""); break; case 2: log(LOG_INFO, --- log_in_vain.diffs2 ends here --- >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
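Review bot: in the tcp.4 hunk, moving the default-value sentence above "Any value unlisted above disables the logging" leaves that sentence dangling after the new "The default value is 0 (i.e., the logging is disabled.)" line, so the paragraph now reads out of order; keep the original order, i.e. "Any value unlisted above disables the logging." followed by "The default value is 0 (i.e., the logging is disabled)." Two smaller points: the added text says value 3 "only logs SYN packets", but the kernel hunk logs any segment with TH_SYN set, so a SYN-ACK is still logged under 3 and merely annotated, and wording such as "logs the same packets as 1 but marks those that are SYN-ACK" would match the code; and both new parentheticals put the period inside the closing parenthesis ("...early, rather than an incoming port scan.)", "...disabled.)") where the line being removed had it outside.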
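Review bot: in the tcp_input.c hunk, the new format argument `log_in_vain == 3 && thflags & TH_ACK ? " (SYN-ACK)" : ""` mixes `==`, `&&`, `&` and `?:` with no parentheses; it evaluates as intended because `&` binds tighter than `&&`, but the reader has to work that out, so write `(log_in_vain == 3 && (thflags & TH_ACK)) ? " (SYN-ACK)" : ""`. Also, under mode 3 a SYN-ACK is still reported as "Connection attempt to TCP ...", which it is not; the " (SYN-ACK)" suffix is the only cue, so anyone filtering these messages for scans has to key on that suffix rather than the message prefix. The `if(thflags & TH_SYN)` spacing is pre-existing and can stay.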
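As an added example (not code from the PR or from the FreeBSD tree), the following user-space model of the patched log_in_vain switch runs the three cases the report discusses (a scan probe with source port 80, the late SYN-ACK from a slow server, and a stray ACK) through all four sysctl values, so the difference between modes 1 and 3 can be seen side by side. The host addresses and port numbers are constructed, and the mode-2 message text ("flags:0x..") is an assumption, since the hunk only shows the beginning of that case.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* TCP header flag bits, with the same values as <netinet/tcp.h>. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_ACK  0x10

/*
 * Model of the log_in_vain switch in tcp_input.c after the patch.
 * Returns 1 if a segment arriving for a port with no listening or
 * connected socket would be logged under the given mode, 0 if not,
 * and writes the log text (without the trailing newline) into buf.
 * Assumption: the mode-2 message ends in "flags:0x.."; only the
 * mode-1/3 message is visible in the patch.
 */
int
log_in_vain_decision(int log_in_vain, uint8_t thflags,
    const char *dst, unsigned dport, const char *src, unsigned sport,
    char *buf, size_t buflen)
{
	switch (log_in_vain) {
	case 1:
	case 3:
		/* Modes 1 and 3 log every segment carrying SYN, SYN-ACK included. */
		if (thflags & TH_SYN) {
			snprintf(buf, buflen,
			    "Connection attempt to TCP %s:%u from %s:%u%s",
			    dst, dport, src, sport,
			    (log_in_vain == 3 && (thflags & TH_ACK)) ?
			    " (SYN-ACK)" : "");
			return 1;
		}
		return 0;
	case 2:
		/* Mode 2 logs everything that reaches a closed port. */
		snprintf(buf, buflen,
		    "Connection attempt to TCP %s:%u from %s:%u flags:0x%02x",
		    dst, dport, src, sport, thflags);
		return 1;
	default:
		return 0;
	}
}

/*
 * Mode-independent view of the same question: does this orphaned segment
 * look like the tail of a handshake we gave up on (SYN+ACK without RST)
 * rather than a fresh connection attempt (bare SYN)?
 */
int
looks_like_late_synack(uint8_t thflags)
{
	return (thflags & (TH_SYN | TH_ACK | TH_RST)) == (TH_SYN | TH_ACK);
}

/* Constructed sample traffic: a scan probe, the late SYN-ACK, a stray ACK. */
struct sample {
	const char *what;
	uint8_t flags;
	const char *src;
	unsigned sport;
	unsigned dport;
};

int
main(void)
{
	const char *me = "203.0.113.5";	/* this host, constructed address */
	const struct sample samples[] = {
		{ "scan probe (SYN from source port 80)", TH_SYN,          "198.51.100.7", 80, 40000 },
		{ "late SYN-ACK from slow web server",    TH_SYN | TH_ACK, "192.0.2.10",   80, 40000 },
		{ "stray ACK",                            TH_ACK,          "198.51.100.7", 80, 40000 },
	};
	char msg[160];

	for (int mode = 0; mode <= 3; mode++) {
		printf("log_in_vain=%d\n", mode);
		for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
			const struct sample *s = &samples[i];
			if (log_in_vain_decision(mode, s->flags, me, s->dport,
			    s->src, s->sport, msg, sizeof msg))
				printf("  %-40s -> %s\n", s->what, msg);
			else
				printf("  %-40s -> (not logged)\n", s->what);
		}
	}
	return 0;
}
```

Running it shows the point of the PR directly: under mode 1 the probe and the late SYN-ACK produce identical lines, under mode 3 the second one carries the " (SYN-ACK)" suffix, and only mode 2 logs the bare ACK.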