Date: Mon, 11 Jan 2010 12:35:43 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: David Southwell <david@vizion2000.net> Cc: freebsd-questions@freebsd.org Subject: Re: syncache_timer: errors; What do they mean? Message-ID: <4B4B1B1F.1010701@infracaninophile.co.uk> In-Reply-To: <201001111051.56331.david@vizion2000.net> References: <201001111051.56331.david@vizion2000.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig166516BBCF5EB59BDA0AE750
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
David Southwell wrote:
> Here are some example entries in /var/log/messages (server ip address r=
emoved=20
> and replaced by [xxx.xxx.xxx.xxx] :
>=20
> Can anyone please tell me what thses messages mean and what action (if =
any) I=20
> should be taking.
> Thanks in advance for any replies
> Jan 11 10:41:57 dns1 kernel: TCP: [113.53.173.247]:63584 to=20
> [xxx.xxx.xxx.xxx]:25; syncache_timer: Response timeout, retransmitting =
(1)=20
> SYN|ACK
> Jan 11 10:42:01 dns1 kernel: TCP: [113.53.173.247]:63429 to=20
> [xxx.xxx.xxx.xxx]:25; syncache_timer: Response timeout, retransmitting =
(2)=20
> SYN|ACK
> Jan 11 10:42:03 dns1 kernel: TCP: [113.53.173.247]:63584 to=20
> [xxx.xxx.xxx.xxx]:25; syncache_timer: Response timeout, retransmitting =
(2)=20
> SYN|ACK
> Jan 11 10:42:13 dns1 kernel: TCP: [113.53.173.247]:63429 to=20
> [xxx.xxx.xxx.xxx]:25; syncache_timer: Response timeout, retransmitting =
(3)=20
> SYN|ACK
> Jan 11 10:42:16 dns1 kernel: TCP: [113.53.173.247]:63584 to=20
> [xxx.xxx.xxx.xxx]:25; syncache_timer: Response timeout, retransmitting =
(3)=20
> SYN|ACK
>=20
What is happening is this: host 113.53.173.247 (which appears to be
somewhere in Thailand) is trying to connect to port 25 on your machine.
[I guess it's probably trying to spam you.]
Now, the very first packet sent to establish a TCP connection is known
as the 'SYN' packet -- that's because it has the Syn bit set in the=20
options bitmap. That comes from the remote system (as it is trying to
connect to you.) Your machine is receiving that OK.
The next step is for your machine to respond, sending a SYNACK packet
back to the remote machine (Yes: you guessed it: this has both the Syn
and the Ack bits set in the packet options). Your machine is sending
these packets off OK, but here is where it is all going horribly wrong.
Your machine never receives the 3rd packet back from the originating
machine -- which is just an ACK packet -- to say it received the response=
=2E
So it logs the message you've seen and tries again. After a certain
number of retries, it will give up on the attempted connection, clear
out any allocated memory and go back to a quiescent state just listening
for new incoming connections.
Unless all three of these packets make it to and fro, the TCP connection
has not been properly set up. This process is described as the "Three
way handshake" -- unless that succeeds do data can flow across the connec=
tion,
so if this is an attempt to spam you, it's going to be singularly ineffec=
tive.
Chances are, you've run into a badly configured firewall, or a broken
spam-bot, which is causing packets to disappear from the wire. It /might/=
=20
possibly be an attempt to DoS you by filling up various kernel memory
structures allocated to managing TCP connection state, but judging by the=
time chops on the log extract you've shown, the other side would need to
be sending orders of magnitude more traffic in order to beeffective.
Given this is too low intensity to have much effect on your machine, you
can simply do nothing and ignore the log messages: it will clear itself u=
p
given enough time. Otherwise, a firewall rule to drop traffic from the=20
offending source will help reduce the noise level.
On the vanishingly remote chance that this really is a valid SMTP peer of=
yours, you'ld need to contact them out of band and try and work out where=
the traffic is being blocked and what to do about it.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
--------------enig166516BBCF5EB59BDA0AE750
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEUEAREIAAYFAktLGyYACgkQ8Mjk52CukIwi2QCWNmrbXltO1GmDtpZsJN1vczaI
EgCeKiwgMUZzWPj3+jqjFdfZMM9aml8=
=cQtw
-----END PGP SIGNATURE-----
--------------enig166516BBCF5EB59BDA0AE750--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B4B1B1F.1010701>