From: "Abdullah Ibn Hamad Al-Marri"
To: "Andre Oppermann"
Cc: freebsd-current@freebsd.org
Date: Mon, 28 May 2007 20:29:21 +0300
Subject: Re: Segment failed SYNCOOKIE?
Message-ID: <499c70c0705281029o3d32c2c4k9b7467dc11e24c86@mail.gmail.com>
In-Reply-To: <465AF567.6020708@freebsd.org>

On 5/28/07, Andre Oppermann wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/26/07, Steve Kargl wrote:
> >
> >> Anyone have ideas on how to cure
> >>
> >> May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
> >> [192.168.0.13]:50992 tcpflags 0x11; syncache_expand:
> >> Segment failed SYNCOOKIE authentication
> >>
> >> The hardware and kernel on 192.168.0.15 and 192.168.0.13
> >> are identical.
> >>
> >> --
> >> Steve
> >
> > 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> >
> > I got the same problem and my server panicked today.
>
> Please provide the panic message and if available a backtrace for the
> panic. We have to track down the exact cause of it (which may not
> necessarily be the syncache).
>
> > TCP: [70.162.96.41]:54686 to [IP removed for security reasons]:59999
> > tcpflags 0x18; syncache_expand: Segment failed SYNCOOKIE
> > authentication
>
> Logging of TCP segment validation failure has recently been enabled
> to aid debugging of TCP (interoperability) issues.
>
> This particular message means that a SYN was received on a listen
> socket but no matching syncache entry was found. The second test
> for a syncookie also failed. Normally this means a spoofed packet
> or port scan is hitting your machine. To make this certain you should
> answer a couple of questions: a) What daemon is running on your port
> 59999? b) Do you know [70.162.96.41] and does it have any business
> in contacting your daemon on 59999?
>
> I agree that the log message should be made more clear to avoid
> unnecessary confusion. Nothing is broken and syncache is doing its
> job just fine.
>
> --
> Andre

Hello Andre,

Thanks for looking into this issue.

The server IP isn't known by anyone, just me and my friend, and yes I know 70.162.96.41 which is his IP in a Linux box which runs distro Ubuntu.

I run sshd in 59999, and we were both connected to it, then it died.

This is a server, so I removed the debug options to not slow it down.

If you think port scan could crash 7.0-CURRENT, can you run nmap and test it 7.0-CURRENT?

Do you think disabling syncache would prevent my box against the same panic again?

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
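The kernel messages quoted in this thread can be parsed and their tcpflags values decoded, which helps when answering the questions above about which peer and which local port are involved. The Python below is an added example, not part of the original mail or of FreeBSD; the function names are hypothetical, and the flag names are the standard TCP header bits.

```python
import re
from collections import Counter

# Standard TCP header flag bits, lowest bit first.
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

# Matches the kernel message format quoted in this thread. An address may be
# redacted text, so anything inside the square brackets is accepted.
LINE_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
    r"\s+tcpflags (?P<flags>0x[0-9a-fA-F]+); syncache_expand:\s+"
    r"Segment failed SYNCOOKIE\s+authentication"
)

def decode_flags(value):
    """Return the names of the flag bits set in a tcpflags value."""
    return [name for bit, name in enumerate(TCP_FLAGS) if value & (1 << bit)]

def parse(log_text):
    """Yield one dict per SYNCOOKIE failure found in log_text."""
    # Mail clients wrap the message; collapse whitespace so wrapped lines match.
    flat = " ".join(log_text.split())
    for m in LINE_RE.finditer(flat):
        yield {
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": decode_flags(int(m["flags"], 16)),
        }

def summarize(events):
    """Count failures per (source address, local port) pair."""
    return Counter((e["src"], e["dport"]) for e in events)

# The two log messages quoted in the thread, with their mail line wrapping.
SAMPLE = """\
May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
[192.168.0.13]:50992 tcpflags 0x11; syncache_expand:
Segment failed SYNCOOKIE authentication
TCP: [70.162.96.41]:54686 to [IP removed for security reasons]:59999
tcpflags 0x18; syncache_expand: Segment failed SYNCOOKIE
authentication
"""

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    for e in events:
        print(e["src"], "->", e["dst"], e["dport"], "+".join(e["flags"]))
    for (src, dport), n in summarize(events).most_common():
        print(f"{n} failure(s) from {src} to local port {dport}")
```

Run over the two quoted messages, it reports FIN+ACK for the first (0x11) and PSH+ACK for the second (0x18).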