Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 29 Jun 2007 09:32:47 -0700
From:      Steve Kargl <sgk@troutmask.apl.washington.edu>
To:        David Malone <dwmalone@maths.tcd.ie>
Cc:        freebsd-current@freebsd.org
Subject:   Re: SYNCOOKIE authentication problems
Message-ID:  <20070629163247.GA6373@troutmask.apl.washington.edu>
In-Reply-To: <20070629105140.GA51586@walton.maths.tcd.ie>
References:  <20070628014311.GA50012@troutmask.apl.washington.edu> <20070629105140.GA51586@walton.maths.tcd.ie>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Fri, Jun 29, 2007 at 11:51:40AM +0100, David Malone wrote:
> On Wed, Jun 27, 2007 at 06:43:11PM -0700, Steve Kargl wrote:
> > Any advice on how to isolate or avoid?
> > 
> > Jun 27 18:31:19 node11 kernel: TCP: [192.168.0.11]:59661 to 
> > [192.168.0.11]:63266 tcpflags 0x10<ACK>; syncache_expand: Segment failed
> > SYNCOOKIE authentication, segment rejected (probably spoofed)
> 
> It looks like you tried to open a TCP connection to yourself, but
> the connection failed. You could try leaving a tcpdump running:
> 
> 	tcpdump -i whatever_interface -w /tmp/synfinrstdata -s 1500 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
> 
> while your MPI app runs and then we can have a look at the packets
> that caused the problem. The above should collect all TCP SYN, FIN
> and RST packets, which would probably be enough to diagnose the
> problem.
> 

I placed synfinrstdata.gz at

http://troutmask.apl.washington.edu/~kargl/synfinrstdata.gz

The following were in /var/log/messages

Jun 29 09:21:58 node11 kernel: TCP: [192.168.0.12]:54528 to [192.168.0.11]:52690 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
Jun 29 09:22:01 node11 kernel: TCP: [192.168.0.15]:62391 to [192.168.0.11]:60621 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
Jun 29 09:26:43 node11 kernel: TCP: [192.168.0.11]:59578 to [192.168.0.11]:53378 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
Jun 29 09:27:51 node11 kernel: bge0: promiscuous mode disabled
Jun 29 09:28:05 node11 kernel: TCP: [192.168.0.11]:64006 to [192.168.0.11]:53378 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)


-- 
Steve

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070629163247.GA6373>