From: Sergey Matveychuk
Date: Fri, 07 May 2010 20:45:37 +0400
To: freebsd-net@freebsd.org
Subject: Segment failed SYNCOOKIE authentication
Message-ID: <4BE443B1.2070704@FreeBSD.org>

Hi.

I have many messages on my box like this:

    tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)

Some connections are dropped. But they are legal connections. Looks like something is wrong with syncache.

An example:

    20:31:08.464499 IP XXX.YYY.240.5.50393 > XXX.YYY.234.8.8542: Flags [S], seq 4197725771, win 65535, options [mss 1353,nop,wscale 3,sackOK,TS val 3072911437 ecr 0], length 0
    20:31:08.464548 IP XXX.YYY.234.8.8542 > XXX.YYY.240.5.50393: Flags [S.], seq 1425159360, ack 4197725772, win 65535, options [mss 1353,nop,wscale 3,sackOK,TS val 2395628971 ecr 3072911437], length 0

Looks good, but:

    May 7 20:31:09 cobalt kernel: TCP: [XXX.YYY.240.5]:50393 to [XXX.YYY.234.8]:8542 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)

For 1.5 hours:

    % grep SYNCOOKIE /var/log/messages | wc -l
    1727

Any ideas please?

-- 
Sem.
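Added example, not part of the original message: a Python sketch that automates the manual check done above, matching each "failed SYNCOOKIE authentication" log line against a tcpdump capture to see whether the server had just sent a SYN-ACK for the same 4-tuple. The sample lines are constructed (documentation addresses, hypothetical host name `host1`), the function names are hypothetical, and it assumes both inputs are from the same day and uses a 5-second window.

```python
import re
from datetime import datetime

# Constructed sample input in the two formats shown in the message
# (documentation addresses, hypothetical host name "host1").
CAPTURE = """\
20:31:08.464499 IP 192.0.2.5.50393 > 198.51.100.8.8542: Flags [S], seq 4197725771, win 65535, length 0
20:31:08.464548 IP 198.51.100.8.8542 > 192.0.2.5.50393: Flags [S.], seq 1425159360, ack 4197725772, win 65535, length 0
"""
SYSLOG = """\
May  7 20:31:09 host1 kernel: TCP: [192.0.2.5]:50393 to [198.51.100.8]:8542 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
May  7 20:40:00 host1 kernel: TCP: [203.0.113.9]:40000 to [198.51.100.8]:8542 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
"""

DUMP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\.\]")
LOG_RE = re.compile(r"(\d\d:\d\d:\d\d) \S+ kernel: TCP: \[([^\]]+)\]:(\d+) to \[([^\]]+)\]:(\d+) "
                    r".*failed SYNCOOKIE authentication")

def secs(hms):
    t = datetime.strptime(hms, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second

def synacks(capture):
    """Map (client, cport, server, sport) -> times the server sent a SYN-ACK."""
    seen = {}
    for line in capture.splitlines():
        m = DUMP_RE.match(line)
        if m:  # SYN-ACK goes server -> client, so swap to the client's view
            t, srv, sport, cli, cport = m.groups()
            seen.setdefault((cli, cport, srv, sport), []).append(secs(t))
    return seen

def classify(syslog, capture, window=5):
    """Label each rejection 'answered' if we sent a SYN-ACK for that
    4-tuple at most `window` seconds earlier, else 'unsolicited'."""
    seen, out = synacks(capture), []
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        t, cli, cport, srv, sport = m.groups()
        hit = any(0 <= secs(t) - s <= window for s in seen.get((cli, cport, srv, sport), []))
        out.append(((cli, cport, srv, sport), "answered" if hit else "unsolicited"))
    return out

if __name__ == "__main__":
    for flow, verdict in classify(SYSLOG, CAPTURE):
        print(verdict, flow)
```

A rejection labelled "answered" is an ACK that completes a handshake the server itself replied to, which is the case reported in the message; "unsolicited" rejections have no matching SYN-ACK in the capture.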