Date: Tue, 7 May 2002 19:44:37 -0700
From: Dima Ruban <dima@rdy.com>
To: Patrick Thomas <root@utility.clubscholarship.com>
Cc: freebsd-hackers@freebsd.org, Alan.Judge@eircom.net, dima@freebsd.org
Subject: Re: syncookies exploit behavior
Message-ID: <20020508024437.GA29151@sivka.rdy.com>
In-Reply-To: <20020507104534.T63159-100000@utility.clubscholarship.com>
References: <20020507104534.T63159-100000@utility.clubscholarship.com>
I doubt that it's syncache related. The problem that I've had was quite
simple and it's already fixed in both current and stable.
Here's the commit log:
Modified files:
sys/netinet tcp_syncache.c
Log:
When a duplicate SYN arrives which matches an entry in the syncache,
update our lazy reference to the inpcb structure, as it may have changed.
It was happening on a busy thttpd server on a thttpd restart.
As for your problem, I'd suggest plugging in a serial cable and running remote
gdb on the kernel. Please note that you can disable syncookies with sysctl:
sivka# sysctl -a | grep cookie
net.inet.tcp.syncookies: 1
sivka#
On Tue, May 07, 2002 at 10:51:37AM -0700, Patrick Thomas wrote:
>
>
> Two questions regarding the syncookies issue -
>
> 1. What kind of crash is it? I have an issue where my machine has no
> response at the console, and none of the services work (pop, imap, etc.)
> HOWEVER you can still ping it, and you can still initiate connections to
> services - they just don't talk or respond at all - and cron jobs no longer
> run. Someone suggested that it looks like my userland is frozen, but my
> kernel is still running.
>
> Is that the kind of crash you get when you encounter the syncookies
> problem?
>
>
> 2. Is there any way to scour tcpdump on the _affected_ machine to see if
> syncookies was indeed your problem? This is sort of two questions -
> first, will the machine be crashed so fast it won't have time to write
> tcpdump output to a file for the packet that caused the crash? and
> second, if it is possible, what would that tcpdump output look like?
>
>
> I suspect you can't scour tcpdump for it, since this problem can be caused
> by legitimate traffic.
>
> comments appreciated,
>
> PT
--dima
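The commit log above describes a stale "lazy reference": a syncache entry keeps a pointer to the listening socket's inpcb, and when the listener is restarted (the thttpd case) and the client retransmits its SYN, the entry must be refreshed or it points at a dead socket. The following is an added toy model of that behaviour, written for this message and not the kernel's code; the Inpcb/SynCache classes and the 4-tuple are constructed stand-ins, and the `fixed` flag switches between the old and the corrected handling of a duplicate SYN.

```python
from dataclasses import dataclass


@dataclass
class Inpcb:
    """Stand-in for the kernel's per-socket inpcb (hypothetical, not kernel code)."""
    name: str
    alive: bool = True


@dataclass
class SynCacheEntry:
    four_tuple: tuple
    inp: Inpcb  # lazy reference to the listening socket's inpcb


class SynCache:
    """Minimal model of the syncache keyed by the connection 4-tuple."""

    def __init__(self, update_on_duplicate: bool):
        self.update_on_duplicate = update_on_duplicate
        self.entries: dict = {}

    def syn(self, four_tuple: tuple, listener: Inpcb) -> Inpcb:
        """Handle an incoming SYN; return the inpcb the entry now points at."""
        entry = self.entries.get(four_tuple)
        if entry is None:
            # First SYN: create the entry, remembering the current listener.
            entry = SynCacheEntry(four_tuple, listener)
            self.entries[four_tuple] = entry
        elif self.update_on_duplicate:
            # The fix from the commit log: a duplicate SYN matching an
            # existing entry refreshes the lazy inpcb reference.
            entry.inp = listener
        return entry.inp


def simulate(fixed: bool) -> bool:
    """Return True if the retransmitted SYN ends up referencing a live inpcb."""
    cache = SynCache(update_on_duplicate=fixed)
    four_tuple = ("10.0.0.1", 40000, "10.0.0.2", 80)  # constructed sample
    old_listener = Inpcb("thttpd-1")
    cache.syn(four_tuple, old_listener)   # client's first SYN
    old_listener.alive = False            # thttpd restarted: old socket gone
    new_listener = Inpcb("thttpd-2")      # new listening socket, new inpcb
    inp = cache.syn(four_tuple, new_listener)  # client retransmits its SYN
    return inp.alive
```

Without the fix the duplicate SYN is served through the dead inpcb, which is the kind of dangling reference that surfaces under busy-server restarts rather than under crafted traffic.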
