Date: Tue, 7 May 2002 19:44:37 -0700
From: Dima Ruban
To: Patrick Thomas
Cc: freebsd-hackers@freebsd.org, Alan.Judge@eircom.net, dima@freebsd.org
Subject: Re: syncookies exploit behavior

I doubt that it's syncache related. The problem that I've had was quite
simple and it's already fixed in both current and stable.
Here's the commit log:

  Modified files:
    sys/netinet          tcp_syncache.c
  Log:
  When a duplicate SYN arrives which matches an entry in the syncache,
  update our lazy reference to the inpcb structure, as it may have changed.

It was happening on a busy thttpd server on a thttpd restart.

As for your problem, I'd suggest plugging in a serial cable and running
remote gdb on the kernel.

Please note that you can disable syncookies with sysctl:

sivka# sysctl -a | grep cookie
net.inet.tcp.syncookies: 1
sivka#

On Tue, May 07, 2002 at 10:51:37AM -0700, Patrick Thomas wrote:
>
> Two questions regarding the syncookies issue -
>
> 1. What kind of crash is it? I have an issue where my machine has no
> response at the console, and none of the services work (pop, imap, etc.)
> HOWEVER you can still ping it, and you can still initiate connections to
> services - they just don't talk or respond at all - and cron jobs no longer
> run. Someone suggested that it looks like my userland is frozen, but my
> kernel is still running.
>
> Is that the kind of crash you get when you encounter the syncookies
> problem?
>
> 2. Is there any way to scour tcpdump on the _affected_ machine to see if
> syncookies was indeed your problem? This is sort of two questions -
> first, will the machine be crashed so fast it won't have time to write
> tcpdump output to a file for the packet that caused the crash? And
> second, if it is possible, what would that tcpdump output look like?
>
> I suspect you can't scour tcpdump for it, since this problem can be caused
> by legitimate traffic.
>
> comments appreciated,
>
> PT

--dima