From: "Abdullah Ibn Hamad Al-Marri"
To: "Andre Oppermann"
Date: Tue, 29 May 2007 01:10:31 +0300
Message-ID: <499c70c0705281510m2984ec1bv94fa869d6dcaa603@mail.gmail.com>
In-Reply-To: <465B29C1.8060109@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: Segment failed SYNCOOKIE?

On 5/28/07, Andre Oppermann wrote:
> Abdullah Ibn Hamad Al-Marri wrote:
> > On 5/28/07, Andre Oppermann wrote:
> >> Abdullah Ibn Hamad Al-Marri wrote:
> >> > On 5/26/07, Steve Kargl wrote:
> >> >
> >> >> Anyone have ideas on how to cure
> >> >>
> >> >> May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
> >> >> [192.168.0.13]:50992 tcpflags 0x11; syncache_expand:
> >> >> Segment failed SYNCOOKIE authentication
> >> >>
> >> >> The hardware and kernel on 192.168.0.15 and 192.168.0.13
> >> >> are identical.
> >> >>
> >> >> --
> >> >> Steve
> >> >
> >> > 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> >> >
> >> > I got the same problem and my server panicked today.
> >>
> >> Please provide the panic message and if available a backtrace for the
> >> panic. We have to track down the exact cause of it (which may not
> >> necessarily be the syncache).
> >>
> >> > TCP: [70.162.96.41]:54686 to [IP removed for security reasons]:59999
> >> > tcpflags 0x18; syncache_expand: Segment failed SYNCOOKIE
> >> > authentication
> >>
> >> Logging of TCP segment validation failure has recently been enabled
> >> to aid debugging of TCP (interoperability) issues.
> >>
> >> This particular message means that a SYN was received on a listen
> >> socket but no matching syncache entry was found. The second test
> >> for a syncookie also failed. Normally this means a spoofed packet
> >> or port scan is hitting your machine. To make this certain you should
> >> answer a couple of questions: a) What daemon is running on your port
> >> 59999? b) Do you know [70.162.96.41] and does it have any business
> >> in contacting your daemon on 59999?
> >>
> >> I agree that the log message should be made more clear to avoid
> >> unnecessary confusion. Nothing is broken and syncache is doing its
> >> job just fine.
> >>
> >> --
> >> Andre
> >
> > Hello Andre,
> >
> > Thanks for looking into this issue.
>
> You're always welcome.
>
> > The server IP isn't known by anyone, just me and my friend, and yes I
> > know 70.162.96.41 which is his IP in a Linux box which runs distro
> > Ubuntu.
>
> Please obtain the exact version number of the Linux kernel that is
> running on your friend's box on 70.162.96.41. This will help me to
> track down the source of the problem and which OS gets it wrong.

I'll ask him when he comes online.

> > I run sshd in 59999, and we were both connected to it, then it died.
>
> The connection or sshd itself?

sshd accepts connections on port 59999 to avoid ssh attempts on the default port.

> > This is a server, so I removed the debug options to not slow it down.
>
> We have to track down the cause of the panic and it would really
> help if you could find a way to reproduce it. To see the real source
> of the panic you need a kernel with these options present:
>
> options KDB # Enable kernel debugger support.
> options DDB # Support DDB.
>
> With these options you drop into the kernel debugger when a panic
> happens. Once there you have to type "trace" to get a backtrace.
> Either transcribe it by hand or take a picture with a digicam and
> make it available for download somewhere (please don't send it by
> email, picture attachments are filtered). A serial console would
> be even better as you can simply copy-paste it from another machine.
> After transcribing the backtrace you can type "reset" to reboot.

This is a server I manage via sshd, no physical access to it, so how can I catch the panic trace? Log as su and keep my connection alive? If I can get the panic, I'll be able to copy & paste it easily via the kssh client.

> > If you think port scan could crash 7.0-CURRENT, Can you run nmap and
> > test it 7.0-CURRENT?
>
> A port scan should not be able to crash FreeBSD.
>
> > Do you think disabling syncache would prevent my box against the same
> > panic again?
>
> Syncache can't be disabled. Only syncookies can be disabled but that
> won't really help as you simply get a different error.
>
> A few hours ago I've committed a reworked tcp_input() SYN processing
> section that'll either fix your issue or expose a more detailed error
> message.
>
> --
> Andre

I'll csup and compile the kernel with

options KDB # Enable kernel debugger support.
options DDB # Support DDB.

Per your request once my box comes online. :)

--
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
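
A triage helper for the kernel message discussed in this thread, added here as an example (it is not code from the thread or from FreeBSD). It parses the log format quoted above, decodes the `tcpflags` byte into flag names, and groups failures by remote address, so the two questions Andre asks (which local port, which peer) can be answered from the log. The function names are hypothetical, and the sample uses the two quoted messages with the redacted address replaced by a constructed one.

```python
import re
from collections import defaultdict

# TCP header flag bits (RFC 793), low bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Message format quoted in the thread; \s+ tolerates mail line wrapping.
LINE_RE = re.compile(
    r"TCP:\s+\[(?P<src>[^\]]+)\]:(?P<sport>\d+)\s+to\s+"
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+)\s+"
    r"tcpflags\s+0x(?P<flags>[0-9a-fA-F]+);\s+syncache_expand:\s+"
    r"Segment\s+failed\s+SYNCOOKIE\s+authentication")

def decode_flags(value):
    """Return the flag names set in a tcpflags byte, e.g. 0x11 -> FIN, ACK."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_failures(text):
    """Yield one dict per SYNCOOKIE authentication failure found in text."""
    for m in LINE_RE.finditer(text):
        flags = int(m.group("flags"), 16)
        yield {"src": m.group("src"), "sport": int(m.group("sport")),
               "dst": m.group("dst"), "dport": int(m.group("dport")),
               "flags": decode_flags(flags)}

def summarize(text):
    """Group failures by remote address: count, local ports hit, flags seen."""
    out = defaultdict(lambda: {"count": 0, "ports": set(), "flags": set()})
    for ev in parse_failures(text):
        entry = out[ev["src"]]
        entry["count"] += 1
        entry["ports"].add(ev["dport"])
        entry["flags"].add("|".join(ev["flags"]))
    return dict(out)

# Sample input: the two messages quoted in the thread. The redacted
# destination is replaced by a constructed address (203.0.113.10).
SAMPLE = """\
May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
[192.168.0.13]:50992 tcpflags 0x11; syncache_expand:
Segment failed SYNCOOKIE authentication
TCP: [70.162.96.41]:54686 to [203.0.113.10]:59999
tcpflags 0x18; syncache_expand: Segment failed SYNCOOKIE
authentication
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Neither of the two quoted segments has the SYN bit set: 0x11 decodes to FIN|ACK and 0x18 to PSH|ACK.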