From owner-freebsd-net@FreeBSD.ORG Sat Jul 21 22:30:32 2007
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0D9B816A558; Sat, 21 Jul 2007 22:30:28 +0000 (UTC) (envelope-from peter@wemm.org)
Received: from overcee.wemm.org (unknown [IPv6:2001:5a8:4:2140:21b:fcff:fe24:feef]) by mx1.freebsd.org (Postfix) with ESMTP id E35CB13C469; Sat, 21 Jul 2007 22:30:17 +0000 (UTC) (envelope-from peter@wemm.org)
Received: from overcee.wemm.org (localhost [127.0.0.1]) by overcee.wemm.org (8.14.1/8.14.1) with ESMTP id l6LMUCam000665; Sat, 21 Jul 2007 15:30:17 -0700 (PDT) (envelope-from peter@wemm.org)
Received: from localhost (localhost [[UNIX: localhost]]) by overcee.wemm.org (8.14.1/8.14.1/Submit) id l6KItiwK014161; Fri, 20 Jul 2007 11:55:44 -0700 (PDT) (envelope-from peter@wemm.org)
X-Authentication-Warning: overcee.wemm.org: peter set sender to peter@wemm.org using -f
From: Peter Wemm
To: freebsd-current@freebsd.org
Date: Fri, 20 Jul 2007 11:55:44 -0700
User-Agent: KMail/1.9.6
References: <20070709234401.S29353@odysseus.silby.com> <20070710132253.GJ1038@void.codelabs.ru> <20070710202028.I34890@odysseus.silby.com>
In-Reply-To: <20070710202028.I34890@odysseus.silby.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200707201155.44573.peter@wemm.org>
Cc: Andre Oppermann , current@freebsd.org, Robert Watson , net@freebsd.org
Subject: Re: FreeBSD 7 TCP syncache fix: request for testers
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 21 Jul 2007 22:30:32 -0000

On Tuesday 10 July 2007, Mike Silbersack wrote:
> On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
> > Can't say that I am pushing much traffic through my box, but after
> > applying your patch and rebuilding the kernel I am still seeing the
> > messages like
> > -----
> > TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
> > TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
> > -----
> > But what had changed is that the lines with the 'syncache_timer'
> > started to appear. There were no such lines prior to the patch,
> > only the 'failed SYNCOOKIE' ones.
>
> The "syncache_timer: Response timeout" message means that the
> syncache sent a SYN-ACK response four times, but still didn't receive
> a response. This probably means that someone tried using a port
> scanner or was going through a faulty firewall. We'll definitely
> have to take that log message out before 7.0 is released.
>
> The fact that you're still getting the syncache_expand message tells
> me that there's another bug which I have not yet fixed still present.

I get hundreds of these messages within a few hours of boot:

[...]
TCP: [127.0.0.1]:65491 to [127.0.0.1]:1128 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [127.0.0.1]:64055 to [127.0.0.1]:1128 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [10.0.0.85]:1665 to [10.0.0.3]:139 tcpflags 0x4; tcp_input: Listen socket: Spurious RST, segment rejected
TCP: [127.0.0.1]:60995 to [127.0.0.1]:1128 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [10.0.0.84]:56408 to [10.0.0.3]:22 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [127.0.0.1]:53469 to [127.0.0.1]:1128 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [127.0.0.1]:52446 to [127.0.0.1]:1128 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
[...]

How on earth can localhost be spoofing itself? This is getting quite
absurd. :-(

Port 1128 is an x10 daemon FWIW. There is just one single client, run
from cron every few minutes. There is no congestion on the listen
socket. It is an extremely quiet and low volume server.

I don't have your patch installed, but am just about to. I mentioned it
because you commented that this is a different problem below.

> My suspicion is that the "Segment failed SYNCOOKIE authentication"
> message is the aftereffect of FreeBSD 7 randomly dropping TCP
> connections, and not the problem itself. My theory is that the
> connection is silently dropped, without the other endpoint knowing.
> That other endpoint then sends an ACK packet, which is then believed
> to be a syncookie. Since it is not, it obviously fails the
> verification.
>
> Finding that bug is my next goal.
>
> > But the patch received only half a day of testing, so I will
> > continue the tests and will inform you if any other information
> > becomes available. So far I don't see the problems that appeared
> > without the patch, but they tend to show up after midnight ;))
> >
> > Thank you!
>
> Thanks for testing, I look forward to hearing how things work for
> you.

I'll give your patch a shot and see if it improves things at all.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
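Triage helper for the kernel messages quoted above, added here as an example that is not part of the thread or of FreeBSD. It parses the `TCP: [src]:port to [dst]:port tcpflags 0x..; function: message` lines exactly as they appear in the two mails (the tcpflags field is absent on the syncache_timer line, and redacted octets/ports appear as NNN), decodes the tcpflags value with the standard TCP header flag bits (0x01 FIN, 0x02 SYN, 0x04 RST, 0x08 PSH, 0x10 ACK, 0x20 URG, 0x40 ECE, 0x80 CWR), and assigns each line a verdict whose wording follows the reasoning in the thread: SYN-ACK retransmitted four times with no answer for syncache_timer, a stale or forged ACK for syncache_expand, and a spoofing-implausible note when the source is a loopback address, which is Peter's point. The sample log is built from the lines quoted in the thread; the verdict strings are this example's own.

```python
"""Triage FreeBSD 7 syncache/tcp_input diagnostics (added example, not FreeBSD code)."""
import re
from collections import Counter
from ipaddress import ip_address

# Standard TCP header flag bits (RFC 793, plus the ECN bits from RFC 3168).
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}

# Message shape as printed in the thread. tcpflags is optional (absent on the
# syncache_timer line); ports and octets may be redacted as "NNN".
LINE_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:(?P<sport>[^\s;]+) to \[(?P<dst>[^\]]+)\]:(?P<dport>[^\s;]+)"
    r"(?: tcpflags (?P<flags>0x[0-9a-fA-F]+))?; (?P<func>\w+): (?P<msg>.*)"
)


def decode_flags(value):
    """Render a tcpflags bitmask as flag names, e.g. 0x19 -> 'FIN|PSH|ACK'."""
    names = [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]
    return "|".join(names) or "none"


def spoof_plausible(src):
    """A segment whose source is a loopback address cannot have arrived from the
    network with a forged source. Redacted addresses ("NNN") cannot be judged."""
    try:
        return not ip_address(src).is_loopback
    except ValueError:
        return True


def parse_line(line):
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = int(rec["flags"], 16) if rec["flags"] else None
    return rec


def classify(rec):
    """Verdict for one parsed message; the reasoning mirrors the thread."""
    func, flags = rec["func"], rec["flags"]
    if func == "syncache_timer":
        return "SYN-ACK retransmitted with no reply: scanner, half-open probe, or a firewall dropping the SYN-ACK"
    if func == "syncache_expand":
        if flags is not None and flags & 0x02:
            return "SYN bit set on a segment handled as a handshake ACK: inspect"
        if not spoof_plausible(rec["src"]):
            return "ACK from loopback with no syncache entry: spoofing implausible, most likely a stale ACK for a connection the listener dropped"
        if flags == 0x10:
            return "bare ACK with no syncache entry: stale ACK from a silently dropped connection (thread's hypothesis) or a forged cookie"
        return "ACK-bearing segment with no syncache entry: stale segment from a dropped connection or a forged cookie"
    if func == "tcp_input" and flags is not None and flags & 0x04:
        return "RST at a listen socket with no matching connection: stale reset or scanner, nothing affected"
    return "unclassified"


def triage(text):
    """Parse every recognised line and attach decoded flag names and a verdict."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["flag_names"] = decode_flags(rec["flags"]) if rec["flags"] is not None else "-"
        rec["verdict"] = classify(rec)
        out.append(rec)
    return out


def summarize(records):
    """Count (destination port, verdict) pairs so a repeating source stands out."""
    return Counter((r["dport"], r["verdict"]) for r in records)


# Sample input assembled from the lines quoted in the thread (Peter's and Eygene's mails).
SAMPLE_LOG = """\
TCP: [127.0.0.1]:65491 to [127.0.0.1]:1128 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [127.0.0.1]:64055 to [127.0.0.1]:1128 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [10.0.0.85]:1665 to [10.0.0.3]:139 tcpflags 0x4; tcp_input: Listen socket: Spurious RST, segment rejected
TCP: [10.0.0.84]:56408 to [10.0.0.3]:22 tcpflags 0x10; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
"""

if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} [{r['flag_names']}] {r['verdict']}")
    for (port, verdict), n in summarize(recs).most_common():
        print(f"{n:3d} x port {port}: {verdict}")
```

Run it over `dmesg` or `/var/log/messages` output instead of `SAMPLE_LOG` to see which listen ports and sources account for the noise; on Peter's box the loopback lines all share port 1128 and flags 0x10, which is a pure ACK with no SYN, consistent with a client that still believes it has a connection.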
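The mechanism behind Mike's theory, as an added example that is not FreeBSD's syncookie implementation: a toy SYN cookie whose 32-bit server ISN packs a 3-bit time slot, a 3-bit MSS-table index and a 26-bit HMAC tag over the 4-tuple, the client's ISN and the slot. The secret, the slot lifetime, the MSS table and the field widths are assumptions chosen for illustration. With cookies the listener stores nothing, so the only thing that can authenticate a bare ACK at a listen socket is the cookie it carries back as ack-1. An ACK from a connection the listener silently forgot was never built from a cookie, so its tag fails and the segment is rejected, which is exactly the "Segment failed SYNCOOKIE authentication" case; the block also shows the expiry and bit-flip rejections and measures how often unrelated ACKs slip through.

```python
"""Toy SYN-cookie issue/verify (added example; not FreeBSD's syncookie code)."""
import hashlib
import hmac
import random

SECRET = b"constructed per-boot secret"   # assumption: one secret for the whole run
TAG_BITS = 26
TAG_MASK = (1 << TAG_BITS) - 1
COOKIE_LIFETIME = 4                        # assumption: slots a cookie stays valid
MSS_TABLE = (536, 1220, 1440, 1460)        # assumption: MSS values encodable in 3 bits


def _tag(src, sport, dst, dport, client_isn, tslot):
    """Keyed MAC over the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{tslot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & TAG_MASK


def make_cookie(src, sport, dst, dport, client_isn, mss, now_slot):
    """ISN for our SYN-ACK: [3-bit slot][3-bit MSS index][26-bit tag].
    Nothing about the SYN is stored; the peer must echo this back as ack-1."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tag = _tag(src, sport, dst, dport, client_isn, now_slot & 7)
    return ((now_slot & 7) << 29) | (mss_idx << 26) | tag


def check_cookie(src, sport, dst, dport, seq, ack, now_slot):
    """syncache_expand-style check of a bare ACK at a listen socket.
    Returns the negotiated MSS, or None when the ACK did not come from a
    cookie we issued: expired, forged, or a stale ACK from a connection this
    listener no longer remembers."""
    cookie = (ack - 1) & 0xFFFFFFFF        # peer acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # peer's seq in the ACK is its ISN + 1
    tslot, mss_idx, tag = cookie >> 29, (cookie >> 26) & 7, cookie & TAG_MASK
    if (now_slot - tslot) & 7 >= COOKIE_LIFETIME:
        return None                        # issued too long ago (or never by us)
    if mss_idx >= len(MSS_TABLE):
        return None                        # index no cookie of ours would carry
    expected = _tag(src, sport, dst, dport, client_isn, tslot)
    if not hmac.compare_digest(tag.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None                        # tag mismatch: not our cookie
    return MSS_TABLE[mss_idx]


# Constructed 4-tuple and client ISN, modelled on the loopback lines in the thread.
TUPLE = ("127.0.0.1", 65491, "127.0.0.1", 1128)
CLIENT_ISN = 0x12345678


def handshake_ok():
    """SYN (seq=C) -> SYN-ACK (seq=cookie) -> ACK (seq=C+1, ack=cookie+1) validates."""
    isn = make_cookie(*TUPLE, CLIENT_ISN, 1460, now_slot=5)
    return check_cookie(*TUPLE, seq=CLIENT_ISN + 1, ack=isn + 1, now_slot=6)


def replay_expired():
    """The same ACK arriving COOKIE_LIFETIME slots later is refused."""
    isn = make_cookie(*TUPLE, CLIENT_ISN, 1460, now_slot=5)
    return check_cookie(*TUPLE, seq=CLIENT_ISN + 1, ack=isn + 1, now_slot=5 + COOKIE_LIFETIME)


def forged_tag():
    """One flipped tag bit: the keyed MAC no longer matches."""
    isn = make_cookie(*TUPLE, CLIENT_ISN, 1460, now_slot=5)
    return check_cookie(*TUPLE, seq=CLIENT_ISN + 1, ack=(isn ^ 1) + 1, now_slot=5)


def stale_ack_rejections(n=200, seed=1):
    """ACKs from a forgotten established connection carry sequence numbers
    unrelated to any cookie; count how many of n such ACKs are rejected."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(n):
        seq, ack = rng.getrandbits(32), rng.getrandbits(32)
        if check_cookie(*TUPLE, seq=seq, ack=ack, now_slot=5) is None:
            rejected += 1
    return rejected


if __name__ == "__main__":
    print("handshake:", handshake_ok())
    print("expired replay:", replay_expired())
    print("forged tag:", forged_tag())
    print("stale ACKs rejected:", stale_ack_rejections(), "of 200")
```

An unrelated ACK passes only if its slot is fresh, its MSS index is in range and 26 tag bits match by chance, roughly one in 2^28 here, so a listener that has dropped a connection will log a rejection for essentially every ACK the still-connected peer sends; that is the pattern of repeated 0x10 segments to port 1128 in Peter's dmesg.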