Date: Wed, 11 Jul 2007 13:08:15 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Mike Silbersack
Cc: Andre Oppermann, current@freebsd.org, net@freebsd.org
Subject: Re: FreeBSD 7 TCP syncache fix: request for testers
Message-ID: <20070711130719.S68820@fledge.watson.org>
In-Reply-To: <20070710202028.I34890@odysseus.silby.com>
References: <20070709234401.S29353@odysseus.silby.com> <20070710132253.GJ1038@void.codelabs.ru> <20070710202028.I34890@odysseus.silby.com>
List-Id: Discussions about the use of FreeBSD-current

On Tue, 10 Jul 2007, Mike Silbersack wrote:

> On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
>
>> Can't say that I am pushing much traffic through my box, but after applying
>> your patch and rebuilding the kernel I am still seeing the messages like
>> -----
>> TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
>> TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
>> -----
>> But what had changed is that the lines with the 'syncache_timer' started to
>> appear. There were no such lines prior to the patch, only the 'failed
>> SYNCOOKIE' ones.
>
> The "syncache_timer: Response timeout" message means that the syncache sent
> a SYN-ACK response four times, but still didn't receive a response. This
> probably means that someone tried using a port scanner or was going through
> a faulty firewall. We'll definitely have to take that log message out
> before 7.0 is released.

As I mentioned to Andre before he committed the log message support, there
needs to be an administrative twiddle for it, and pretty much all need to
either be rate-limited or turned off by default when we get to the release.
Otherwise they make very easy DoS opportunities, especially for systems with
serial consoles.

Robert N M Watson
Computer Laboratory
University of Cambridge
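The two mitigations the reply asks for (an administrative on/off toggle and per-second rate limiting of diagnostic log lines) can be sketched in a few dozen lines of userland C. This is an added example, not code from the e-mail, from FreeBSD's syncache, or from ppsratecheck(9); the names `log_ratelimit`, `syncache_log`, `log_debug_enabled` and the sample message text are hypothetical, and the toggle merely stands in for a sysctl. The point it shows is that a burst of unsolicited segments then costs at most `max_per_second` printf calls per second on the console, plus one summary line per window, instead of one line per segment.

```c
/*
 * Added example (not from the original e-mail or the FreeBSD source tree):
 * a per-second rate limiter for kernel-style diagnostic log lines, in the
 * spirit of ppsratecheck(9), behind an administrative on/off toggle that
 * stands in for a sysctl. All names here are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

struct log_ratelimit {
    time_t window_start;   /* start of the current one-second window */
    int    count;          /* lines emitted in this window */
    int    max_per_second; /* budget per window */
    long   suppressed;     /* lines dropped since the last summary */
};

/* Administrative toggle; off by default, as the mail recommends for a release. */
static int log_debug_enabled = 0;

static void log_ratelimit_init(struct log_ratelimit *rl, int max_per_second) {
    memset(rl, 0, sizeof(*rl));
    rl->max_per_second = max_per_second;
}

/*
 * Return true if a line may be emitted at time 'now'. At most max_per_second
 * lines pass per one-second window; the rest are counted and summarised with
 * a single line when the next window opens, so a flood cannot scroll a
 * serial console indefinitely.
 */
static bool log_ratelimit_check(struct log_ratelimit *rl, time_t now) {
    if (now != rl->window_start) {
        if (rl->suppressed > 0) {
            printf("(%ld diagnostic lines suppressed in previous window)\n",
                   rl->suppressed);
            rl->suppressed = 0;
        }
        rl->window_start = now;
        rl->count = 0;
    }
    if (rl->count < rl->max_per_second) {
        rl->count++;
        return true;
    }
    rl->suppressed++;
    return false;
}

/* Emit a syncache-style diagnostic only if enabled and within budget. */
static bool syncache_log(struct log_ratelimit *rl, time_t now, const char *msg) {
    if (!log_debug_enabled)
        return false;
    if (!log_ratelimit_check(rl, now))
        return false;
    printf("TCP: %s\n", msg);
    return true;
}

/* Simulate 'attempts' events in one second; return how many were logged. */
static int simulate_burst(int attempts, int budget, time_t now) {
    struct log_ratelimit rl;
    int logged = 0;
    log_ratelimit_init(&rl, budget);
    for (int i = 0; i < attempts; i++)
        if (syncache_log(&rl, now, "syncache_timer: Response timeout (constructed)"))
            logged++;
    return logged;
}

/* Returns 1 if the budget is restored once the clock moves to a new window. */
static int rollover_restores_budget(void) {
    struct log_ratelimit rl;
    log_ratelimit_init(&rl, 1);
    bool a = log_ratelimit_check(&rl, 10); /* allowed */
    bool b = log_ratelimit_check(&rl, 10); /* over budget, suppressed */
    bool c = log_ratelimit_check(&rl, 11); /* new window, allowed again */
    return a && !b && c;
}

int main(void) {
    printf("toggle off: %d lines logged\n", simulate_burst(100, 5, time(NULL)));
    log_debug_enabled = 1;
    printf("toggle on:  %d lines logged\n", simulate_burst(100, 5, time(NULL)));
    return 0;
}
```

With the toggle off nothing is printed regardless of traffic; with it on, a hundred timeouts in one second produce five lines and a one-line summary rather than a hundred console writes.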