From owner-freebsd-current@FreeBSD.ORG Wed Jul 11 23:35:12 2007
Message-ID: <469562F9.4060700@freebsd.org>
Date: Thu, 12 Jul 2007 01:08:41 +0200
From: Andre Oppermann (andre@freebsd.org)
To: Robert Watson
Cc: Mike Silbersack, current@freebsd.org, net@freebsd.org
Subject: Re: FreeBSD 7 TCP syncache fix: request for testers
In-Reply-To: <20070711130719.S68820@fledge.watson.org>
References: <20070709234401.S29353@odysseus.silby.com> <20070710132253.GJ1038@void.codelabs.ru> <20070710202028.I34890@odysseus.silby.com> <20070711130719.S68820@fledge.watson.org>
List-Id: Discussions about the use of FreeBSD-current

Robert Watson wrote:
> On Tue, 10 Jul 2007, Mike Silbersack wrote:
>
>> On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
>>
>>> Can't say that I am pushing much traffic through my box, but after
>>> applying your patch and rebuilding the kernel I am still seeing the
>>> messages like
>>> -----
>>> TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
>>> TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
>>> -----
>>> But what had changed is that the lines with the 'syncache_timer'
>>> started to appear. There were no such lines prior to the patch, only
>>> the 'failed SYNCOOKIE' ones.
>>
>> The "syncache_timer: Response timeout" message means that the syncache
>> sent a SYN-ACK response four times, but still didn't receive a
>> response. This probably means that someone tried using a port scanner
>> or was going through a faulty firewall. We'll definitely have to take
>> that log message out before 7.0 is released.
>
> As I mentioned to Andre before he committed the log message support,
> there needs to be an administrative twiddle for it, and pretty much all
> need to either be rate-limited or turned off by default when we get to
> the release. Otherwise they make very easy DoS opportunities, especially
> for systems with serial consoles.

Yes, I'm aware of that and will provide an appropriate patch shortly.

-- 
Andre
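The point Robert Watson raises above is a general one: a kernel log line that any remote host can trigger by sending a packet is a console-flooding vector, so such messages need an administrative on/off knob and a per-second cap. The following is an added example written for this archive page; it is not code from the thread, from Andre's patch, or from FreeBSD's source. It shows the shape of the two mitigations in plain C: a limit value standing in for a sysctl (0 means off) and a one-second window that caps how many lines reach the console, with a summary of how many were dropped so the operator still learns a flood occurred. The names (log_ratelimit, log_ratelimit_allow, simulate_burst) and the sample addresses are constructed for the example; the time is passed in explicitly so the behaviour is deterministic.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not FreeBSD code. Hypothetical per-second log rate
 * limiter with an administrative limit that doubles as an off switch. */
struct log_ratelimit {
    time_t   window_start;  /* second in which the current window began */
    unsigned emitted;       /* messages emitted in this window */
    unsigned suppressed;    /* messages dropped in this window */
    unsigned max_per_sec;   /* administrative limit; 0 disables logging */
};

/* Initialise the limiter. The caller supplies time explicitly on every
 * check (assumption made for testability; a kernel would read a clock). */
void log_ratelimit_init(struct log_ratelimit *rl, unsigned max_per_sec)
{
    memset(rl, 0, sizeof(*rl));
    rl->max_per_sec = max_per_sec;
}

/* Return 1 if a message may be emitted at time 'now', 0 if it must be
 * suppressed. When a new one-second window opens, report how many lines
 * the previous window dropped so the flood itself is still visible. */
int log_ratelimit_allow(struct log_ratelimit *rl, time_t now)
{
    if (rl->max_per_sec == 0)
        return 0;                       /* knob off: never log */
    if (now != rl->window_start) {
        if (rl->suppressed != 0)
            printf("log: %u messages suppressed in previous second\n",
                   rl->suppressed);
        rl->window_start = now;
        rl->emitted = 0;
        rl->suppressed = 0;
    }
    if (rl->emitted < rl->max_per_sec) {
        rl->emitted++;
        return 1;
    }
    rl->suppressed++;
    return 0;
}

/* Simulate 'n' identical syncache events arriving within the same second
 * and return how many lines would actually reach the console. */
unsigned simulate_burst(unsigned max_per_sec, unsigned n, time_t now)
{
    struct log_ratelimit rl;
    unsigned printed = 0, i;

    log_ratelimit_init(&rl, max_per_sec);
    for (i = 0; i < n; i++) {
        if (log_ratelimit_allow(&rl, now)) {
            /* constructed message; addresses are documentation ranges */
            printf("TCP: [198.51.100.1]:1234 to [192.0.2.10]:80; "
                   "syncache_timer: Response timeout\n");
            printed++;
        }
    }
    return printed;
}

int main(void)
{
    /* 1000 events in one second with a limit of 5: 5 lines are printed,
     * the remaining 995 are counted and reported when the window rolls. */
    unsigned n = simulate_burst(5, 1000, 1184194121);
    printf("emitted %u of 1000\n", n);
    return 0;
}
```

With the limit set to 0 nothing is logged at all, which is the "turned off by default" option; with a small positive limit a serial console sees at most that many lines per second plus one summary line, regardless of how fast spoofed segments arrive.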