SYNCOOKIE authentication problems

Steve Kargl sgk at troutmask.apl.washington.edu
Fri Jun 29 16:33:31 UTC 2007


On Fri, Jun 29, 2007 at 11:51:40AM +0100, David Malone wrote:
> On Wed, Jun 27, 2007 at 06:43:11PM -0700, Steve Kargl wrote:
> > Any advice on how to isolate or avoid?
> > 
> > Jun 27 18:31:19 node11 kernel: TCP: [192.168.0.11]:59661 to 
> > [192.168.0.11]:63266 tcpflags 0x10<ACK>; syncache_expand: Segment failed
> > SYNCOOKIE authentication, segment rejected (probably spoofed)
> 
> It looks like you tried to open a TCP connection to yourself, but
> the connection failed. You could try leaving a tcpdump running:
> 
> 	tcpdump -i whatever_interface -w /tmp/synfinrstdata -s 1500 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
> 
> while your MPI app runs and then we can have a look at the packets
> that caused the problem. The above should collect all TCP SYN, FIN
> and RST packets, which would probably be enough to diagnose the
> problem.
> 

I placed synfinrstdata.gz at

http://troutmask.apl.washington.edu/~kargl/synfinrstdata.gz

The following were in /var/log/messages

Jun 29 09:21:58 node11 kernel: TCP: [192.168.0.12]:54528 to [192.168.0.11]:52690 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
Jun 29 09:22:01 node11 kernel: TCP: [192.168.0.15]:62391 to [192.168.0.11]:60621 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
Jun 29 09:26:43 node11 kernel: TCP: [192.168.0.11]:59578 to [192.168.0.11]:53378 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
Jun 29 09:27:51 node11 kernel: bge0: promiscuous mode disabled
Jun 29 09:28:05 node11 kernel: TCP: [192.168.0.11]:64006 to [192.168.0.11]:53378 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)


-- 
Steve


More information about the freebsd-current mailing list