Segment failed SYNCOOKIE?
andre at freebsd.org
Mon May 28 15:29:45 UTC 2007
Abdullah Ibn Hamad Al-Marri wrote:
> On 5/26/07, Steve Kargl <sgk at troutmask.apl.washington.edu> wrote:
>> Anyone have ideas on how to cure
>> May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
>> [192.168.0.13]:50992 tcpflags 0x11<FIN,ACK>; syncache_expand:
>> Segment failed SYNCOOKIE authentication
>> The hardware and kernel on 192.168.0.15 and 192.168.0.13
>> are identical.
> 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> I got the same problem and my server panicked today.
Please provide the panic message and if available a backtrace for the
panic. We have to track down the exact cause of it (which may not
necessarily be the syncache).
> TCP: [220.127.116.11]:54686 to [IP removed for security reasons]:59999
> tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
Logging of TCP segment validation failure has recently been enabled
to aid debugging of TCP (interoperability) issues.
This particular message means that a SYN was received on a listen
socket but no matching syncache entry was found. The second test
for a syncookie also failed. Normally this means a spoofed packet
or port scan is hitting your machine. To make this certain you should
answer a couple of questions: a) What daemon is running on your port
59999? b) Do you know [18.104.22.168] and does it have any business
in contacting your daemon on 59999?
I agree that the log message should be made more clear to avoid
unnecessary confusion. Nothing is broken and syncache is doing its
job just fine.
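As an added example (not part of the thread or of FreeBSD's own code), a small Python triage helper that parses these `syncache_expand` log lines and tallies them by remote source and by local port, which is exactly what the two questions above ask you to check; the sample log lines are constructed to match the format quoted in the thread, with documentation addresses in place of real peers.

```python
import re
from collections import Counter

# Matches the kernel message format quoted in the thread. The trailing
# "authentication" word is optional because log lines are often wrapped.
LOG_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to "
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags 0x(?P<flags>[0-9a-fA-F]+)<(?P<names>[^>]*)>; "
    r"syncache_expand: Segment failed SYNCOOKIE"
)

TH_SYN = 0x02  # SYN bit in the TCP flags byte

# Constructed sample input (not real traffic); 203.0.113.0/24 is a
# documentation range standing in for an unknown remote host.
SAMPLE_LOG = """\
May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to [192.168.0.13]:50992 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication
May 25 16:20:05 node13 kernel: TCP: [203.0.113.7]:54686 to [192.168.0.13]:59999 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication
May 25 16:20:06 node13 kernel: TCP: [203.0.113.7]:54687 to [192.168.0.13]:59999 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication
May 25 16:20:07 node13 kernel: sshd[123]: unrelated message, must be ignored
"""

def parse_line(line):
    """Return a dict for a syncache_expand failure line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = int(rec["flags"], 16)
    return rec

def summarize(text):
    """Tally failures per remote source and per local port.

    Also reports how many segments carried no SYN bit: such segments can
    never match a syncookie, so a run of them on one port usually means
    a stale or spoofed connection rather than a legitimate handshake.
    """
    events = [r for r in map(parse_line, text.splitlines()) if r]
    return {
        "events": events,
        "per_source": Counter(r["src"] for r in events),
        "per_dport": Counter(r["dport"] for r in events),
        "non_syn": sum(1 for r in events if not r["flags"] & TH_SYN),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for port, n in s["per_dport"].most_common():
        print(f"local port {port}: {n} failure(s) -> which daemon listens here?")
    for src, n in s["per_source"].most_common():
        print(f"remote {src}: {n} failure(s) -> is this host expected?")
```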