Segment failed SYNCOOKIE?

Andre Oppermann andre at freebsd.org
Mon May 28 15:29:45 UTC 2007


Abdullah Ibn Hamad Al-Marri wrote:
> On 5/26/07, Steve Kargl <sgk at troutmask.apl.washington.edu> wrote:
> 
>> Anyone have ideas on how to cure
>>
>> May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
>> [192.168.0.13]:50992 tcpflags 0x11<FIN,ACK>; syncache_expand:
>> Segment failed SYNCOOKIE authentication
>>
>> The hardware and kernel on 192.168.0.15 and 192.168.0.13
>> are identical.
>>
>> -- 
>> Steve
> 
> 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> 
> I got the same problem and my sever paniced today.

Please provide the panic message and if available a backtrace for the
panic.  We have to track down the exact cause of it (which may not
necessarily be the syncache).

> TCP: [70.162.96.41]:54686 to [IP removed for security reasons]:59999
> tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
> authentication

Logging of TCP segment validation failure has recently been enabled
to aid debugging of TCP (interoperability) issues.

This particular message means that a SYN was received on a listen
socket but no matching syncache entry was found.  The second test
for a syncookie also failed.  Normally this means a spoofed packet
or port scan is hitting your machine.  To make this certain you should
answer a couple of questions:  a) What daemon is running on your port
59999?  b) Do you know [70.162.96.41] and does it have any business
in contacting your daemon on 59999?

I agree that the log message should be made more clear to avoid
unnecessary confusion.  Nothing is broken and syncache is doing its
job just fine.

-- 
Andre



More information about the freebsd-current mailing list