On Tue, 10 Jul 2007, Mike Silbersack wrote:
On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
Can't say that I am pushing much traffic through my box, but after applying
your patch and rebuilding the kernel I am still seeing the messages like
-----
TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19<FIN,PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
-----
But what had changed is that the lines with the 'syncache_timer' started to
appear. There were no such lines prior to the patch, only the 'failed
SYNCOOKIE' ones.
The "syncache_timer: Response timeout" message means that the syncache sent
a SYN-ACK response four times, but still didn't receive a response. This
probably means that someone tried using a port scanner or was going through
a faulty firewall. We'll definitely have to take that log message out
before 7.0 is released.
As I mentioned to Andre before he committed the log message support, there
needs to be an administrative twiddle for it, and pretty much all need to
either be rate-limited or turned off by default when we get to the release.
Otherwise they make very easy DoS opportunities, especially for systems with
serial consoles.
Robert N M Watson
Computer Laboratory
University of Cambridge
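As an added illustration (not code from this thread or from FreeBSD itself), the Python below parses kernel log lines in the format Eygene quoted, counts them per reporting function and source address so a burst from one source stands out, and applies a per-second cap of the kind Robert is asking for; the line regex and the fixed-window limiter are assumed designs, and the sample lines are constructed from the masked ones in the post.

```python
import re
from collections import Counter

# Constructed sample input in the format quoted in the thread (addresses masked as in the post).
SAMPLE_LOG = """\
TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19<FIN,PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
"""

# Assumed line layout: "TCP: [src]:sport to [dst]:dport[ tcpflags F]; function: message".
LINE_RE = re.compile(
    r"^TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\S+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\S+)"
    r"(?: tcpflags (?P<flags>\S+))?; (?P<func>\w+): (?P<msg>.*)$"
)

def parse_syncache_log(text):
    """Return one dict per recognised syncache log line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Count events per (reporting function, source address)."""
    return Counter((e["func"], e["src"]) for e in events)

class RateLimiter:
    """Fixed-window cap: at most max_per_sec messages per wall-clock second (assumed design)."""
    def __init__(self, max_per_sec):
        self.max_per_sec = max_per_sec
        self.window = None   # the integer second currently being counted
        self.count = 0

    def allow(self, now):
        sec = int(now)
        if sec != self.window:
            self.window, self.count = sec, 0
        self.count += 1
        return self.count <= self.max_per_sec

def emit_with_limit(timestamps, max_per_sec):
    """Return how many of the events at the given timestamps would actually be logged."""
    limiter = RateLimiter(max_per_sec)
    return sum(1 for t in timestamps if limiter.allow(t))
```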
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net