Robert Watson wrote:
On Tue, 10 Jul 2007, Mike Silbersack wrote:
On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:
Can't say that I am pushing much traffic through my box, but after
applying your patch and rebuilding the kernel I am still seeing the
messages like
-----
TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19<FIN,PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
-----
But what had changed is that the lines with the 'syncache_timer'
started to appear. There were no such lines prior to the patch, only
the 'failed SYNCOOKIE' ones.
The "syncache_timer: Response timeout" message means that the syncache
sent a SYN-ACK response four times, but still didn't receive a
response. This probably means that someone tried using a port scanner
or was going through a faulty firewall. We'll definitely have to take
that log message out before 7.0 is released.
As I mentioned to Andre before he committed the log message support,
there needs to be an administrative twiddle for it, and pretty much all
need to either be rate-limited or turned off by default when we get to
the release. Otherwise they make very easy DoS opportunities, especially
for systems with serial consoles.
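The rate-limit-or-off-by-default requirement Robert describes can be shown with a small simulation. The C below is an added illustration written for this thread, not FreeBSD code: it models a hypothetical administrative switch (off / rate-limited / unlimited, an assumed knob rather than any real sysctl) in front of a per-second message budget, and replays a constructed burst of 100 rejected segments in one second followed by 3 in the next. The addresses, ports and message text are constructed sample values. The point it makes is that a flood of syncache diagnostics costs the console at most the budget plus one summary line per second, instead of one line per hostile packet.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical administrative switch (in FreeBSD this would be a sysctl;
 * the names and values here are an assumption, not the real knob). */
enum log_mode { LOG_OFF = 0, LOG_RATELIMIT = 1, LOG_ALL = 2 };

struct log_limiter {
    enum log_mode mode;
    int max_per_sec;      /* messages allowed per one-second window */
    int64_t window_sec;   /* which second the current window covers */
    int used;             /* messages emitted in this window */
    int suppressed;       /* messages dropped in this window */
};

static void limiter_init(struct log_limiter *l, enum log_mode mode, int max_per_sec)
{
    l->mode = mode;
    l->max_per_sec = max_per_sec;
    l->window_sec = -1;
    l->used = 0;
    l->suppressed = 0;
}

/* Decide whether one diagnostic may be printed at time now_sec.
 * When a new one-second window starts, a single summary line reports how
 * many messages were dropped, so the operator still learns a flood happened
 * without the console being swamped by it. */
static bool limiter_allow(struct log_limiter *l, int64_t now_sec)
{
    if (l->mode == LOG_OFF)
        return false;
    if (l->mode == LOG_ALL)
        return true;
    if (now_sec != l->window_sec) {
        if (l->suppressed > 0)
            printf("syncache: %d messages suppressed in the last second\n",
                   l->suppressed);
        l->window_sec = now_sec;
        l->used = 0;
        l->suppressed = 0;
    }
    if (l->used < l->max_per_sec) {
        l->used++;
        return true;
    }
    l->suppressed++;
    return false;
}

/* Constructed timeline: 100 rejected segments arrive within second 0
 * (a scanner burst), then 3 more during second 1. */
#define BURST_EVENTS 100
#define TAIL_EVENTS 3

/* Replay the timeline through a limiter and return how many diagnostic
 * lines were actually printed (the per-window summary is not counted). */
static int simulate(enum log_mode mode, int max_per_sec)
{
    struct log_limiter l;
    int printed = 0;
    limiter_init(&l, mode, max_per_sec);
    for (int i = 0; i < BURST_EVENTS + TAIL_EVENTS; i++) {
        int64_t now = (i < BURST_EVENTS) ? 0 : 1;
        if (limiter_allow(&l, now)) {
            /* Constructed sample addresses (RFC 5737 documentation ranges). */
            printf("TCP: [192.0.2.1]:%d to [198.51.100.1]:80; syncache_expand: "
                   "Segment failed SYNCOOKIE authentication, segment rejected\n",
                   40000 + i);
            printed++;
        }
    }
    return printed;
}

int main(void)
{
    printf("rate-limited: %d lines\n", simulate(LOG_RATELIMIT, 5)); /* 8 */
    printf("off: %d lines\n", simulate(LOG_OFF, 5));                /* 0 */
    printf("unlimited: %d lines\n", simulate(LOG_ALL, 5));          /* 103 */
    return 0;
}
```

With the budget set to 5, the 103-event replay produces 8 diagnostic lines plus one summary; with the switch off it produces none; unlimited mode prints all 103, which is the behaviour a serial console cannot absorb under a sustained flood.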
Yes, I'm aware of that and will provide an appropriate patch shortly.
--
Andre
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"