| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0707291922370.11113@kivilampi-30.cs.helsinki.fi> Date: Sun, 29 Jul 2007 19:28:09 +0300 (EEST) From: "Ilpo Järvinen" <ilpo.jarvinen@...sinki.fi> To: Willy Tarreau <w@....eu> cc: "Ilpo Järvinen" <ilpo.jarvinen@...sinki.fi>, "Darryl L. Miles" <darryl-mailinglists@...bauds.net>, linux-kernel@...r.kernel.org, Netdev <netdev@...r.kernel.org> Subject: Re: TCP SACK issue, hung connection, tcpdump included On Sun, 29 Jul 2007, Willy Tarreau wrote: > On Sun, Jul 29, 2007 at 12:28:04PM +0300, Ilpo Järvinen wrote: > > > [...snip...] > > > > > BTW, some information are missing. It would have been better if the trace > > > had been read with tcpdump -Svv. We would have got seq numbers and ttl. > > > Also, we do not know if there's a firewall between both sides. Sometimes, > > > some IDS identify attacks in crypted traffic and kill connections. It > > > might have been the case here, with the connection closed one way on an > > > intermediate firewall. > > > > Yeah, firewall or some other issue, I'd say it's quite unlikely a bug in > > TCP because behavior to both directions indicate client -> sender > > blackhole independently of each other... > > It would also be possible that something stupid between both ends simply > drops packets with the SACK option set. Also something which sometimes > happen is that some firewalls automatically translate sequence numbers > but not necessarily SACK values, which could pretty well lead to this > packet being received but ignored on the server side. ...One can toggle those off with /proc/sys/net/ipv4/tcp_dsack but I suspect DSACKs are not the cause because these retransmissions neither are making it through (there are many of them also earlier in the log, just quoted the easiest ones :-) ): > > > > 09:36:44.335591 IP CLIENT.50727 > SERVER.ssh: P 2991:3039(48) ack 18464 win > > > > 378 <nop,nop,timestamp 800227942 7692910> > > > > 09:38:44.351950 IP CLIENT.50727 > SERVER.ssh: P 2991:3039(48) ack 18464 win > > > > 378 <nop,nop,timestamp 800257942 7692910> > > > > 09:40:44.368172 IP CLIENT.50727 > SERVER.ssh: P 2991:3039(48) ack 18464 win > > > > 378 <nop,nop,timestamp 800287943 7692910> ...there are no SACKs involved in them, yet no cumulative ACK ever arrives from SERVER... -- i.
Powered by blists - more mailing lists