lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1432707139.4060.351.camel@edumazet-glaptop2.roam.corp.google.com>
Date:	Tue, 26 May 2015 23:12:19 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Gopakumar Choorakkot Edakkunni <gopakumar.c.e@...il.com>
Cc:	netdev@...r.kernel.org
Subject: Re: Bug in tcp timestamp option ? TSecr in SYN-ACK != TSval in SYN

On Tue, 2015-05-26 at 22:47 -0700, Gopakumar Choorakkot Edakkunni wrote:
> All,
> 
> The original query I had posted is here :
> http://stackoverflow.com/questions/30414350/tcp-syn-ack-tsecr-not-matching-tsval-in-syn
> .. The summary is that once in a while, the TSval in SYN is not what
> is getting echoed in TSecr, and looks like something on amazon aws
> side is very strict about that and drops those packets. Any clues on
> this - whether its a known issue/fixed elsewhere etc. would be of
> great help.

I guess that if you send SYN packets 3 times as your email did on
netdev, that might cause some issues...

More seriously, server has a SYN_RECV socket with same tuple, because of
a SYN sent earlier :

8:36:00.593136 IP XX.YY.ZZ.VV.24548 > AA.BB.CC.DD.443: Flags [S], seq
1204544933, win 29200, options [mss 1320,sackOK,TS val 6032576 ecr
0,nop,wscale 7], length 0

18:36:00.593171 IP AA.BB.CC.DD.443 > XX.YY.ZZ.VV.24548: Flags [S.], seq
986069863, ack 1204544934, win 14480, options [mss 1460,sackOK,TS val
180940028 ecr 6001497,nop,wscale 5], length 0

18:36:00.992699 IP AA.BB.CC.DD.443 > XX.YY.ZZ.VV.24548: Flags [S.], seq
986069863, ack 1204544934, win 14480, options [mss 1460,sackOK,TS val
180940128 ecr 6001497,nop,wscale 5], length 0


>From these traces, we can guess a SYN packet was sent about 31 seconds
earlier.

SYNACK rtx do not update the TSECR : Initial SYN TSval value (6001497)
is mirrored.

Are you establishing many active sessions per minute to this particular
target ?


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ