From toor@itga.com.au  Tue Sep 24 20:20:55 2002
Return-Path: <toor@itga.com.au>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 384FD37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 Sep 2002 20:20:55 -0700 (PDT)
Received: from ns.itga.com.au (ns.itga.com.au [202.53.40.210])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 14FF443E77
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 Sep 2002 20:20:54 -0700 (PDT)
	(envelope-from toor@itga.com.au)
Received: from lightning.itga.com.au (lightning.itga.com.au [192.168.71.20])
	by ns.itga.com.au (8.9.3/8.9.3) with ESMTP id NAA53812
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 25 Sep 2002 13:20:53 +1000 (EST)
	(envelope-from toor@itga.com.au)
Received: from grollo.itga.com.au (grollo.itga.com.au [192.168.71.140])
	by lightning.itga.com.au (8.9.3/8.9.3) with ESMTP id NAA23677;
	Wed, 25 Sep 2002 13:20:52 +1000 (EST)
Received: from grollo.itga.com.au (localhost [127.0.0.1])
	by grollo.itga.com.au (8.12.6/8.11.6) with ESMTP id g8P3Kqcs073392
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 25 Sep 2002 13:20:52 +1000 (EST)
	(envelope-from toor@grollo.itga.com.au)
Received: (from root@localhost)
	by grollo.itga.com.au (8.12.6/8.12.6/Submit) id g8P3Kq9E073391;
	Wed, 25 Sep 2002 13:20:52 +1000 (EST)
Message-Id: <200209250320.g8P3Kq9E073391@grollo.itga.com.au>
Date: Wed, 25 Sep 2002 13:20:52 +1000 (EST)
From: Gregory Bond <gnb@itga.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: PATCH: make tcp.log_in_vain distinguish SYN from SYN-ACK
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         43348
>Category:       kern
>Synopsis:       PATCH: make tcp.log_in_vain distinguish SYN from SYN-ACK
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    cjc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 24 20:30:01 PDT 2002
>Closed-Date:    Tue May 20 21:47:59 PDT 2003
>Last-Modified:  Tue May 20 21:47:59 PDT 2003
>Originator:     Gregory Bond
>Release:        FreeBSD 4.7-PRERELEASE i386
>Organization:
ITG Australia Ltd
>Environment:
System: FreeBSD grollo.itga.com.au 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #13: Tue Sep 10 17:23:35 EST 2002 toor@grollo.itga.com.au:/usr/obj/usr/src/sys/GROLLO i386

>Description:

The tcp.log_in_vain sysctl sends a kernel log message whenever an
incoming TCP packet is received but where there is no waiting socket
to receive it.  Setting log_in_vain to 1 will only log SYN (i.e.
connection setup) packets, which are often caused by someone trying
to portscan your box.

However, there are sometimes cases where the incoming orphaned SYN
packet is quite valid, and not caused by portscanning at all.  If
a program on this box (or a NAT'd connection from this box on behalf
of an internal host) is trying to connect to a service (e.g. web
server or mail server) on a remote machine that has a very slow
network connection, this system will send out a TCP SYN packet, but
not get anything back straight away.  The user (or the program) may
then give up, which will remove the waiting socket.  Eventually,
the remote site responds with a TCP SYN-ACK packet, but the log_in_vain
code logs this as a SYN packet and it is easily mistaken for a
portscan.  (You can't rely on the dest port=25/80 to disambiguate, as
many port scans are done using these ports as the remote source port
to try and get around naive firewall rules.)

The attached patch makes log_in_vain=3 behave the same way as
log_in_vain=1 except for the case of an orphaned incoming SYN-ACK
packet, which is specially flagged in the log message.  This helps
to disambiguate real port scans from the case of late SYN-ACKs from
slow hosts.

[Another possibility is to make log_in_vain=3 ignore SYN-ACK packets,
or just make log_in_vain=1 ignore them.  I chose the current
arrangement as having least backwards-compatibility impact.  I leave
that up to TPTB to decide which is the best solution!]

>How-To-Repeat:
        sysctl -w net.inet.tcp.log_in_vain=1

        Try to connect to slow external servers.
        Watch for occasional log messages that mistakenly imply the
        remote host is portscanning you.
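The "watch for log messages" step above can be done after the fact over a syslog file rather than by eye. The program below is an added example, not part of this PR or of FreeBSD: it parses log_in_vain lines in both the unchanged "Connection attempt to TCP ..." form and the form with a trailing "flags: 0x%02x" field that is proposed in the audit trail of this PR, decodes the TCP flag byte, and separates bare SYNs (a real connection attempt to a closed port, or a scan) from SYN-ACKs (a late reply to a connection this host already gave up on). The sample log lines are constructed, only IPv4 dotted-quad addresses are assumed, and the TH_* bit values are copied from <netinet/tcp.h> so it builds on any system.

```c
#include <stdio.h>
#include <string.h>

/* TCP flag bits, same values as <netinet/tcp.h> (copied so this builds stand-alone). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

enum verdict {
    SYN_ONLY = 0,   /* bare SYN: connection attempt to a closed port, or a scan */
    SYN_ACK,        /* SYN|ACK: late reply to a connection we already abandoned */
    SYN_UNKNOWN,    /* old-format line: it was a SYN, but the flag byte was not logged */
    OTHER_FLAGS,    /* SYN plus bits no normal connect sets (SYN|FIN, SYN|RST, ...) */
    VERDICT_COUNT
};

struct in_vain {
    char dst[64];   /* local address the packet was aimed at */
    int  dport;
    char src[64];   /* remote address the packet came from */
    int  sport;
    int  flags;     /* TCP flag byte, or -1 when the line carries no "flags:" field */
};

/*
 * Parse one log_in_vain=1 kernel log line.  Accepts both
 *   "Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:54321"
 * and the variant with the flag byte appended
 *   "Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:54321 flags: 0x12"
 * Assumes IPv4 addresses (no ':' inside the address).  Returns 1 if the line
 * is a log_in_vain record, 0 otherwise.
 */
int parse_in_vain(const char *line, struct in_vain *out)
{
    static const char marker[] = "Connection attempt to TCP ";
    const char *p = strstr(line, marker);
    int n;

    if (p == NULL)
        return 0;
    p += sizeof(marker) - 1;
    out->flags = -1;    /* stays -1 when sscanf stops before "flags:" */
    n = sscanf(p, "%63[^:]:%d from %63[^:]:%d flags: 0x%x",
               out->dst, &out->dport, out->src, &out->sport, &out->flags);
    return n >= 4;
}

enum verdict classify(const struct in_vain *r)
{
    if (r->flags < 0)
        return SYN_UNKNOWN;
    if ((r->flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return SYN_ACK;
    /* An ECN-negotiating SYN also sets ECE|CWR and is still an ordinary connect. */
    if ((r->flags & ~(TH_ECE | TH_CWR)) == TH_SYN)
        return SYN_ONLY;
    return OTHER_FLAGS;
}

/* Single-line helpers: verdict of a line, or -1 if it is not a log_in_vain record. */
int verdict_of(const char *line)
{
    struct in_vain r;
    return parse_in_vain(line, &r) ? (int)classify(&r) : -1;
}

/* Flag byte of a line: -1 when the line has no flags field, -2 when it does not parse. */
int flags_of(const char *line)
{
    struct in_vain r;
    return parse_in_vain(line, &r) ? r.flags : -2;
}

/* Classify every line; counts[] is indexed by enum verdict.  Returns records parsed. */
int count_verdicts(const char *const *lines, int nlines, int counts[VERDICT_COUNT])
{
    struct in_vain r;
    int i, parsed = 0;

    memset(counts, 0, sizeof(int) * VERDICT_COUNT);
    for (i = 0; i < nlines; i++) {
        if (!parse_in_vain(lines[i], &r))
            continue;
        counts[classify(&r)]++;
        parsed++;
    }
    return parsed;
}

/* Constructed sample syslog lines (not a real capture). */
static const char *const sample_log[] = {
    "Sep 25 13:20:52 grollo /kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:54321 flags: 0x02",
    "Sep 25 13:20:53 grollo /kernel: Connection attempt to TCP 192.0.2.10:54322 from 203.0.113.25:80 flags: 0x12",
    "Sep 25 13:20:54 grollo /kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:80",
    "Sep 25 13:20:55 grollo /kernel: arp: 192.0.2.1 moved from 00:00:00:00:00:01 to 00:00:00:00:00:02",
};
static const int sample_log_len = sizeof(sample_log) / sizeof(sample_log[0]);

/* Statistic over the sample log: count for verdict v, or total parsed records when v < 0. */
int sample_stat(int v)
{
    int counts[VERDICT_COUNT];
    int parsed = count_verdicts(sample_log, sample_log_len, counts);
    return v < 0 ? parsed : counts[v];
}

int main(void)
{
    static const char *names[VERDICT_COUNT] =
        { "bare SYN", "SYN-ACK", "SYN (flags unknown)", "other" };
    int counts[VERDICT_COUNT], i;
    int parsed = count_verdicts(sample_log, sample_log_len, counts);

    printf("%d log_in_vain records\n", parsed);
    for (i = 0; i < VERDICT_COUNT; i++)
        printf("  %-20s %d\n", names[i], counts[i]);
    return 0;
}
```

The second sample line is the case the report describes: destination port is an ephemeral port on this host, source port is 80 on the remote host, and the flag byte 0x12 (SYN|ACK) shows it is a late reply, not a scan. The third line has source port 80 as well but no flag byte, so with the original message format it cannot be told apart from a scan using 80 as its source port.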

>Fix:


--- log_in_vain.diffs2 begins here ---
Index: share/man/man4/tcp.4
===================================================================
RCS file: /usr/ncvs/src/share/man/man4/tcp.4,v
retrieving revision 1.11.2.12
diff -u -r1.11.2.12 tcp.4
--- share/man/man4/tcp.4	29 Aug 2002 21:29:10 -0000	1.11.2.12
+++ share/man/man4/tcp.4	25 Sep 2002 01:28:47 -0000
@@ -219,8 +219,12 @@
 The value of 1 limits the logging to SYN (connection establishment)
 packets only.
 That of 2 results in any TCP packets to closed ports being logged.
+That of 3 is similar to 1 in that it only logs SYN packets, but it
+also notes when a packet is a SYN-ACK packet (which is usually the result
+of an outgoing connection being closed early, 
+rather than an incoming port scan.)
+The default value is 0 (i.e., the logging is disabled.)
 Any value unlisted above disables the logging
-(default is 0, i.e., the logging is disabled).
 .It tcp.slowstart_flightsize
 The number of packets allowed to be in-flight during the
 .Tn TCP
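Review bot: the reordering in this hunk leaves "Any value unlisted above disables the logging" without its terminating period, because the removed line "(default is 0, i.e., the logging is disabled)." carried it, and the new default-value sentence now sits between the list of values and the "any other value" sentence it used to follow. Suggest keeping the original order: "Any value unlisted above disables the logging." followed by "The default value is 0 (i.e., the logging is disabled)." with the period outside the parenthesis, and drop the trailing space after "closed early,".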
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /usr/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.107.2.30
diff -u -r1.107.2.30 tcp_input.c
--- sys/netinet/tcp_input.c	3 Sep 2002 22:32:47 -0000	1.107.2.30
+++ sys/netinet/tcp_input.c	10 Sep 2002 05:01:27 -0000
@@ -596,12 +596,14 @@
 #endif /* INET6 */
 			switch (log_in_vain) {
 			case 1:
+			case 3:
 				if(thflags & TH_SYN)
 					log(LOG_INFO,
-			    		"Connection attempt to TCP %s:%d from %s:%d\n",
+			    		"Connection attempt to TCP %s:%d from %s:%d%s\n",
 			    		dbuf, ntohs(th->th_dport),
 					sbuf,
-					ntohs(th->th_sport));
+					ntohs(th->th_sport),
+					log_in_vain == 3 && thflags & TH_ACK ? " (SYN-ACK)" : "");
 				break;
 			case 2:
 				log(LOG_INFO,
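Review bot: the ternary on the last added line relies on `&` binding tighter than `&&`, which is correct but will draw a -Wparentheses warning, and the surrounding code parenthesizes the bit test (`if(thflags & TH_SYN)`); write it as `(log_in_vain == 3 && (thflags & TH_ACK)) ? " (SYN-ACK)" : ""`. The new case only annotates SYN|ACK: a SYN carrying other unexpected bits (SYN|FIN, SYN|RST) is still logged as a plain "Connection attempt", so logging the whole flag byte, as the later patch in this PR's audit trail does, gives the reader the same SYN-ACK information and covers those cases without a new sysctl value.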
--- log_in_vain.diffs2 ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->silby 
Responsible-Changed-By: silby 
Responsible-Changed-When: Fri Jan 24 16:56:20 PST 2003 
Responsible-Changed-Why:  
Ok, I'll take a stab at this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43348 
Responsible-Changed-From-To: silby->cjc 
Responsible-Changed-By: cjc 
Responsible-Changed-When: Wed Jan 29 21:01:15 PST 2003 
Responsible-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=43348 

From: "Crist J. Clark" <crist.clark@attbi.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/43348: PATCH: make tcp.log_in_vain distinguish SYN from SYN-ACK
Date: Wed, 29 Jan 2003 21:05:36 -0800

 Grrr... This is the mail that led to me stealing this bug. silby and
 the submitter both like this solution.

 
 ----- Forwarded message from "Crist J. Clark" <crist.clark@attbi.com> -----
 
 Date: Mon, 27 Jan 2003 22:13:13 -0800
 From: "Crist J. Clark" <crist.clark@attbi.com>
 To: Mike Silbersack <silby@FreeBSD.org>
 Cc: freebsd-bugs@FreeBSD.org, Gregory Bond <gnb@itga.com.au>
 Subject: Re: kern/43348: PATCH: make tcp.log_in_vain distinguish SYN from SYN-ACK
 Reply-To: "Crist J. Clark" <cjc@freebsd.org>
 In-Reply-To: <200301250056.h0P0uZqq062114@freefall.freebsd.org>
 User-Agent: Mutt/1.4i
 X-URL: http://people.freebsd.org/~cjc/
 
 On Fri, Jan 24, 2003 at 04:56:35PM -0800, Mike Silbersack wrote:
 > Synopsis: PATCH: make tcp.log_in_vain distinguish SYN from SYN-ACK
 > 
 > Responsible-Changed-From-To: freebsd-bugs->silby
 > Responsible-Changed-By: silby
 > Responsible-Changed-When: Fri Jan 24 16:56:20 PST 2003
 > Responsible-Changed-Why: 
 > Ok, I'll take a stab at this.
 
 Wouldn't it be easier just to add the TCP flags of the offending
 packet to the log entry like we do for 2?
 
 Index: /export/freebsd/CURRENT/src/sys/netinet/tcp_input.c
 ===================================================================
 RCS file: /export/freebsd/ncvs/src/sys/netinet/tcp_input.c,v
 retrieving revision 1.187
 diff -u -r1.187 tcp_input.c
 --- /export/freebsd/CURRENT/src/sys/netinet/tcp_input.c	13 Jan 2003 11:01:19 -0000	1.187
 +++ /export/freebsd/CURRENT/src/sys/netinet/tcp_input.c	28 Jan 2003 06:10:59 -0000
 @@ -608,9 +608,9 @@
  				if (thflags & TH_SYN)
  					log(LOG_INFO,
  					    "Connection attempt to TCP %s:%d "
 -					    "from %s:%d\n",
 +					    "from %s:%d flags: 0x%02x\n",
  					    dbuf, ntohs(th->th_dport), sbuf,
 -					    ntohs(th->th_sport));
 +					    ntohs(th->th_sport), thflags);
  				break;
  			case 2:
  				log(LOG_INFO,
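Review bot: appending `flags: 0x%02x` changes the line format for every existing log_in_vain=1 user, and the tcp.4 text for value 1 ("limits the logging to SYN (connection establishment) packets only") is not updated in this diff to mention the new field or to tell the reader that 0x12 means SYN|ACK; the man page should document the field, since a raw hex byte is only useful to someone who knows the TH_* bit values. Otherwise this is the simpler change: no new sysctl value, and the full byte distinguishes SYN-ACK from a bare SYN as well as from a SYN with other bits set.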
 
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
 
 ----- End forwarded message -----
 
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
State-Changed-From-To: open->patched 
State-Changed-By: cjc 
State-Changed-When: Mon Feb 3 21:00:56 PST 2003 
State-Changed-Why:  
Committed to CURRENT. Will MFC to STABLE later this week. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43348 
State-Changed-From-To: patched->closed 
State-Changed-By: cjc 
State-Changed-When: Tue May 20 21:47:31 PDT 2003 
State-Changed-Why:  
MFC'ed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43348 
>Unformatted:
