[Gllug] One for the security gurus
Alex Hudson
home at alexhudson.com
Wed Sep 19 20:45:07 UTC 2001
On Wednesday 19 September 2001 20:03, you wrote:
> I am observing something I don't like in my syslog.
>
> kernel: Undo D-SACK 63.146.109.200/80 c2 10 ss2/65535 p0
>
> Am I wrong or is this not good?
Doesn't look un-good.
Do you compile your own kernels? I presume so, because you have debugging
enabled. The message is saying that your kernel was a little too aggressive
fighting congestion - check tcp_try_undo_dsack. You have at least
FASTRETRANS_DEBUG defined, if not more.
I wouldn't compile a kernel with debugging info enabled; most of it is pretty
useless unless you're actively following up a problem.
> For what I can assume is something to do with ss2 trying to access a web
> server, I am running squid, so nobody should be doing that. Or even trying
> to contact my port 80.
You're trying to contact _their_ port 80, surely? If not, could you give us
some more information on what that IP address means (if anything) to you?
BTW - I know ss2/65535 looks like part of a tcp connection tuple; it's not.
First clue is that the name is not fully qualified - if it was part of a
connection tuple, that would make it a local machine. Simple inspection then
says it's unlikely to be another machine. Second clue - the ss is a prefix,
and the values (2/65535, both magical) are actually tcp_opt->snd_ssthresh and
tcp_opt->prior_ssthresh - i.e., watermarks (not worth explaining :).
Don't worry about it, and install a standard kernel for goodness' sakes ;)
Cheers,
Alex.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
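
Added example (not part of the original post or of the kernel source): a small Python parser that splits such a line into named fields, so the address/port reads as the remote peer and `ss2/65535` as the two ssthresh values named in the reply. The layout beyond `ss` (`c` = snd_cwnd, `l` = left_out, `p` = packets_out, address = destination address/port) is an assumption taken from the 2.4-era `DBGUNDO` printk format; the function names and all sample lines except the first are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout (2.4-era DBGUNDO printk, net/ipv4/tcp_input.c):
#   Undo <event> <daddr>/<dport> c<snd_cwnd> l<left_out>
#        ss<snd_ssthresh>/<prior_ssthresh> p<packets_out>
UNDO_RE = re.compile(
    r"Undo (?P<event>.+?) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d{1,5}) "
    r"c(?P<cwnd>\d+) (?P<third>l?\d+) "
    r"ss(?P<ssthresh>\d+)/(?P<prior>\d+) p(?P<pkts>\d+)\s*$"
)

def parse_undo(line):
    """Return a dict of named fields, or None if the line is not an Undo record."""
    m = UNDO_RE.search(line)
    if m is None:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m["ip"]))   # rejects octets > 255
    except ValueError:
        return None
    port = int(m["port"])
    if port > 65535:
        return None
    third = m["third"]
    return {
        "event": m["event"],
        "peer": (ip, port),                  # remote end of the connection
        "snd_cwnd": int(m["cwnd"]),
        # The line quoted on the page has "10" here, without the "l" prefix;
        # keep it raw rather than guess what it was.
        "left_out": int(third[1:]) if third.startswith("l") else None,
        "third_raw": third,
        "snd_ssthresh": int(m["ssthresh"]),  # current slow-start threshold
        "prior_ssthresh": int(m["prior"]),   # threshold saved for the undo
        "packets_out": int(m["pkts"]),
    }

def undo_events_by_peer(lines):
    """Count Undo records per (event, remote ip, remote port)."""
    hits = (parse_undo(l) for l in lines)
    return Counter((h["event"],) + h["peer"] for h in hits if h)

SAMPLE = [
    "kernel: Undo D-SACK 63.146.109.200/80 c2 10 ss2/65535 p0",  # from the page
    "kernel: Undo partial loss 192.0.2.10/443 c4 l1 ss3/8 p5",   # constructed
    "kernel: Undo D-SACK 999.1.1.1/80 c2 l0 ss2/4 p0",           # constructed, bad IP
    "kernel: eth0: link up",                                      # constructed
]
```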