Is it acceptable/expected to be able to have multiple TCP sockets in
SYN_RECV with the exact same set of local IP, local port, remote IP, and
remote port? In my perhaps limited understanding of TCP, I don't think it
is possible to have multiple active connections in such a state, so why does
Linux allow multiple potential connections to exist in this manner?

This is with Linux i386 version 2.2.5 (gcc version 2.7.2.3) with syncookies
enabled. My apologies if this has been addressed in a later kernel, but
this is a production server that hasn't been rebooted since April 3rd.

I seem to have 34 exactly duplicate connections from a Windows machine
trying to create an outbound connection using a local port that it can't
receive packets on. It never seems to give up and try a different port:

tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (54.02/6)
tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (30.02/5)
tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (30.02/5)
tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (30.02/5)
tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (30.02/5)
tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (42949654.98/4)
tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (42949654.98/4)
tcp 0 0 10.0.1.57:110 10.0.3.132:5000 SYN_RECV 0 on (42949654.98/4)
[...]

Tcpdump of traffic creating these:

02:26:18.479203 10.0.3.132.5000 > 10.0.1.57.110: S 60618635:60618635(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 116, id 1684)
02:26:18.479304 10.0.1.57.110 > 10.0.3.132.5000: S 1958863693:1958863693(0) ack 60618636 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 51223)
02:26:18.556508 10.0.2.1 > 10.0.1.57: icmp: host 10.0.3.132 unreachable - admin prohibited filter (ttl 245, id 51943)
02:26:24.457839 10.0.3.132.5000 > 10.0.1.57.110: S 60618635:60618635(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 116, id 1940)
02:26:24.457929 10.0.1.57.110 > 10.0.3.132.5000: S 1964842322:1964842322(0) ack 60618636 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 51392)
02:26:24.533527 10.0.2.1 > 10.0.1.57: icmp: host 10.0.3.132 unreachable - admin prohibited filter (ttl 245, id 51949)
02:26:36.577186 10.0.3.132.5000 > 10.0.1.57.110: S 60618635:60618635(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 116, id 2196)
02:26:36.577265 10.0.1.57.110 > 10.0.3.132.5000: S 1976961663:1976961663(0) ack 60618636 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 51483)
02:26:36.656954 10.0.2.1 > 10.0.1.57: icmp: host 10.0.3.132 unreachable - admin prohibited filter (ttl 245, id 51961)
[...]
02:46:29.841531 10.0.3.132.5000 > 10.0.1.57.110: S 61812177:61812177(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 116, id 29077)
02:46:29.841650 10.0.1.57.110 > 10.0.3.132.5000: S 3254112108:3254112108(0) ack 61812178 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 1143)
02:46:29.928909 10.0.2.1 > 10.0.1.57: icmp: host 10.0.3.132 unreachable - admin prohibited filter (ttl 245, id 53051)
[...]

Occasionally Linux retries sending all of the SYNs:

02:28:07.467504 10.0.1.57.110 > 10.0.3.132.5000: S 1190049779:1190049779(0) ack 59902973 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52554)
02:28:07.467542 10.0.1.57.110 > 10.0.3.132.5000: S 1193007812:1193007812(0) ack 59902973 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52555)
02:28:07.467566 10.0.1.57.110 > 10.0.3.132.5000: S 1199025107:1199025107(0) ack 59902973 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52556)
02:28:07.467591 10.0.1.57.110 > 10.0.3.132.5000: S 1211005305:1211005305(0) ack 59902973 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52557)
02:28:07.467617 10.0.1.57.110 > 10.0.3.132.5000: S 1326027696:1326027696(0) ack 60022211 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52558)
02:28:07.467643 10.0.1.57.110 > 10.0.3.132.5000: S 1328922738:1328922738(0) ack 60022211 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52559)
02:28:07.467669 10.0.1.57.110 > 10.0.3.132.5000: S 1334940816:1334940816(0) ack 60022211 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52560)
02:28:07.467695 10.0.1.57.110 > 10.0.3.132.5000: S 1346948372:1346948372(0) ack 60022211 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52561)
02:28:07.467721 10.0.1.57.110 > 10.0.3.132.5000: S 1445159181:1445159181(0) ack 60141436 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52562)
02:28:07.467746 10.0.1.57.110 > 10.0.3.132.5000: S 1448076033:1448076033(0) ack 60141436 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52563)
02:28:07.467771 10.0.1.57.110 > 10.0.3.132.5000: S 1454080206:1454080206(0) ack 60141436 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52564)
02:28:07.467796 10.0.1.57.110 > 10.0.3.132.5000: S 1466185822:1466185822(0) ack 60141436 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 52565)
[...]
(IPs changed to protect the guilty.)
Aaron Hopkins
Chief Technical Officer
Cyberverse, Inc.
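
Added example, not part of the original post: a Python check that reads tcpdump text output in the format shown in the capture above and reports every client SYN (identified by its initial sequence number) that was answered with more than one distinct server ISN, which is the pattern the capture shows. The function name and regex are this example's own; the sample lines are copied from the capture and rejoined onto single lines.

```python
import re
from collections import defaultdict

# Old-style tcpdump text line for a SYN-ACK, as in the capture above:
# "<time> <src>.<sport> > <dst>.<dport>: S <isn>:<isn>(0) ack <n> win ..."
SYNACK = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:\s]+): S "
    r"(?P<isn>\d+):\d+\(0\) ack (?P<ack>\d+) "
)

def duplicate_synacks(lines):
    """Map (server, client, client_isn) -> sorted server ISNs, keeping only
    client SYNs that were answered with more than one distinct server ISN."""
    seen = defaultdict(set)
    for line in lines:
        m = SYNACK.match(line.strip())
        if not m:
            continue  # plain SYNs, ICMP errors and "[...]" markers are skipped
        # A SYN-ACK acknowledges the client's ISN + 1 (modulo 2**32).
        client_isn = (int(m["ack"]) - 1) % 2**32
        seen[(m["src"], m["dst"], client_isn)].add(int(m["isn"]))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Lines taken from the capture in the post, rejoined onto single lines.
SAMPLE = """\
02:26:18.479203 10.0.3.132.5000 > 10.0.1.57.110: S 60618635:60618635(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 116, id 1684)
02:26:18.479304 10.0.1.57.110 > 10.0.3.132.5000: S 1958863693:1958863693(0) ack 60618636 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 51223)
02:26:18.556508 10.0.2.1 > 10.0.1.57: icmp: host 10.0.3.132 unreachable - admin prohibited filter (ttl 245, id 51943)
02:26:24.457929 10.0.1.57.110 > 10.0.3.132.5000: S 1964842322:1964842322(0) ack 60618636 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 51392)
02:26:36.577265 10.0.1.57.110 > 10.0.3.132.5000: S 1976961663:1976961663(0) ack 60618636 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 51483)
02:46:29.841650 10.0.1.57.110 > 10.0.3.132.5000: S 3254112108:3254112108(0) ack 61812178 win 32696 <mss 536,nop,nop,sackOK> (DF) (ttl 64, id 1143)
""".splitlines()

if __name__ == "__main__":
    for (server, client, isn), isns in duplicate_synacks(SAMPLE).items():
        print(f"{client} SYN isn={isn}: {len(isns)} SYN-ACK ISNs from {server}: {isns}")
```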