# Question regarding syncache & syncookie



## benpptung (Nov 13, 2010)

My box (xxx.xxx.xxx.xxx) has received thousands of the following messages in a couple of hours.
What does this mean?

I've done some study (sorry, I am a newbie, if I raise a stupid question) to understand what the message means, and would like somebody to help me if I am wrong. I made the guess according to the explanation linked here: Kernel Interface Manual of FreeBSD, syncache

"Does this mean somebody in China sends an ACK packet to me; since my firewall allows port 22 incoming packets, the packet passes through the firewall, but my box cannot find the initial SYN in the syncache, so syncookie takes care of the connection, then something happened and failed. At last, log the message?"

Is this a DoS-like attack? Or something that doesn't matter: just because log_in_vain will log everything, I got a lot of noise. (I've also found a post here: FBSD7 network noise)

So, what does this mean? What should I do?

Thanks.


```
Nov 13 07:50:04 app1-101 kernel: TCP: [119.254.12.34]:38931 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:08 app1-101 kernel: TCP: [119.254.12.34]:39496 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:09 app1-101 kernel: TCP: [119.254.12.34]:39496 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:13 app1-101 kernel: TCP: [119.254.12.34]:40052 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:19 app1-101 kernel: TCP: [119.254.12.34]:40601 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:19 app1-101 kernel: TCP: [119.254.12.34]:40601 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:28 app1-101 kernel: TCP: [119.254.12.34]:41587 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:28 app1-101 kernel: TCP: [119.254.12.34]:41587 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:33 app1-101 kernel: TCP: [119.254.12.34]:42149 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:33 app1-101 kernel: TCP: [119.254.12.34]:42149 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:38 app1-101 kernel: TCP: [119.254.12.34]:42693 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:39 app1-101 kernel: TCP: [119.254.12.34]:42693 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:43 app1-101 kernel: TCP: [119.254.12.34]:43246 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:44 app1-101 kernel: TCP: [119.254.12.34]:43246 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:48 app1-101 kernel: TCP: [119.254.12.34]:43793 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:49 app1-101 kernel: TCP: [119.254.12.34]:43793 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:53 app1-101 kernel: TCP: [119.254.12.34]:44342 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:50:54 app1-101 kernel: TCP: [119.254.12.34]:44342 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:03 app1-101 kernel: TCP: [119.254.12.34]:45357 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:03 app1-101 kernel: TCP: [119.254.12.34]:45357 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:08 app1-101 kernel: TCP: [119.254.12.34]:40786 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:08 app1-101 kernel: TCP: [119.254.12.34]:40786 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:13 app1-101 kernel: TCP: [119.254.12.34]:41341 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:13 app1-101 kernel: TCP: [119.254.12.34]:41341 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:18 app1-101 kernel: TCP: [119.254.12.34]:41893 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:18 app1-101 kernel: TCP: [119.254.12.34]:41893 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:23 app1-101 kernel: TCP: [119.254.12.34]:42445 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:23 app1-101 kernel: TCP: [119.254.12.34]:42445 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:28 app1-101 kernel: TCP: [119.254.12.34]:42997 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:28 app1-101 kernel: TCP: [119.254.12.34]:42997 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:33 app1-101 kernel: TCP: [119.254.12.34]:43541 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:33 app1-101 kernel: TCP: [119.254.12.34]:43541 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:43 app1-101 kernel: TCP: [119.254.12.34]:44515 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
Nov 13 07:51:43 app1-101 kernel: TCP: [119.254.12.34]:44515 to [xxx.xxx.xxx.xxx]:22 
tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment 
rejected (probably spoofed)
```


----------



## brd@ (Nov 14, 2010)

And what are the values of the sysctls set to? Likely it is an infected machine scanning. I would recommend firewalling off all the services that do not need to be accessed from the internet and restrict the others as much as you can. For example I only allow ssh to be accessed from some known IPs that I will connect from, i.e. work.


----------
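To triage a log like the one in the question, this added example (not code from either poster) groups the rejected `syncache_expand` segments by source address and separates distinct connection attempts from repeats of the same flow. The sample input is constructed with documentation addresses; the name `summarize`, the host name `host1` and the default year are assumptions (syslog lines carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format shown in the question: each kernel message
# is wrapped over three lines, and an unrelated sshd line is mixed in.
_TEMPLATE = ("Nov 13 {ts} host1 kernel: TCP: [{src}]:{sport} to [198.51.100.5]:22 \n"
             "tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE "
             "authentication, segment \nrejected (probably spoofed)\n")
SAMPLE = "".join(_TEMPLATE.format(ts=t, src=s, sport=p) for t, s, p in [
    ("07:50:04", "192.0.2.10", 38931), ("07:50:08", "192.0.2.10", 39496),
    ("07:50:09", "192.0.2.10", 39496), ("07:50:13", "192.0.2.10", 40052),
    ("07:51:04", "203.0.113.7", 51000),
]) + "Nov 13 07:51:05 host1 sshd[811]: Connection closed by 203.0.113.7\n"

ENTRY = re.compile(
    r"(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) \S+ kernel: TCP: "
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags \S+; syncache_expand: Segment failed SYNCOOKIE authentication")

def summarize(text, year=2010):
    """Return per-source statistics for rejected SYN-cookie segments."""
    flat = " ".join(text.split())  # undo line wrapping inside each record
    per_src = defaultdict(lambda: {"segments": 0, "flows": set(), "times": []})
    for m in ENTRY.finditer(flat):
        s = per_src[m["src"]]
        s["segments"] += 1
        s["flows"].add((int(m["sport"]), int(m["dport"])))
        s["times"].append(
            datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    report = {}
    for src, s in per_src.items():
        report[src] = {
            "segments": s["segments"],
            # a new source port means a new connection attempt
            "attempts": len(s["flows"]),
            # same source port and destination port logged again
            "repeats": s["segments"] - len(s["flows"]),
            "dports": sorted({dport for _, dport in s["flows"]}),
            "span_s": (max(s["times"]) - min(s["times"])).total_seconds(),
        }
    return report

if __name__ == "__main__":
    for src, stats in summarize(SAMPLE).items():
        print(src, stats)
```

A single source with many attempts against one destination port over a long span is the pattern to restrict at the firewall, as recommended above.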

