[j-nsp] "ssb TCP: Bad TCP offset"

Kevin Day toasty at dragondata.com
Mon Aug 8 15:54:13 EDT 2005



Does anyone else get lots of syslog messages like these:



Aug  5 20:10:49  core1-chi ssb TCP: Bad TCP offset (4, 20) from 24.51.167.100
Aug  5 20:17:24  core1-chi ssb TCP: Bad TCP offset (60, 20) from 68.170.32.205
Aug  5 20:19:12  core1-chi ssb TCP: Bad TCP offset (0, 20) from 60.63.21.105
Aug  5 20:22:18  core1-chi ssb TCP: Bad TCP offset (4, 28) from 62.233.190.97
Aug  5 20:26:43  core1-chi ssb TCP: Bad TCP offset (0, 20) from 60.63.21.105
Aug  5 20:30:13  core1-chi ssb TCP: Bad TCP offset (0, 20) from 60.63.21.105
Aug  5 20:31:16  core1-chi ssb TCP: Bad TCP offset (32, 20) from 69.169.27.3
Aug  5 20:31:58  core1-chi ssb TCP: Bad TCP offset (12, 20) from 68.170.32.205
Aug  5 20:39:11  core1-chi ssb TCP: Bad TCP offset (28, 20) from 60.63.21.105
Aug  5 20:43:10  core1-chi ssb TCP: Bad TCP offset (48, 20) from 70.33.193.187
Aug  5 20:57:14  core1-chi ssb TCP: Bad TCP offset (0, 20) from 69.175.85.125
Aug  5 21:02:03  core1-chi ssb TCP: Bad TCP offset (24, 20) from 68.170.32.205
Aug  5 21:16:33  core1-chi ssb TCP: Bad TCP offset (16, 20) from 68.170.43.125
Aug  5 21:17:08  core1-chi ssb TCP: Bad TCP offset (0, 20) from 60.63.21.105
Aug  5 21:37:21  core1-chi ssb TCP: Bad TCP offset (0, 20) from 60.63.21.105
Aug  5 21:58:16  core1-chi ssb TCP: Bad TCP offset (24, 20) from 69.162.161.105
Aug  5 21:59:43  core1-chi ssb TCP: Bad TCP offset (40, 20) from 24.54.42.46
Aug  5 22:03:43  core1-chi ssb TCP: Bad TCP offset (36, 20) from 24.255.214.80
Aug  5 22:06:38  core1-chi ssb TCP: Bad TCP offset (4, 20) from 68.170.43.125
Aug  5 22:10:31  core1-chi ssb TCP: Bad TCP offset (40, 20) from 68.234.74.198
Aug  5 22:14:53  core1-chi ssb TCP: Bad TCP offset (56, 20) from 68.234.69.100
Aug  5 22:32:18  core1-chi ssb TCP: Bad TCP offset (40, 20) from 68.99.178.63
Aug  5 22:54:18  core1-chi ssb TCP: Bad TCP offset (24, 20) from 24.52.73.113
Aug  5 23:00:04  core1-chi ssb TCP: Bad TCP offset (36, 20) from 24.52.2.77
Aug  5 23:05:14  core1-chi ssb TCP: Bad TCP offset (0, 20) from 220.87.1.63
Aug  5 23:09:14  core1-chi ssb TCP: Bad TCP offset (0, 20) from 70.35.48.45
Aug  5 23:16:15  core1-chi ssb TCP: Bad TCP offset (44, 20) from 220.87.1.63
Aug  5 23:28:50  core1-chi ssb TCP: Bad TCP offset (44, 20) from 66.110.197.20
Aug  5 23:29:06  core1-chi ssb TCP: Bad TCP offset (36, 20) from 66.110.197.20
Aug  5 23:31:02  core1-chi ssb TCP: Bad TCP offset (56, 20) from 220.87.1.63
Aug  5 23:49:19  core1-chi ssb TCP: Bad TCP offset (4, 20) from 142.177.202.88
Aug  5 23:59:36  core1-chi ssb TCP: Bad TCP offset (52, 20) from 69.163.2.234


Aug  8 07:53:30  core-ams feb TCP: Bad TCP offset (12, 364) from 80.171.31.50
Aug  8 07:53:33  core-ams feb TCP: Bad TCP offset (12, 528) from 80.171.31.50
Aug  8 07:53:44  core-ams feb TCP: Bad TCP offset (12, 528) from 80.171.31.50
Aug  8 07:55:20  core-ams feb last message repeated 5 times
Aug  8 07:56:15  core-ams feb TCP: Bad TCP offset (12, 528) from 80.171.31.50
Aug  8 08:26:20  core-ams feb TCP: Bad TCP offset (12, 528) from 80.171.31.50
Aug  8 08:26:30  core-ams feb last message repeated 3 times
Aug  8 08:26:32  core-ams feb TCP: Bad TCP offset (12, 364) from 80.171.31.50
Aug  8 08:26:42  core-ams feb last message repeated 7 times
Aug  8 08:26:42  core-ams feb TCP: Bad TCP offset (12, 528) from 80.171.31.50
Aug  8 08:26:54  core-ams feb TCP: Bad TCP offset (12, 364) from 80.171.31.50
Aug  8 08:26:54  core-ams feb TCP: Bad TCP offset (12, 364) from 80.171.31.50
Aug  8 08:27:06  core-ams feb TCP: Bad TCP offset (12, 528) from 80.171.31.50
Aug  8 08:27:18  core-ams feb TCP: Bad TCP offset (12, 364) from 80.171.31.50
Aug  8 08:27:18  core-ams feb TCP: Bad TCP offset (12, 364) from 80.171.31.50
Aug  8 08:28:42  core-ams feb TCP: Bad TCP offset (12, 528) from 80.171.31.50
Aug  8 08:29:26  core-ams feb TCP: Bad TCP offset (12, 364) from 80.171.31.50

We've got two M-series routers (an M5 and an M20), in completely
different environments, running different versions (6.2 and 7.2) and
they both flood my logs with them.

I've tracked down a few of our customers with static IPs who have  
shown up in our logs, and none of them appear to be doing anything  
unusual to trigger this.

Does anyone know exactly what causes this message to appear? My usual  
Juniper gurus have said "never seen that before".
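
Added example, not part of the original post: a small triage script that summarizes "Bad TCP offset" lines per router, source address and number pair, so that recurring sources stand out from one-off ones. The function names and sample lines are constructed for illustration; the post does not say what the two numbers in parentheses mean, so the script treats them as an opaque pair.

```python
import re
from collections import Counter

# Constructed sample in the format shown in the post (documentation addresses),
# including the mail-wrapped form where the source IP lands on its own line.
SAMPLE = """\
Aug  8 07:53:30  core-ams feb TCP: Bad TCP offset (12, 364) from
192.0.2.50
Aug  8 07:53:44  core-ams feb TCP: Bad TCP offset (12, 528) from 192.0.2.50
Aug  8 07:55:20  core-ams feb last message repeated 5 times
Aug  5 20:10:49  core1-chi ssb TCP: Bad TCP offset (4, 20) from
198.51.100.7
Aug  5 20:19:12  core1-chi ssb TCP: Bad TCP offset (0, 20) from 203.0.113.9
"""

IP = r"\d+(?:\.\d+){3}"
PREFIX = r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+"
EVENT = re.compile(PREFIX + r"TCP: Bad TCP offset \((?P<a>\d+), (?P<b>\d+)\) from\s+(?P<src>" + IP + r")$")
REPEAT = re.compile(PREFIX + r"last message repeated (?P<n>\d+) times$")

def unwrap(text):
    """Rejoin lines where the mail client wrapped the source IP onto its own line."""
    out = []
    for line in (raw.rstrip() for raw in text.splitlines()):
        if out and out[-1].endswith(" from") and re.fullmatch(IP, line):
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out

def summarize(text):
    """Count events per (host, source, (first, second)), honouring syslog repeats."""
    counts = Counter()
    last = {}  # (host, proc) -> key of the most recent event from that logger
    for line in unwrap(text):
        m = EVENT.match(line)
        if m:
            key = (m["host"], m["src"], (int(m["a"]), int(m["b"])))
            counts[key] += 1
            last[(m["host"], m["proc"])] = key
            continue
        r = REPEAT.match(line)
        if r and (r["host"], r["proc"]) in last:
            counts[last[(r["host"], r["proc"])]] += int(r["n"])
    return counts

if __name__ == "__main__":
    for (host, src, pair), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {host:10s} {src:15s} {pair}")
```

A "last message repeated N times" line is credited to the most recent matching event from the same router and process, which is only accurate when the input has not been filtered in a way that drops intervening messages.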



