[j-nsp] "ssb TCP: Bad TCP offset"

Hannes Gredler hannes at juniper.net
Sat Aug 13 16:55:02 EDT 2005 

that message is being generated by the ukernel on the SSB
when it tries to build a tcp-reset response
and detects that the original packet triggering
the firewall reject action is malformed;

so somebody is poking at your network ...

/hannes

On Mon, Aug 08, 2005 at 02:54:13PM -0500, Kevin Day wrote:
| 
| 
| Does anyone else get lots of syslog messages like these:
| 
| 
| 
| Aug  5 20:10:49  core1-chi ssb TCP: Bad TCP offset (4, 20) from  
| 24.51.167.100
| Aug  5 20:17:24  core1-chi ssb TCP: Bad TCP offset (60, 20) from  
| 68.170.32.205
| Aug  5 20:19:12  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 60.63.21.105
| Aug  5 20:22:18  core1-chi ssb TCP: Bad TCP offset (4, 28) from  
| 62.233.190.97
| Aug  5 20:26:43  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 60.63.21.105
| Aug  5 20:30:13  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 60.63.21.105
| Aug  5 20:31:16  core1-chi ssb TCP: Bad TCP offset (32, 20) from  
| 69.169.27.3
| Aug  5 20:31:58  core1-chi ssb TCP: Bad TCP offset (12, 20) from  
| 68.170.32.205
| Aug  5 20:39:11  core1-chi ssb TCP: Bad TCP offset (28, 20) from  
| 60.63.21.105
| Aug  5 20:43:10  core1-chi ssb TCP: Bad TCP offset (48, 20) from  
| 70.33.193.187
| Aug  5 20:57:14  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 69.175.85.125
| Aug  5 21:02:03  core1-chi ssb TCP: Bad TCP offset (24, 20) from  
| 68.170.32.205
| Aug  5 21:16:33  core1-chi ssb TCP: Bad TCP offset (16, 20) from  
| 68.170.43.125
| Aug  5 21:17:08  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 60.63.21.105
| Aug  5 21:37:21  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 60.63.21.105
| Aug  5 21:58:16  core1-chi ssb TCP: Bad TCP offset (24, 20) from  
| 69.162.161.105
| Aug  5 21:59:43  core1-chi ssb TCP: Bad TCP offset (40, 20) from  
| 24.54.42.46
| Aug  5 22:03:43  core1-chi ssb TCP: Bad TCP offset (36, 20) from  
| 24.255.214.80
| Aug  5 22:06:38  core1-chi ssb TCP: Bad TCP offset (4, 20) from  
| 68.170.43.125
| Aug  5 22:10:31  core1-chi ssb TCP: Bad TCP offset (40, 20) from  
| 68.234.74.198
| Aug  5 22:14:53  core1-chi ssb TCP: Bad TCP offset (56, 20) from  
| 68.234.69.100
| Aug  5 22:32:18  core1-chi ssb TCP: Bad TCP offset (40, 20) from  
| 68.99.178.63
| Aug  5 22:54:18  core1-chi ssb TCP: Bad TCP offset (24, 20) from  
| 24.52.73.113
| Aug  5 23:00:04  core1-chi ssb TCP: Bad TCP offset (36, 20) from  
| 24.52.2.77
| Aug  5 23:05:14  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 220.87.1.63
| Aug  5 23:09:14  core1-chi ssb TCP: Bad TCP offset (0, 20) from  
| 70.35.48.45
| Aug  5 23:16:15  core1-chi ssb TCP: Bad TCP offset (44, 20) from  
| 220.87.1.63
| Aug  5 23:28:50  core1-chi ssb TCP: Bad TCP offset (44, 20) from  
| 66.110.197.20
| Aug  5 23:29:06  core1-chi ssb TCP: Bad TCP offset (36, 20) from  
| 66.110.197.20
| Aug  5 23:31:02  core1-chi ssb TCP: Bad TCP offset (56, 20) from  
| 220.87.1.63
| Aug  5 23:49:19  core1-chi ssb TCP: Bad TCP offset (4, 20) from  
| 142.177.202.88
| Aug  5 23:59:36  core1-chi ssb TCP: Bad TCP offset (52, 20) from  
| 69.163.2.234
| 
| 
| Aug  8 07:53:30  core-ams feb TCP: Bad TCP offset (12, 364) from  
| 80.171.31.50
| Aug  8 07:53:33  core-ams feb TCP: Bad TCP offset (12, 528) from  
| 80.171.31.50
| Aug  8 07:53:44  core-ams feb TCP: Bad TCP offset (12, 528) from  
| 80.171.31.50
| Aug  8 07:55:20  core-ams feb last message repeated 5 times
| Aug  8 07:56:15  core-ams feb TCP: Bad TCP offset (12, 528) from  
| 80.171.31.50
| Aug  8 08:26:20  core-ams feb TCP: Bad TCP offset (12, 528) from  
| 80.171.31.50
| Aug  8 08:26:30  core-ams feb last message repeated 3 times
| Aug  8 08:26:32  core-ams feb TCP: Bad TCP offset (12, 364) from  
| 80.171.31.50
| Aug  8 08:26:42  core-ams feb last message repeated 7 times
| Aug  8 08:26:42  core-ams feb TCP: Bad TCP offset (12, 528) from  
| 80.171.31.50
| Aug  8 08:26:54  core-ams feb TCP: Bad TCP offset (12, 364) from  
| 80.171.31.50
| Aug  8 08:26:54  core-ams feb TCP: Bad TCP offset (12, 364) from  
| 80.171.31.50
| Aug  8 08:27:06  core-ams feb TCP: Bad TCP offset (12, 528) from  
| 80.171.31.50
| Aug  8 08:27:18  core-ams feb TCP: Bad TCP offset (12, 364) from  
| 80.171.31.50
| Aug  8 08:27:18  core-ams feb TCP: Bad TCP offset (12, 364) from  
| 80.171.31.50
| Aug  8 08:28:42  core-ams feb TCP: Bad TCP offset (12, 528) from  
| 80.171.31.50
| Aug  8 08:29:26  core-ams feb TCP: Bad TCP offset (12, 364) from  
| 80.171.31.50
| 
| We've got two m-series routers(an M5 and an M20), in completely  
| different environments, running different versions (6.2 and 7.2) and  
| they both flood my logs with them.
| 
| I've tracked down a few of our customers with static IPs who have  
| shown up in our logs, and none of them appear to be doing anything  
| unusual to trigger this.
| 
| Does anyone know exactly what causes this message to appear? My usual  
| Juniper gurus have said "never seen that before".
|

More information about the juniper-nsp mailing list