Security Incidents mailing list archives
Re: [incidents] strange log
From: Tim Kennedy <tim () timkennedy net>
Date: Thu, 22 Apr 2004 16:34:34 -0400
On Thu, 22 Apr 2004, Emilio Casbas wrote:
> Apr 21 21:28:55 moria kernel: TCP: Treason uncloaked! Peer external_ip/80 shrinks window 1466359669:1466360884. Repaired.
>
> We've been googling, but we don't know if it is an attack or a bad negotiation. Any suggestion?
I've experienced this as well, and found through googling, and posting
similar log entries to other lists, that it could be:

1) a lame DoS attempt
     zero window size you keep sending data forever
2) a b0rken TCP stack
     older rfc's used to allow window resize, but now frowned upon
3) a mobile tcp stack
     phones request small amounts of data at a time
4) a b0rken packet mangling device
     not playing nicely with incoming and outgoing packets
5) related to having TCP debugging enabled in the linux kernel

From tcp_timer.c (linux 2.4.x):
---------------------------------------------------------------------------------
        if (tp->snd_wnd == 0 && !sk->dead &&
            !((1<<sk->state)&(TCPF_SYN_SENT|TCPF_SYN_RECV))) {
                /* Receiver dastardly shrinks window. Our retransmits
                 * become zero probes, but we should not timeout this
                 * connection. If the socket is an orphan, time it out,
                 * we cannot allow such beasts to hang infinitely.
                 */
#ifdef TCP_DEBUG
                if (net_ratelimit())
                        printk(KERN_DEBUG "TCP: Treason uncloaked! Peer %u.%u.%u.%u:%u/%u shrinks window %u:%u. Repaired.\n",
                               NIPQUAD(sk->daddr), htons(sk->dport), sk->num,
                               tp->snd_una, tp->snd_nxt);
#endif
---------------------------------------------------------------------------------

Personally, the best explanation I found for it is here:
http://www.linuxquestions.org/questions/archive/3/2003/12/4/127984
and is more relevant to a lame DoS attack than anything else.

Cheers,
-Tim

--
There are 10 types of people on Earth. Those who understand binary, and those who don't.