Security Incidents mailing list archives

Re: [incidents] strange log


From: Tim Kennedy <tim () timkennedy net>
Date: Thu, 22 Apr 2004 16:34:34 -0400



On Thu, 22 Apr 2004, Emilio Casbas wrote:

Apr 21 21:28:55 moria kernel: TCP: Treason uncloaked! Peer 
external_ip/80 shrinks window 1466359669:1466360884. Repaired.

We've been googling, but we don't know if it is an attack or a bad negotiation.
Any suggestions?


I've experienced this as well, and found through googling, and posting 
similar log entries to other lists, that it could be:

1) a lame DoS attempt
        zero window size you keep sending data forever
2) a b0rken TCP stack
        older RFCs used to allow window resize, but now frowned upon
3) a mobile tcp stack
        phones request small amounts of data at a time
4) a b0rken packet mangling device
        not playing nicely with incoming and outgoing packets

5) related to having TCP debugging enabled in the linux kernel

From tcp_timer.c (linux 2.4.x):
---------------------------------------------------------------------------------
        if (tp->snd_wnd == 0 && !sk->dead &&
            !((1<<sk->state)&(TCPF_SYN_SENT|TCPF_SYN_RECV))) {
                /* Receiver dastardly shrinks window. Our retransmits
                 * become zero probes, but we should not timeout this
                 * connection. If the socket is an orphan, time it out,
                 * we cannot allow such beasts to hang infinitely.
                 */
#ifdef TCP_DEBUG
                if (net_ratelimit())
                        printk(KERN_DEBUG "TCP: Treason uncloaked! Peer %u.%u.%u.%u:%u/%u shrinks window %u:%u. Repaired.\n",
                               NIPQUAD(sk->daddr), htons(sk->dport), sk->num,
                               tp->snd_una, tp->snd_nxt);
#endif
---------------------------------------------------------------------------------


Personally, the best explanation I found for it is here:

http://www.linuxquestions.org/questions/archive/3/2003/12/4/127984

and is more relevant to a lame DoS attack than anything else.

Cheers,

-Tim

-- 
There are 10 types of people on Earth.  Those who understand binary, and those who don't.
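
Added example (not part of the original message or of the kernel source): a triage script that parses this kernel message using the field order of the printk format string quoted above (peer IP:peer port/local port, then snd_una:snd_nxt) and groups events per peer, so a single misbehaving stack can be told apart from repeated events from one source. The posted log line was redacted to "external_ip/80", so the sample lines and addresses below are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Field layout follows the printk format string quoted from tcp_timer.c:
# Peer <ip>:<peer port>/<local port> shrinks window <snd_una>:<snd_nxt>
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<una>\d+):(?P<nxt>\d+)\. Repaired\."
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Apr 21 21:28:55 moria kernel: TCP: Treason uncloaked! Peer 192.0.2.10:3412/80 shrinks window 1466359669:1466360884. Repaired.
Apr 21 21:29:10 moria kernel: TCP: Treason uncloaked! Peer 192.0.2.10:3415/80 shrinks window 4294967000:200. Repaired.
Apr 21 21:31:02 moria kernel: TCP: Treason uncloaked! Peer 198.51.100.7:1029/80 shrinks window 5000:6460. Repaired.
Apr 21 21:31:05 moria sshd[411]: unrelated line
"""

def parse_line(line):
    """Return a dict of the message fields, or None for other log lines."""
    m = TREASON_RE.search(line)
    if not m:
        return None
    una, nxt = int(m["una"]), int(m["nxt"])
    return {
        "peer": m["ip"],
        "peer_port": int(m["dport"]),
        "local_port": int(m["lport"]),
        # Sequence numbers are 32-bit and wrap, so subtract modulo 2**32.
        "unacked_bytes": (nxt - una) % 2**32,
    }

def summarize(log_text):
    """Group events by (peer, local port): count and largest unacked span."""
    stats = defaultdict(lambda: {"events": 0, "max_unacked": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[(ev["peer"], ev["local_port"])]
        s["events"] += 1
        s["max_unacked"] = max(s["max_unacked"], ev["unacked_bytes"])
    return dict(stats)

if __name__ == "__main__":
    for (peer, lport), s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{peer} -> local port {lport}: {s['events']} events, "
              f"max {s['max_unacked']} unacked bytes")
```

The two numbers after "shrinks window" are snd_una and snd_nxt, so their difference is the amount of sent but unacknowledged data on that connection, not a window size.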
