kernel: TCP: Treason uncloaked!

Burke, Thomas G. tg.burke at ngc.com
Thu Aug 4 15:27:33 UTC 2005


From the Debian list:


To: "Jason Lim" <maillist at jasonlim.com>, <debian-isp at lists.debian.org> 
Subject: Re: Apr 17 10:49:49 teks kernel: TCP: Treason uncloaked! Peer 210.135.175.47:43827/
From: Russell Coker <russell at coker.com.au> 
Date: Thu, 18 Apr 2002 04:33:36 +0200 
In-reply-to: <045801c1e671$76cca2e0$360210ac at zentekgateway> 
Message-id: <20020418023337.6A14923FC at lyta.coker.com.au> 
References: <045801c1e671$76cca2e0$360210ac at zentekgateway> 
Reply-to: Russell Coker <russell at coker.com.au> 


On Thu, 18 Apr 2002 01:43, Jason Lim wrote:
> Hi all,
>
> can anyone make sense of the following?
>
> Apr 17 10:49:49 teks kernel: TCP: Treason uncloaked! Peer 210.135.175.47:43827/80 shrinks window 2321430930:2321431630. Repaired.
>
> What is this "Treason uncloaked"?

From /usr/src/linux/net/ipv4/tcp_timer.c:

        if (tp->snd_wnd == 0 && !sk->dead &&
            !((1<<sk->state)&(TCPF_SYN_SENT|TCPF_SYN_RECV))) {
                /* Receiver dastardly shrinks window. Our retransmits
                 * become zero probes, but we should not timeout this
                 * connection. If the socket is an orphan, time it out,
                 * we cannot allow such beasts to hang infinitely.
                 */
#ifdef TCP_DEBUG
                if (net_ratelimit())
                        printk(KERN_DEBUG "TCP: Treason uncloaked! Peer %u.%u.%u.%u:%u/%u shrinks window %u:%u. Repaired.\n",
                               NIPQUAD(sk->daddr), htons(sk->dport), sk->num,
                               tp->snd_una, tp->snd_nxt);
#endif

So it appears that someone is running some sort of "tar-pit" system that is designed to keep sockets in a bad state and run you out of kernel memory.

I suspect that this ties in with the spam blocking things we recently discussed.  Maybe you should tell your ISP that they are to blame for such actions being done to you and that they should "give you face" (I think that was the term you used) by closing their open relays.

> I think the following is unrelated, but I also found a lot of them (50+) in the logs:
>
> Apr 16 19:52:54 teks kernel: UDP: bad checksum. From 195.212.86.48:16384 to xxx.194.146.xxx:33618 ulen 20
> Apr 16 19:53:00 teks kernel: UDP: bad checksum. From 195.212.86.48:16384 to xxx.194.146.xxx:33561 ulen 20

UDP and TCP, no direct relation.  But if someone's trying something nasty on one protocol they might be trying something nasty on another.  The IPs are different, but faking the source of UDP is no great challenge.

> About 6 hours later, the box crashed (not sure if it could be related to the above attacks).

Someone who's doing the tar-pit attack would probably like your box to crash, but I'd hope that Linux can withstand such things, and there is special-case code in there to deal with it.  My guess is that your posting to the ide-arrays list about 3ware driver problems is a more likely explanation of the crash.

-- 
If you send email to me or to a mailing list that I use which has >4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.



-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rushan Sobar
Sent: Wednesday, August 03, 2005 3:35 PM
To: 'General Red Hat Linux discussion list'
Subject: kernel: TCP: Treason uncloaked!

Hi,

When I view my log file /var/log/messages, I notice the following error:

Aug  2 11:19:44 mec kernel: TCP: Treason uncloaked! Peer 195.158.204.56:38087/80 shrinks window 2266547506:2266559926. Repaired.

Is it risky? What does "kernel: TCP: Treason uncloaked" mean?

Regards
Rushan

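The following is an added example, not code from the original thread and not from the Linux kernel excerpt quoted above. It does three things a practitioner wants when this message shows up: it parses the 2.4-era log line (the two lines quoted on this page are used as input), it computes the bytes in flight from the snd_una:snd_nxt pair with wrap-safe sequence arithmetic, and it models the quoted tcp_timer.c branch as a decision function so the "Repaired" behaviour is explicit: a zero window with data outstanding on a live, fully open connection turns the retransmit into a zero-window probe instead of a timeout, and only an orphaned socket is timed out. The struct tcp_send_state, the state enum, apply_ack_window, on_retransmit_timer and the ACK/window scenario in main are constructed for this example and are not the kernel's types or functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One 2.4-era "Treason uncloaked" line: the printk quoted above emits
 * Peer <daddr>:<dport>/<local port> shrinks window <snd_una>:<snd_nxt>,
 * so the two large numbers bound the data sent but not yet acknowledged. */
struct treason_event {
    char     peer_ip[16];
    unsigned peer_port;
    unsigned local_port;
    uint32_t snd_una;
    uint32_t snd_nxt;
};

/* Sequence numbers wrap at 2^32: compare through the signed 32-bit difference. */
static int32_t seq_diff(uint32_t a, uint32_t b)  { return (int32_t)(a - b); }
static bool    seq_after(uint32_t a, uint32_t b) { return seq_diff(a, b) > 0; }

/* Parse one syslog line; false when it is not a treason line or is malformed. */
bool parse_treason_line(const char *line, struct treason_event *ev)
{
    static const char marker[] = "Treason uncloaked! Peer ";
    const char *p = strstr(line, marker);
    if (p == NULL)
        return false;
    p += sizeof marker - 1;

    unsigned a, b, c, d;
    unsigned long una, nxt;
    int n = sscanf(p, "%u.%u.%u.%u:%u/%u shrinks window %lu:%lu. Repaired.",
                   &a, &b, &c, &d, &ev->peer_port, &ev->local_port, &una, &nxt);
    if (n != 8 || a > 255 || b > 255 || c > 255 || d > 255 ||
        ev->peer_port > 65535 || ev->local_port > 65535)
        return false;
    snprintf(ev->peer_ip, sizeof ev->peer_ip, "%u.%u.%u.%u", a, b, c, d);
    ev->snd_una = (uint32_t)una;
    ev->snd_nxt = (uint32_t)nxt;
    return true;
}

/* Bytes sent but unacknowledged when the kernel logged the line. */
uint32_t bytes_in_flight(const struct treason_event *ev)
{
    return (uint32_t)seq_diff(ev->snd_nxt, ev->snd_una);
}

/* Illustrative connection states for the model (not the kernel's numbering). */
enum tcp_state { ST_ESTABLISHED, ST_SYN_SENT, ST_SYN_RECV };

struct tcp_send_state {          /* constructed sender state, not the kernel's struct */
    uint32_t snd_una, snd_nxt, snd_wnd;
    bool     dead;               /* orphan: the process closed it, kernel still draining it */
    enum tcp_state state;
};

/* Apply an incoming segment's ACK number and advertised window. Returns true when
 * the new right edge (snd_una + snd_wnd) falls behind data already sent, i.e. the
 * peer shrank its window, which RFC 1122 4.2.2.16 discourages but senders must survive. */
bool apply_ack_window(struct tcp_send_state *s, uint32_t ack, uint32_t win)
{
    if (seq_after(ack, s->snd_una) && !seq_after(ack, s->snd_nxt))
        s->snd_una = ack;        /* cumulative ACK moves the left edge */
    s->snd_wnd = win;
    return seq_after(s->snd_nxt, s->snd_una + s->snd_wnd);
}

enum rto_action { RTO_RETRANSMIT, RTO_ZERO_WINDOW_PROBE, RTO_ORPHAN_TIMEOUT };

/* Simplified model of the quoted tcp_timer.c branch: zero window plus outstanding
 * data on a live, fully open connection becomes a zero-window probe and is not
 * timed out; an orphaned socket in that state may time out; otherwise ordinary RTO. */
enum rto_action on_retransmit_timer(const struct tcp_send_state *s)
{
    bool opening = s->state == ST_SYN_SENT || s->state == ST_SYN_RECV;
    if (s->snd_wnd == 0 && !opening && seq_after(s->snd_nxt, s->snd_una))
        return s->dead ? RTO_ORPHAN_TIMEOUT : RTO_ZERO_WINDOW_PROBE;
    return RTO_RETRANSMIT;
}

int main(void)
{
    /* The two log lines quoted on this page. */
    const char *lines[] = {
        "Apr 17 10:49:49 teks kernel: TCP: Treason uncloaked! Peer 210.135.175.47:43827/80 shrinks window 2321430930:2321431630. Repaired.",
        "Aug  2 11:19:44 mec kernel: TCP: Treason uncloaked! Peer 195.158.204.56:38087/80 shrinks window 2266547506:2266559926. Repaired.",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct treason_event ev;
        if (parse_treason_line(lines[i], &ev))
            printf("%s:%u -> local port %u: %lu bytes in flight against a zero window\n",
                   ev.peer_ip, ev.peer_port, ev.local_port, (unsigned long)bytes_in_flight(&ev));
    }
    /* Constructed scenario: peer acks nothing new and advertises window 0 with 700 bytes outstanding. */
    struct tcp_send_state s = { .snd_una = 2321430930u, .snd_nxt = 2321431630u,
                                .snd_wnd = 1460, .dead = false, .state = ST_ESTABLISHED };
    bool shrunk = apply_ack_window(&s, 2321430930u, 0);
    printf("window shrank: %s, timer action: %d\n", shrunk ? "yes" : "no", (int)on_retransmit_timer(&s));
    return 0;
}
```

Two things follow from the excerpt itself: the message is only compiled in under TCP_DEBUG and is throttled by net_ratelimit(), so the log undercounts events, and a single line is an ordinary, tolerated TCP event (a peer advertising a smaller window than it already granted) that the kernel handles without dropping the connection. What separates a broken peer stack from a deliberate tar-pit is how many connections and distinct peers do this over time, so run parse_treason_line over the whole log and count per peer_ip before drawing conclusions.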