Treason uncloaked

Steve Buehler steve at ibapp.com
Wed Feb 23 21:26:17 UTC 2005


I have a web server that goes down every once in a while.  I have to
manually restart it.  It is running RHL 7.3 with 2.4.20-28.7 for the kernel
with Apache/1.3.27.  When I run dmesg, I get the following messages:
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
There were more.  Mainly from these two addresses, but there were
others.  Also some of them were for port 443 (yes, I know...https) instead
of 80.
In the httpd logs I find that the 217 IP listed above is using Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)
The 213 IP shows Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
So I don't really think it is a specific browser problem like some of the
info I found on the web said.

The /var/log/httpd/ssl_engine_log only shows one entry for:
/Feb/2004 07:25:59 11018] [error] SSL handshake timed out (client 217.26.84.76, server www.mysite.org:443)

I have been googling around on the web and find a lot of info about it, but
nothing that I understand unless we are getting a DOS attack against
us.  The closest thing that sounded like something that I could halfway
understand was:
"when a client attempts to resize the packet window after the connection
has been established. It's either a buggy client (buggy web browser or
something) or someone is trying to do a silly DOS attack by having the
linux kernel consume all its TCP buffer and so new connections will lag."
I don't quite understand the resizing of the packet window.  But I do
understand a DOS attack.  Anyway, by the looks of it everybody who had this
problem (that I found googling) was running an older operating system like
RHL 7.3.  Only one instance did I find of someone getting these
messages on a newer OS than 7.3.  That was on RHL 8.  So, would it be
logical to assume that if I upgrade the OS to, let's say, RHEL 4, I
probably wouldn't get these messages anymore?  Was it a bug or security
hole that was fixed?  Is it in Apache?  Or would it be something else?

Thanks
Steve
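A small triage script for the dmesg lines quoted above, added here as an example and not part of Steve's post or of the kernel. It parses the 2.4 kernel's "Treason uncloaked" message (the two numbers it prints are the server's own snd_una and snd_nxt, so their difference is the data still unacknowledged when the peer's window hit zero) and counts events per peer and local port, which is the first thing a defender wants to know when deciding between a few buggy clients and something broader. The sample input is constructed from the four lines in the post plus one made-up port-443 line from a documentation address.

```python
import re
from collections import Counter

# Shape of the 2.4 kernel message as quoted in the post:
#   TCP: Treason uncloaked! Peer <ip>:<peer port>/<local port> shrinks window <snd_una>:<snd_nxt>. Repaired.
# "\s+" before the sequence numbers lets the pattern survive a line wrap in a pasted log.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<peer_port>\d+)"
    r"/(?P<local_port>\d+) shrinks window\s+(?P<snd_una>\d+):(?P<snd_nxt>\d+)\. Repaired\."
)

# Constructed sample: the post's four lines (one deliberately wrapped, as pasted
# logs often are) plus an invented port-443 event from RFC 5737 address 192.0.2.10
# whose sequence numbers wrap around 2^32.
SAMPLE_DMESG = """\
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window
3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 192.0.2.10:51000/443 shrinks window 4294967295:4. Repaired.
"""


def parse_treason(text):
    """Return one record per kernel message found in text."""
    events = []
    for m in TREASON_RE.finditer(text):
        snd_una, snd_nxt = int(m["snd_una"]), int(m["snd_nxt"])
        events.append({
            "peer": m["ip"],
            "peer_port": int(m["peer_port"]),
            "local_port": int(m["local_port"]),
            # TCP sequence numbers are 32-bit, so take the difference modulo 2^32
            "in_flight": (snd_nxt - snd_una) % (1 << 32),
        })
    return events


def per_peer_counts(events):
    """Count messages per (peer address, local port) so repeat peers stand out."""
    return Counter((e["peer"], e["local_port"]) for e in events)


if __name__ == "__main__":
    for (peer, port), n in per_peer_counts(parse_treason(SAMPLE_DMESG)).most_common():
        print(f"{peer} -> local port {port}: {n} message(s)")
```

Running it over a real dmesg dump (`dmesg | python3 treason.py` after swapping in `sys.stdin.read()`) gives the per-peer tally; a handful of peers each repeating, as in the post, looks like client or path trouble, while many distinct peers hammering one port is the pattern that would justify looking further.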