aztech Tux's lil' helper
Joined: 29 Jul 2002 Posts: 130 Location: Stenungsund, Sweden
Posted: Sun Jul 20, 2008 12:10 pm Post subject: What is, Treason uncloaked ?
OK .. what does this mean ??
Never seen it before.
Code:
Jul 20 01:14:22 bionic TCP: Treason uncloaked! Peer 90.225.104.170:60095/49139 shrinks window 2119026980:2119029692. Repaired.

Code:
bionic ~ # cat /var/log/messages | grep Treason | wc -l
1302
As you can see, the message occurs kind of often and, as far as I can see, it started Jul 15 and has been continuing till now, and it's always from the same IP in my logs ..
What can it be ?
BR
Andreas
Hu Administrator
Joined: 06 Mar 2007 Posts: 23062
Posted: Sun Jul 20, 2008 3:47 pm
This message comes from net/ipv4/tcp_timer.c in tcp_retransmit_timer. The comment indicates that the receiver tried to shrink the TCP window. What are you doing when these messages appear? Is your ISP violating IP in any way?
zyko l33t
Joined: 01 Jun 2008 Posts: 620 Location: Munich, Germany
Posted: Sun Jul 20, 2008 4:12 pm
Is this happening on a server or on a desktop machine? Is there more than one IP causing this?
Afaik, this is indicative of someone who isn't quite conforming to TCP/IP standards, either intentionally (exploit attempt) or unintentionally (some sort of firewall maybe?).
aztech Tux's lil' helper
Joined: 29 Jul 2002 Posts: 130 Location: Stenungsund, Sweden
Posted: Sun Jul 20, 2008 4:40 pm
zyko wrote:
> Is this happening on a server or on a desktop machine? Is there more than one IP causing this?
> Afaik, this is indicative of someone who isn't quite conforming to TCP/IP standards, either intentionally (exploit attempt) or unintentionally (some sort of firewall maybe?).
This is a server acting as a router/firewall/httpd etc. for my local network at home.
I saw this recently when trying to find out why the server has such a high load
compared to normal. The load is above 4.0 now compared to around 1.5 ..
The httpd is very much slower now than before also ...
Yeah, and there are attempts from multiple IPs.
Any ideas ??
zyko l33t
Joined: 01 Jun 2008 Posts: 620 Location: Munich, Germany
Posted: Sun Jul 20, 2008 10:51 pm
Unless you have a reason not to, I'd suggest you ban all the fishy IPs via IPfilter until we maybe find out more about the specifics. This pretty much smells like a generic exploit attempt to me, though I have never myself seen this kind of behaviour in my own server logs.
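As an added example (not posted in the thread), a small Python parser for the kernel message quoted above that aggregates events per peer IP and per local port, so you can see how many peers are involved and which local service they are talking to before deciding what to block. The fields are peer IP:peer port/local port followed by snd_una:snd_nxt, the sender's unacknowledged byte range, which is what the printk in net/ipv4/tcp_timer.c emits; the sample lines other than the one from the thread are constructed.

```python
import re
from collections import Counter

# Matches the "Treason uncloaked" line as written by net/ipv4/tcp_timer.c:
# Peer <ip>:<peer port>/<local port> shrinks window <snd_una>:<snd_nxt>.
TREASON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ TCP: Treason uncloaked! "
    r"Peer (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<peer_port>\d+)/(?P<local_port>\d+) "
    r"shrinks window (?P<snd_una>\d+):(?P<snd_nxt>\d+)\. Repaired\.$"
)

def parse_treason(line):
    """Return the message fields as a dict, or None for unrelated syslog lines."""
    m = TREASON_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("peer_port", "local_port", "snd_una", "snd_nxt"):
        ev[key] = int(ev[key])
    # TCP sequence numbers wrap at 2**32, so take the modular difference.
    ev["in_flight"] = (ev["snd_nxt"] - ev["snd_una"]) % 2**32
    return ev

def summarize(lines):
    """Count events per peer IP and per local port; track first/last timestamp per peer."""
    per_peer, per_local_port, first_last = Counter(), Counter(), {}
    for line in lines:
        ev = parse_treason(line)
        if ev is None:
            continue
        per_peer[ev["ip"]] += 1
        per_local_port[ev["local_port"]] += 1
        first, _ = first_last.get(ev["ip"], (ev["ts"], ev["ts"]))
        first_last[ev["ip"]] = (first, ev["ts"])
    return per_peer, per_local_port, first_last

# Constructed sample: the line from the thread plus made-up lines (not real log data).
SAMPLE = """\
Jul 20 01:14:22 bionic TCP: Treason uncloaked! Peer 90.225.104.170:60095/49139 shrinks window 2119026980:2119029692. Repaired.
Jul 20 01:14:25 bionic TCP: Treason uncloaked! Peer 90.225.104.170:60096/49139 shrinks window 2119026980:2119029692. Repaired.
Jul 20 01:15:02 bionic TCP: Treason uncloaked! Peer 192.0.2.10:40000/80 shrinks window 4294967000:120. Repaired.
Jul 20 01:15:03 bionic sshd[1234]: Accepted publickey for andreas from 192.0.2.5
"""

if __name__ == "__main__":
    peers, ports, span = summarize(SAMPLE.splitlines())
    for ip, n in peers.most_common():
        print(f"{ip}: {n} events, first {span[ip][0]}, last {span[ip][1]}")
    print("local ports involved:", dict(ports))
```

Run it against the real file with `summarize(open("/var/log/messages"))` to replace the bare grep count with a per-peer breakdown.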