Gentoo Forums
WTF is "TCP: Treason uncloaked!" in my dmesg logs?
Gentoo Forums Forum Index Networking & Security
Antimatter
Guru
Joined: 11 Aug 2003
Posts: 463

PostPosted: Fri Jul 01, 2005 7:02 am    Post subject: WTF is "TCP: Treason uncloaked!" in my dmesg logs?

Quote:

TCP: Treason uncloaked! Peer 129.74.98.152:4229/16887 shrinks window 1370809679:1370814859. Repaired.
TCP: Treason uncloaked! Peer 64.105.34.85:1374/16887 shrinks window 916799403:916800698. Repaired.
TCP: Treason uncloaked! Peer 71.111.69.7:3512/16887 shrinks window 4213539874:4213541169. Repaired.
TCP: Treason uncloaked! Peer 129.74.98.152:4229/16887 shrinks window 1372893334:1372898514. Repaired.
TCP: Treason uncloaked! Peer 24.60.110.202:33242/16887 shrinks window 3100985037:3100986332. Repaired.
TCP: Treason uncloaked! Peer 64.105.34.85:1374/16887 shrinks window 919227528:919228823. Repaired.
TCP: Treason uncloaked! Peer 216.175.106.17:20724/16887 shrinks window 3228397791:3228402971. Repaired.
TCP: Treason uncloaked! Peer 140.211.166.170:80/43626 shrinks window 129551310:129553900. Repaired.
TCP: Treason uncloaked! Peer 64.34.166.198:80/51578 shrinks window 1220956164:1220957459. Repaired.
TCP: Treason uncloaked! Peer 129.74.98.152:4229/16887 shrinks window 1374970514:1374971809. Repaired.
TCP: Treason uncloaked! Peer 68.8.6.76:44450/51445 shrinks window 1019475136:1019479021. Repaired.
TCP: Treason uncloaked! Peer 68.8.6.76:44450/51445 shrinks window 1020960329:1020966804. Repaired.
TCP: Treason uncloaked! Peer 216.175.106.17:20724/16887 shrinks window 3231741481:3231746661. Repaired.
TCP: Treason uncloaked! Peer 64.105.34.85:3676/16887 shrinks window 331174556:331175851. Repaired.
TCP: Treason uncloaked! Peer 64.105.34.85:3676/16887 shrinks window 331253551:331254846. Repaired.
TCP: Treason uncloaked! Peer 67.85.157.147:54695/16887 shrinks window 430818849:430821439. Repaired.
TCP: Treason uncloaked! Peer 71.111.69.7:3512/16887 shrinks window 4217707184:4217708479. Repaired.
TCP: Treason uncloaked! Peer 67.85.157.147:54695/16887 shrinks window 430868059:430869354. Repaired.
TCP: Treason uncloaked! Peer 129.74.98.152:4229/16887 shrinks window 1376950569:1376954454. Repaired.
TCP: Treason uncloaked! Peer 129.74.98.152:4229/16887 shrinks window 1376984239:1376985534. Repaired.
TCP: Treason uncloaked! Peer 68.238.173.101:6233/39520 shrinks window 4251357348:4251362528. Repaired.
TCP: Treason uncloaked! Peer 203.217.35.16:24751/16887 shrinks window 3554368216:3554373396. Repaired.
TCP: Treason uncloaked! Peer 64.105.34.85:3882/16887 shrinks window 3484901339:3484907814. Repaired.
TCP: Treason uncloaked! Peer 68.8.6.76:44450/51445 shrinks window 1024048904:1024055379. Repaired.
TCP: Treason uncloaked! Peer 68.238.173.101:6233/39520 shrinks window 4253621008:4253622303. Repaired.
TCP: Treason uncloaked! Peer 68.8.6.76:44450/51445 shrinks window 1024468484:1024472369. Repaired.
TCP: Treason uncloaked! Peer 71.111.69.7:3512/16887 shrinks window 4221234048:4221236638. Repaired.
TCP: Treason uncloaked! Peer 24.50.190.166:3238/16887 shrinks window 4273166283:4273168873. Repaired.
TCP: Treason uncloaked! Peer 68.190.200.36:61656/16887 shrinks window 3395888432:3395891022. Repaired.
TCP: Treason uncloaked! Peer 69.119.112.131:1579/16887 shrinks window 209138084:209141969. Repaired.
TCP: Treason uncloaked! Peer 216.175.106.17:20724/16887 shrinks window 3237860356:3237864241. Repaired.
TCP: Treason uncloaked! Peer 68.8.6.76:44450/51445 shrinks window 1028164414:1028169594. Repaired.


WTF is this? Over a whole day I get approximately 100 of these in my logs and I'm wondering what they are, and if they have anything to do with BitTornado?
MrUlterior
Guru
Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Fri Jul 01, 2005 9:39 am    Post subject: Re: WTF is "TCP: Treason uncloaked!" in my dmesg l

Amazing what you can find with Google ..

1. https://www.redhat.com/archives/redhat-list/2005-June/msg00311.html

2. http://www.linuxquestions.org/questions/archive/3/2003/12/4/127984
Quote:

Hmmm, actually searching google gave an answer to this in the very first result. You haven't looked very hard, have you?

In any case, the short answer is that it looks like someone is spoofing an IP, feigning a connection to your http and pop3 servers, then setting their window size to 0 so your daemon sits there trying to send them the data over and over (for instance, they may start a connection and immediately set their window to 0, so you cannot send back the http or pop3 connection banner message). Interestingly enough, this IP address is from unallocated space and the exact same IP shows up in other posts about the same message. I suspect it's a DoS tool that is in circulation, or the same attacker (since the IP is often the same).

You'd best set iptables to block all packets from BOGON networks (nets that shouldn't exist) so you can avoid this type of attack. You may find a list of bogon nets here. Note: unallocated nets change from time to time! Just in November IANA allocated two more blocks to RIPE, so you really need to pay attention if you're blocking all bogon IPs.


But the basic gist is that someone is attempting something malicious. Piss off some script kiddies recently?
_________________

Misanthropy 2.0 - enough hate to go around
Antimatter
Guru
Joined: 11 Aug 2003
Posts: 463

PostPosted: Fri Jul 01, 2005 2:55 pm

Quote:

But the basic gist is that someone is attempting something malicious. Piss off some script kiddies recently?


I actually have no idea there. I'm running on a satellite modem with 64 KiB down and 6 KiB up, so it wouldn't be that great of a zombie server because of my crappy upload rate and crappy ping; it usually exceeds 3,000+ ms to ping the satellite central server. So... yeah.

The satellite modem is connected to a Windows XP box with no firewall on it, *shrugs*, it's my parents' computer and it's their job to keep the security up but they don't, but I probably need to work on that, but I can't get Service Pack 2 to work on the damn thing.

Satellite -> XP computer -> my computer.

And the only thing that is forwarded from the Windows XP computer is 9 port that I randomly selected for BitTorrent. And that's IT.

As for pissing off script kiddies, I have no idea there; I haven't been on AIM since I came home about a month ago, and I have only sent a few e-mails to colleges and relatives, and mainly surfing forums, lurking at most of them.

So I highly doubt I pissed anyone off to my knowledge, and it only happened recently.


And sorry for not searching; it was 2 am in the morning and I was pretty tired, I was just doing some preliminary checkups before I shut down the machine and I saw this.


But with that in mind, is there any good firewall for the Windows XP box so I can install some and tighten things up a bit?
cs.cracker
n00b
Joined: 06 Mar 2005
Posts: 62

PostPosted: Fri Jul 01, 2005 7:48 pm

I would recommend getting a router instead of a software firewall, that way you will not have to rely on another machine for your security.
Antimatter
Guru
Joined: 11 Aug 2003
Posts: 463

PostPosted: Fri Jul 01, 2005 9:15 pm

cs.cracker wrote:
I would recommend getting a router instead of a software firewall, that way you will not have to rely on another machine for your security.


I am, a Linksys wireless router; I need wireless for the laptop and I figured it's the perfect time to also grab a router, so it'll do until I do some more research on some of the embedded solutions out there.


An interesting thing I noticed is that I shut down my BitTorrent upload and download and the TCP corruption has stopped, but when I turn BitTorrent back on I start getting mass TCP corruption.

So any ideas there?

I'm using BitTornado.
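The question in the first post (what the lines mean and whether they relate to the BitTorrent client) and the observation in the last post (the messages stop when BitTorrent is stopped) can both be checked from the log itself, by parsing the lines and aggregating them per local port and per peer. The script below is an added example, not code from the thread or from any kernel or BitTornado source. It assumes the 2.6-era message format shown in the post, where the two numbers after "shrinks window" are the kernel's snd_una and snd_nxt for the connection (so their difference is data sent but not yet acknowledged when the peer's zero window arrived), and it assumes that local port 16887, which appears on most of the posted lines, is the forwarded BitTorrent port; the sample input reuses five lines from the post plus one constructed unrelated dmesg line.

```python
import re
from collections import Counter

# Message format printed by the 2.6-era kernel retransmit timer when a peer
# advertises a zero receive window while we still have unacknowledged data:
#   TCP: Treason uncloaked! Peer <ip>:<peer_port>/<local_port> shrinks window <snd_una>:<snd_nxt>. Repaired.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d+(?:\.\d+){3}):(?P<peer_port>\d+)/(?P<local_port>\d+) "
    r"shrinks window (?P<una>\d+):(?P<nxt>\d+)\. Repaired\."
)


def parse_treason(line):
    """Parse one dmesg line; return a dict of fields, or None for any other message."""
    m = TREASON_RE.search(line)
    if m is None:
        return None
    una, nxt = int(m.group("una")), int(m.group("nxt"))
    return {
        "ip": m.group("ip"),
        "peer_port": int(m.group("peer_port")),
        "local_port": int(m.group("local_port")),
        # Bytes sent but not yet acked when the zero window arrived (assumption:
        # the two numbers are snd_una and snd_nxt); modulo 2**32 handles wraparound.
        "in_flight": (nxt - una) % (1 << 32),
    }


def summarize(lines, watched_port):
    """Aggregate events so one noisy peer stands out from ordinary P2P churn."""
    events = [e for e in map(parse_treason, lines) if e is not None]
    by_local_port = Counter(e["local_port"] for e in events)
    by_peer = Counter((e["ip"], e["peer_port"]) for e in events)
    return {
        "total": len(events),
        "on_watched_port": by_local_port[watched_port],  # Counter returns 0 if absent
        "by_local_port": by_local_port,
        "by_peer": by_peer,
        "max_in_flight": max((e["in_flight"] for e in events), default=0),
    }


# Sample input: five lines from the post above plus one constructed, unrelated dmesg line.
SAMPLE_DMESG = [
    "TCP: Treason uncloaked! Peer 129.74.98.152:4229/16887 shrinks window 1370809679:1370814859. Repaired.",
    "TCP: Treason uncloaked! Peer 64.105.34.85:1374/16887 shrinks window 916799403:916800698. Repaired.",
    "TCP: Treason uncloaked! Peer 140.211.166.170:80/43626 shrinks window 129551310:129553900. Repaired.",
    "TCP: Treason uncloaked! Peer 68.8.6.76:44450/51445 shrinks window 1019475136:1019479021. Repaired.",
    "TCP: Treason uncloaked! Peer 129.74.98.152:4229/16887 shrinks window 1372893334:1372898514. Repaired.",
    "eth0: link up, 100Mbps, full-duplex",  # constructed: not a treason line, must be ignored
]

if __name__ == "__main__":
    s = summarize(SAMPLE_DMESG, watched_port=16887)
    print(f"{s['total']} events, {s['on_watched_port']} on local port 16887, "
          f"max {s['max_in_flight']} bytes in flight")
    for (ip, port), n in s["by_peer"].most_common():
        print(f"  peer {ip}:{port}  {n} event(s)")
    for lp, n in sorted(s["by_local_port"].items()):
        print(f"  local port {lp}: {n} event(s)")
```

Run against the full list in the first post, the per-local-port counts show most events on the one forwarded port, with the remainder on high ephemeral ports talking to peer port 80 (ordinary outbound web fetches), and the per-peer counts show the events spread over many peers rather than one source hammering the host. That pattern fits a P2P client whose remote peers repeatedly fill their receive buffers on a slow link, which is the benign reading of this message; a single peer (or a bogon-space address, as the quoted reply describes) dominating the per-peer count would be the case worth firewalling. Every in-flight value computed from the posted lines is a multiple of 1295 bytes, consistent with whole segments outstanding on that link.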