[TriLUG] A kernel message I'm not familiar with

Tanner Lovelace clubjuggler at gmail.com
Tue Apr 25 13:27:04 EDT 2006


On 4/25/06, crimsun at fungus.sh.nu <crimsun at fungus.sh.nu> wrote:
> On Tue, Apr 25, 2006 at 10:51:47AM -0400, Tanner Lovelace wrote:
> > Apr 25 09:31:39 bebop kernel: TCP: Treason uncloaked! Peer
> > 200.219.181.35:24117/80 shrinks window 3787637969:3787637970.
> > Repaired.
>
> It is not necessarily an attack at all. Many packet manglers (packeteer
> comes to mind) do ... interesting things.
>
> The code in question is part of the TCP retransmit timer and deals with
> the receiver [mistakenly|maliciously] shrinking the receive window. The
> stack works around that.
>
> You shouldn't be alarmed offhand. If it happens repeatedly, there's
> probably muckery afoot upstream.

I was actually more amused by the error message ("Treason uncloaked!")
than alarmed but your point is well taken.  I've only seen one of these in
my logs while I see people trying to log into ssh every single day. :-(

A friend in irc pointed me to this mailing list message which seems
to suggest the client is trying to (reverse) "tar-pit" my system and
"run [me] out of kernel memory".

https://www.redhat.com/archives/redhat-list/2005-June/msg00311.html

That's an interesting idea, but from the log message, it seems
the kernel hackers already thought of that.

Cheers,
Tanner
--
Tanner Lovelace
clubjuggler at gmail dot com
http://wtl.wayfarer.org/
(fieldless) In fess two roundels in pale, a billet fesswise and an
increscent, all sable.
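
The "if it happens repeatedly" check from the quoted reply, written out as an added example that is not part of the original thread: it parses "Treason uncloaked!" lines out of syslog and reports peers that trigger the message several times. The threshold of 3, the field names, and every sample line except the first (which is the one from the post, joined onto one line) are assumptions made for illustration.

```python
import re
from collections import Counter

# Format of the kernel message quoted in the post. The field names are this
# example's reading of it: peer address, peer port / local port, then the
# two sequence numbers the kernel prints after "shrinks window".
TREASON_RE = re.compile(
    r"kernel: TCP: Treason uncloaked! "
    r"Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<peer_port>\d+)/(?P<local_port>\d+) "
    r"shrinks window (?P<seq_lo>\d+):(?P<seq_hi>\d+)\. Repaired\."
)

def parse_line(line):
    """Return the fields of one 'Treason uncloaked!' line, or None."""
    m = TREASON_RE.search(line)
    if not m:
        return None
    rec = {k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}
    # TCP sequence numbers are 32-bit and wrap, so subtract modulo 2**32.
    rec["span"] = (rec["seq_hi"] - rec["seq_lo"]) % 2**32
    return rec

def repeat_peers(lines, threshold=3):
    """Map peer IP -> event count for peers seen at least `threshold` times."""
    counts = Counter(r["ip"] for r in map(parse_line, lines) if r)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log. Line 1 is the message from the post; the rest are
# made up and use documentation addresses (192.0.2.0/24).
SAMPLE_LOG = [
    "Apr 25 09:31:39 bebop kernel: TCP: Treason uncloaked! Peer "
    "200.219.181.35:24117/80 shrinks window 3787637969:3787637970. Repaired.",
    "Apr 25 09:40:02 bebop sshd[4211]: Failed password for root from "
    "192.0.2.77 port 40122 ssh2",
    "Apr 25 10:02:11 bebop kernel: TCP: Treason uncloaked! Peer "
    "192.0.2.10:40001/80 shrinks window 4294967290:5. Repaired.",
    "Apr 25 10:02:45 bebop kernel: TCP: Treason uncloaked! Peer "
    "192.0.2.10:40002/80 shrinks window 1000:1001. Repaired.",
    "Apr 25 10:03:30 bebop kernel: TCP: Treason uncloaked! Peer "
    "192.0.2.10:40003/80 shrinks window 2000:2001. Repaired.",
]

if __name__ == "__main__":
    for ip, n in sorted(repeat_peers(SAMPLE_LOG).items()):
        print(f"{ip}: {n} shrunken-window events, worth a look upstream")
```

The kernel rate-limits this message, so the counts are a lower bound on how often a peer actually shrank its window.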


