Treason uncloaked

From: Steve Buehler (steve_at_ibapp.com)
Date: 02/23/05

    Date: Wed, 23 Feb 2005 15:26:17 -0600
    To: redhat-list@redhat.com
    
    

    I have a web server that goes down every once in a while. I have to
    manually restart. It is running RHL 7.3 with 2.4.20-28.7 for the kernel
    with Apache/1.3.27. When I run dmesg, I get the following messages:
    TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window
    4255495905:4255495906. Repaired.
    TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window
    4255495905:4255495906. Repaired.
    TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window
    3332120819:3332120820. Repaired.
    TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window
    3332120819:3332120820. Repaired.
    There were more. Mainly from these two addresses, but there were
    others. Also some of them were for port 443 (yes, I know...https) instead
    of 80.
    In the httpd logs I find that the 217 IP listed above is using Mozilla/4.0
    (compatible; MSIE 6.0; Windows NT 5.1)
    The 213 IP shows Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    So I don't really think it is a specific browser problem like some of the
    info I found on the web said.

    The /var/log/httpd/ssl_engine_log only shows one entry for:
    /Feb/2004 07:25:59 11018] [error] SSL handshake timed out (client
    217.26.84.76, server www.mysite.org:443)

    I have been googling around on the web and find a lot of info about it, but
    nothing that I understand unless we are getting a DOS attack against
    us. The closest thing that sounded like something that I could halfway
    understand was:
    "when a client attempts to resize the packet window after the connection
    has been established. It's either a buggy client (buggy web browser or
    something) or someone is trying to do a silly DOS attack by having the
    linux kernel consume all its TCP buffer and so new connections will lag."
    I don't quite understand the resizing of the packet window. But I do
    understand a DOS attack. Anyway, by the looks of it everybody who had this
    problem (that I found googling) was running an older operating system like
    RHL 7.3. Only one instance did I find that someone was getting these
    messages on a newer OS than 7.3. That was on RHL 8. So, would it be
    logical to assume that if I upgrade the OS to, let's say RHEL 4, that I
    probably wouldn't get these messages anymore? Was it a bug or security
    hole that was fixed? Is it in Apache? Or would it be something else?

    Thanks
    Steve
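
    An added example, not part of the original post: one way to triage these dmesg messages is to group them by peer and by server port, so that a couple of misbehaving clients can be told apart from many sources at once. The field names are assumptions, and the number after the slash is read as the server's port, as the post reads it (80 or 443).

```python
import re
from collections import Counter

# Constructed sample: the four dmesg messages quoted in the post, wrapped
# across two lines as they appear there, plus one made-up port-443 entry.
SAMPLE = """\
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window
4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window
4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window
3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window
3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:18001/443 shrinks window
1000:1001. Repaired.
"""

# \s+ between tokens lets the pattern match a message that was wrapped.
PATTERN = re.compile(
    r"Treason\s+uncloaked!\s+Peer\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/(\d+)"
    r"\s+shrinks\s+window\s+(\d+):(\d+)"
)

def parse_treason(text):
    """Return one dict per message found in dmesg or syslog text."""
    return [
        {"peer": m[1], "peer_port": int(m[2]), "local_port": int(m[3]),
         "window": (int(m[4]), int(m[5]))}  # the two numbers as printed
        for m in PATTERN.finditer(text)
    ]

def summarize(events):
    """Count messages per peer and per local port, and connections per peer."""
    per_peer = Counter(e["peer"] for e in events)
    per_port = Counter(e["local_port"] for e in events)
    conns = {}
    for e in events:
        conns.setdefault(e["peer"], set()).add((e["peer_port"], e["local_port"]))
    return per_peer, per_port, {p: len(c) for p, c in conns.items()}

if __name__ == "__main__":
    per_peer, per_port, conns = summarize(parse_treason(SAMPLE))
    for peer, n in per_peer.most_common():
        print(f"{peer}: {n} messages over {conns[peer]} connection(s)")
    print("by local port:", dict(per_port))
```

    Feeding it the full output of dmesg instead of SAMPLE gives the same per-peer and per-port counts for a live host.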

    
