This kind of error message has been popping up in some of the servers’ log files (mainly in the US):
X Time(s): TCP: Treason uncloaked! Peer 195.166.XXX.YYY:18549/80 shrinks window 94463210:94463211. Repaired.
Doing any kind of google.com search (or yahoo.com for that matter) doesn’t give much of a hint as to what that’s all about.
There’s a mix of opinions.
RedHat Magazine puts this down to an “informative message. It is not a problem with the system.”, a verdict which is rightly chastised in the comments following it.
Other scenarios are offered, such as that it’s a low-level DoS attack (simply keeping sockets open so that they use up resources).
This is backed up by the comment (hurray for comments!!) in the tcp_timer.c code in the ipv4 net code:
/* Receiver dastardly shrinks window. Our retransmits
* become zero probes, but we should not timeout this
* connection. If the socket is an orphan, time it out,
* we cannot allow such beasts to hang infinitely.
*/
So, it’s highly likely that it’s a tar-pit somewhere that’s trying to tie up resources.
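To triage these messages across a server’s logs rather than eyeballing them, here is an added Python example (not from this post or from the kernel) that parses the message format and groups events per peer. The field layout follows the printk in tcp_timer.c; the sample syslog lines, placeholder addresses and the “suspect” threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Layout of the kernel's debug message (net/ipv4/tcp_timer.c): peer addr:port / local port,
# then snd_una:snd_nxt of the stalled connection, i.e. sequence numbers, not window sizes.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<peer_ip>[\d.]+):(?P<peer_port>\d+)/(?P<local_port>\d+) "
    r"shrinks window (?P<snd_una>\d+):(?P<snd_nxt>\d+)\. Repaired\."
)

def parse_treason(line):
    """Return a dict of the message fields, or None if the line is not a Treason message."""
    m = TREASON_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for k in ("peer_port", "local_port", "snd_una", "snd_nxt"):
        d[k] = int(d[k])
    # Bytes still unacknowledged; a single byte means our retransmits have degraded
    # to zero-window probes, which is exactly the case the kernel comment describes.
    d["in_flight"] = (d["snd_nxt"] - d["snd_una"]) & 0xFFFFFFFF
    return d

def summarise(lines, threshold=3):
    """Group events by peer IP; peers with at least `threshold` events are flagged as suspect tar-pits."""
    per_peer = defaultdict(lambda: {"events": 0, "peer_ports": set(), "local_ports": set()})
    for line in lines:
        ev = parse_treason(line)
        if ev is None:
            continue
        entry = per_peer[ev["peer_ip"]]
        entry["events"] += 1
        entry["peer_ports"].add(ev["peer_port"])
        entry["local_ports"].add(ev["local_port"])
    return {ip: dict(e, suspect=e["events"] >= threshold) for ip, e in per_peer.items()}

# Constructed sample syslog lines (placeholder addresses from RFC 5737 ranges, not real peers).
SAMPLE_LOG = [
    "Jan 12 03:14:07 web01 kernel: TCP: Treason uncloaked! Peer 203.0.113.7:18549/80 shrinks window 94463210:94463211. Repaired.",
    "Jan 12 03:14:09 web01 kernel: TCP: Treason uncloaked! Peer 203.0.113.7:18550/80 shrinks window 94463212:94463213. Repaired.",
    "Jan 12 03:14:11 web01 kernel: TCP: Treason uncloaked! Peer 203.0.113.7:18551/80 shrinks window 94463214:94463215. Repaired.",
    "Jan 12 03:20:41 web01 kernel: TCP: Treason uncloaked! Peer 198.51.100.9:40022/443 shrinks window 1048000:1048001. Repaired.",
    "Jan 12 03:21:00 web01 sshd[1234]: Accepted publickey for deploy from 198.51.100.9 port 40023 ssh2",
]

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        flag = "SUSPECT" if info["suspect"] else "single event"
        print(ip, info["events"], "event(s) on local ports", sorted(info["local_ports"]), flag)
```

A peer opening many fresh source ports to the same service within seconds, each stalling at one byte in flight, is the pattern worth a closer look; a lone event is more likely a misbehaving stack.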
A blunt approach would be:
iptables -A INPUT -s 195.166.XXX.YYY -j DROP
quite a definite defense mechanism (should they not be spoofing, which they most probably are…); in this case, the address claims to be from Nicaragua…
Two alternative explanations present themselves:
- a seriously old TCP receiver stack OR
- a mobile device that purposefully starts off with small windows…
Not highly likely…
Will keep monitoring