Treason uncloaked

This kind of error message has been popping up in some of the servers’ log files (mainly in the US):

 X Time(s): TCP: Treason uncloaked! Peer 195.166.XXX.YYY:18549/80 shrinks window 94463210:94463211. Repaired.

Doing any kind of search (or for that matter) doesn’t give much of a hint as to what that’s all about.

There’s a mix of opinions.

RedHat Magazine describes this as an “informative message. It is not a problem with the system.”, a view that is rightly chastised by the comments following it.

Other scenarios are provided, such as that it’s a low-level DoS attack (to simply keep sockets open that will use up resources).

This is backed up by the comment (hurray for comments!!) in the tcp_timer.c code in the ipv4 net code:

/* Receiver dastardly shrinks window. Our retransmits
 * become zero probes, but we should not timeout this
 * connection. If the socket is an orphan, time it out,
 * we cannot allow such beasts to hang infinitely.
 */

So, it’s highly likely that it’s a tar-pit somewhere that’s trying to eke out resources.

A blunt approach would be:

iptables -A INPUT -s 195.166.XXX.YYY -j DROP

That is quite a definite defense mechanism (should they not be spoofing, which they most probably are…) — in this case, they claim to be from Nicaragua…

Two alternative explanations present themselves:

  • a seriously old TCP receiver stack OR
  • a mobile device that purposefully starts off with small windows…

Not highly likely…

Will keep monitoring 🙂
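One way to do that monitoring, as an added example that is not part of the original post: tally the messages per peer before deciding whether a DROP rule is warranted. The sample lines, the threshold and the function names are constructed for illustration, and the peer field is validated as an IPv4 address because log text is untrusted input.

```python
import ipaddress
import re
from collections import Counter

# Matches the kernel message quoted above, with an optional logwatch-style
# "N Time(s):" prefix that carries a repeat count.
LINE_RE = re.compile(
    r"(?:(?P<times>\d+) Time\(s\): )?TCP: Treason uncloaked! "
    r"Peer (?P<ip>\S+?):(?P<pport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<a>\d+):(?P<b>\d+)\. Repaired\."
)

def count_peers(lines):
    """Return Counter {(peer_ip, local_port): occurrences}."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            # Accept only a well-formed IPv4 address; anything else is dropped.
            ip = ipaddress.IPv4Address(m["ip"])
        except ValueError:
            continue
        hits[(str(ip), int(m["lport"]))] += int(m["times"] or 1)
    return hits

def repeat_offenders(hits, threshold):
    """Peers whose total across all local ports reaches the (assumed) threshold."""
    per_ip = Counter()
    for (ip, _lport), n in hits.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample input (documentation address ranges, not real log data).
SAMPLE = [
    " 7 Time(s): TCP: Treason uncloaked! Peer 192.0.2.10:18549/80 shrinks window 94463210:94463211. Repaired.",
    "Mar  3 04:12:01 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:18550/443 shrinks window 1200:1201. Repaired.",
    "Mar  3 04:12:09 web1 kernel: TCP: Treason uncloaked! Peer 198.51.100.7:40112/80 shrinks window 500:501. Repaired.",
    "Mar  3 04:13:00 web1 kernel: TCP: Treason uncloaked! Peer 999.1.1.1;id:1/80 shrinks window 1:2. Repaired.",
]

if __name__ == "__main__":
    hits = count_peers(SAMPLE)
    for ip in repeat_offenders(hits, threshold=5):
        print(f"iptables -A INPUT -s {ip} -j DROP")
```

The last sample line carries a malformed peer field and is skipped, so it never reaches the generated rule.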
