LinuxQuestions.org


basbosco 12-22-2003 01:05 AM

TCP: Treason uncloaked!
 
Hi

I am having a problem with my Linux server.

While executing dmesg on the server I am getting errors like this.
Kindly help me to rectify the problem.

Because of this I am not able to work constantly.

Error:

TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:32775/80 shrinks window 4288253267:4288254350. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:32775/80 shrinks window 4288253267:4288254350. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:1725/110 shrinks window 2252179539:2252179580. Repaired.
TCP: Treason uncloaked! Peer 202.131.115.150:63802/80 shrinks window 3519941420:3519941680. Repaired.
TCP: Treason uncloaked! Peer 202.13


Regards
Basbosco

chort 12-22-2003 02:14 AM

Hmmm, actually searching Google gave an answer to this in the very first result. You haven't looked very hard, have you?

In any case, the short answer is that it looks like someone is spoofing an IP, feigning a connection to your http and pop3 servers, then setting their window size to 0 so your daemon sits there trying to send them the data over and over (for instance, they may start a connection and immediately set their window to 0, so you cannot send back the http or pop3 connection banner message). Interestingly enough, this IP address is from unallocated space and the exact same IP shows up in other posts about the same message. I suspect it's a DoS tool that is in circulation, or the same attacker (since the IP is often the same).

You'd best set iptables to block all packets from BOGON networks (nets that shouldn't exist) so you can avoid this type of attack. You may find a list of bogon nets here. Note: unallocated nets change from time to time! Just in November IANA allocated two more blocks to RIPE, so you really need to pay attention if you're blocking all bogon IPs.
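
Added example, not part of the original thread or of any poster's message: Python that parses "Treason uncloaked" lines like the ones quoted above, groups them per peer, and marks peers that fall inside prefixes the operator treats as bogon. The prefix list (RFC 5737 documentation ranges), the 198.51.100.7 log line and all function names are constructed for illustration; the two numbers after "shrinks window" are read as the kernel's snd_una:snd_nxt.

```python
import ipaddress
import re
from collections import defaultdict

# Peer <ip>:<peer port>/<local port> shrinks window <snd_una>:<snd_nxt>
LINE_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (\d+\.\d+\.\d+\.\d+):(\d+)/(\d+) "
    r"shrinks window (\d+):(\d+)\. Repaired\."
)

# Constructed sample: lines 1-3 and the truncated last line are from the post,
# line 4 is made up (documentation address, sequence numbers that wrap).
SAMPLE = """\
TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:32775/80 shrinks window 4288253267:4288254350. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:1725/110 shrinks window 2252179539:2252179580. Repaired.
TCP: Treason uncloaked! Peer 198.51.100.7:4001/80 shrinks window 4294967000:200. Repaired.
TCP: Treason uncloaked! Peer 202.13
"""

# Assumption: placeholder prefixes, NOT a current bogon list. Load a maintained one instead.
BOGON_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]

def parse(log_text):
    """Yield (peer_ip, local_port, unacked_bytes) for each complete log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:                      # truncated or unrelated line
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:             # e.g. an octet above 255
            continue
        una, nxt = int(m.group(4)), int(m.group(5))
        yield ip, int(m.group(3)), (nxt - una) % 2**32   # sequence space wraps at 2^32

def summarize(log_text, bogon_prefixes=BOGON_PREFIXES):
    """Per-peer event count, local ports hit, largest stuck send queue, bogon flag."""
    nets = [ipaddress.ip_network(p) for p in bogon_prefixes]
    peers = defaultdict(lambda: {"events": 0, "local_ports": set(), "max_unacked": 0})
    for ip, local_port, unacked in parse(log_text):
        s = peers[str(ip)]
        s["events"] += 1
        s["local_ports"].add(local_port)
        s["max_unacked"] = max(s["max_unacked"], unacked)
        s["bogon"] = any(ip in n for n in nets)
    return dict(peers)

if __name__ == "__main__":
    for peer, s in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["events"]):
        print(peer, s["events"], sorted(s["local_ports"]), s["max_unacked"], s["bogon"])
```

A peer that repeats across several local services, as 202.162.56.156 does on ports 80 and 110 here, is the pattern the post describes; the bogon flag is only as good as the prefix list supplied.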

fancypiper 08-22-2007 02:50 PM

This post contains no info

suso 03-04-2008 09:34 AM

Quote:

Originally Posted by chort (Post 663241)
Hmmm, actually searching Google gave an answer to this in the very first result. You haven't looked very hard, have you?

How ironic, now this thread is the first result on Google. Somehow that gives basbosco purpose to posting it. :confused:

Hangdog42 03-04-2008 11:24 AM

Quote:

Originally Posted by suso (Post 3077782)
How ironic, now this thread is the first result on Google. Somehow that gives basbosco purpose to posting it. :confused:


Please leave the dead in peace. This thread is older than most LQ members and there certainly was no reason to dig it up.


All times are GMT -5.