Hi Keith,
On Sun, Aug 22, 2010 at 08:02:59AM +0100, Keith Williams wrote:
> I have recently started receiving TCP Treason Uncloaked messages in my
> daily logwatch reports from my vps on Urquell. They appear to be linked to
> port 80.
> OK, I understand what the message is about, the other host has suddenly
> decided to reduce the size of the window during a transaction. Googling
> for reasons and causes suggests it is something between an out-and-out
> attack, a kernel or Apache bug, a hiccup in TCP and is therefore extremely
> serious/nothing to worry about and that I should ignore it/upgrade all
> software/run round pulling out all my hair.
I get it from time to time also (on many different VPSes and "real"
servers). I've never been able to establish why, but others usually
tell me it's harmless, or it could be a bug but it was worked
around, or it could be an attack but it didn't work. :)
I don't think it is anything to worry about but agree it is an
irritatingly vague/alarmist message.
Some more non-information:
http://magazine.redhat.com/2007/01/29/why-do-i-get-tcp-treason-uncloaked-me…
> The httpd section of the logwatch report tells me that there have been a
> number of attempts to use a known hack and it responded with a 501, but
> they were reported with an IPv4 address and the treason reports had an
> address that appeared to be IPv6 (though attempts to trace it failed).
Here's the last one I saw:
Aug 5 06:41:51 lon kernel: [32681823.385768] TCP: Treason uncloaked! Peer 0000:0000:0000:0000:0000:ffff:7281:b7e5:1427/80 shrinks window 767880262:767887562. Repaired.
Aug 5 06:43:38 lon kernel: [32681931.028492] TCP: Treason uncloaked! Peer 0000:0000:0000:0000:0000:ffff:7281:b7e5:1427/80 shrinks window 769585542:769589922. Repaired.
On my kernel this is being generated from something like:
http://lxr.linux.no/#linux+v2.6.26/net/ipv4/tcp_timer.c#L311
So I think "1427" is their port, "80" is my port, and
"0000:0000:0000:0000:0000:ffff:7281:b7e5" is an IPv6-mapped IPv4
address:
::ffff:7281:b7e5
= ::ffff:0x72.0x81.0xb7.0xe5
= ::ffff:114.129.183.229
I think. :)
It appears to be some satellite ISP in Australia.
> There aren't many incidents in a day, but I wondered what advice/comments
> users here might be able to give and, showing my ignorance here, could
> this be related in some way - I've no idea how - to the recent Urquell
> problems?
I can't see how. I've always seen it. Almost always with "busy" web
sites, or things like bittorrent.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
You dont have to be illiterate to use the Internet, but it help's.
-- Mike Bristow
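Added example (my own, not code from the thread or from the kernel): a small parser for the "Treason uncloaked" line quoted above that does the IPv4-mapped-address unwrapping Andy worked through by hand and tallies events per peer, so a logwatch reader can tell one noisy client from scattered noise. It assumes the 2.6.x tcp_timer.c format Andy links, where I read the two numbers after "shrinks window" as snd_una:snd_nxt; the third sample line is constructed, the first two are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# 2.6.x tcp_timer.c format: peer printed as NIPQUAD (IPv4 socket) or zero-padded
# NIP6 (IPv6 socket), then :<peer port>/<local port>, then snd_una:snd_nxt.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<peer>[0-9a-fA-F:.]+):(?P<peer_port>\d+)"
    r"/(?P<local_port>\d+) shrinks window (?P<una>\d+):(?P<nxt>\d+)\. Repaired\."
)

def normalise_peer(text: str) -> str:
    # Collapse the kernel's zero-padded IPv6 form and unwrap ::ffff:a.b.c.d.
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def parse_treason(line: str):
    m = TREASON_RE.search(line)
    if m is None:
        return None
    una, nxt = int(m["una"]), int(m["nxt"])
    return {
        "peer": normalise_peer(m["peer"]),
        "peer_port": int(m["peer_port"]),
        "local_port": int(m["local_port"]),
        "snd_una": una,
        "snd_nxt": nxt,
        # bytes sent but not yet acked when the peer's window went to zero
        "in_flight": (nxt - una) & 0xFFFFFFFF,
    }

def count_by_peer(lines) -> Counter:
    # Events per (peer, local port): one noisy client versus scattered noise.
    counts = Counter()
    for line in lines:
        ev = parse_treason(line)
        if ev is not None:
            counts[(ev["peer"], ev["local_port"])] += 1
    return counts

# Sample input: the two lines quoted in the thread plus one constructed IPv4-socket line.
SAMPLE = [
    "Aug 5 06:41:51 lon kernel: [32681823.385768] TCP: Treason uncloaked! Peer "
    "0000:0000:0000:0000:0000:ffff:7281:b7e5:1427/80 shrinks window 767880262:767887562. Repaired.",
    "Aug 5 06:43:38 lon kernel: [32681931.028492] TCP: Treason uncloaked! Peer "
    "0000:0000:0000:0000:0000:ffff:7281:b7e5:1427/80 shrinks window 769585542:769589922. Repaired.",
    "Aug 5 07:10:02 lon kernel: [32683515.000000] TCP: Treason uncloaked! Peer "
    "192.0.2.10:51234/443 shrinks window 1000:2460. Repaired.",
]
```

Feeding a day's kernel log through count_by_peer shows whether the handful of daily events all come from one peer (as the two quoted lines do) or are spread across many, which is the first thing to check before worrying about it.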