2002-04-19 15:13:00

by Tim Kay

Subject: TCP: Treason uncloaked DoS ??

[posted here because the message itself apparently only appears with debug
stuff on.]

Please forgive my ignorance, but our cluster of load balanced web servers
suddenly produced a run of:

TCP: Treason uncloaked! Peer XXX.XXX.XXX.XXX:4968/6666 shrinks window
2154146057:2154152518. Repaired.

lines in our error logs. I have tracked this down to timer.c and I can see
sort of what's going on [ please correct me if I'm wrong but I think a
client is saying 'send me something - ah but not at the moment because I'm
not ready to receive - but don't close the connection']. Question is are
multiple instances of this from multiple IPs a DoS possibility. I assume
that the connections are kept open if the client connecting doesn't actually
go away so surely lots of these occurring at once would overload a server. I
have googled this and an occasional instance seems normal and could be down
to a broken client, but lots from different IP addr's at once??

I'm a bit concerned that maybe someone is warming up for a hit or something.

Thanks

Tim
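
The question above is really an aggregation one: is it one broken client repeating, or many addresses at once? Below is an added example (not part of Tim's post, and not kernel code) that parses the quoted kernel message out of a syslog file and answers exactly that. The syslog prefix (date, host, "kernel:"), the sample lines, the 60-second sliding window and the thresholds are all assumptions of the example; the message text is the one quoted in the thread.

```python
"""Aggregate 'TCP: Treason uncloaked!' kernel messages from a syslog file
to tell one misbehaving client from a burst across many peers."""
import re
from collections import Counter
from datetime import datetime, timedelta

# The syslog prefix (date, host, "kernel:") is an assumption about the
# logging setup; the message body is the one quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"TCP: Treason uncloaked! Peer (?P<peer>\d+\.\d+\.\d+\.\d+):(?P<pport>\d+)"
    r"/(?P<lport>\d+) shrinks window (?P<seq1>\d+):(?P<seq2>\d+)\. Repaired\.$"
)

# Constructed sample log: one client repeating every couple of minutes, then
# five different addresses inside twenty seconds, plus an unrelated line.
SAMPLE_LOG = """\
Apr 19 15:01:00 web1 kernel: TCP: Treason uncloaked! Peer 10.0.0.5:4968/80 shrinks window 2154146057:2154152518. Repaired.
Apr 19 15:03:10 web1 kernel: TCP: Treason uncloaked! Peer 10.0.0.5:4970/80 shrinks window 2154160001:2154161449. Repaired.
Apr 19 15:05:30 web1 kernel: TCP: Treason uncloaked! Peer 10.0.0.5:4971/80 shrinks window 2154170001:2154171449. Repaired.
Apr 19 15:10:00 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.11:3001/80 shrinks window 1000:2448. Repaired.
Apr 19 15:10:05 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.12:3002/80 shrinks window 1000:2448. Repaired.
Apr 19 15:10:09 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.13:3003/80 shrinks window 1000:2448. Repaired.
Apr 19 15:10:15 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.14:3004/80 shrinks window 1000:2448. Repaired.
Apr 19 15:10:20 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.15:3005/80 shrinks window 1000:2448. Repaired.
Apr 19 15:10:21 web1 kernel: eth0: link up
"""


def parse_line(line, year=2002):
    """Return a dict for a Treason-uncloaked line, or None for anything else.
    syslog carries no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    seq1, seq2 = int(m["seq1"]), int(m["seq2"])
    return {
        "ts": ts,
        "peer": m["peer"],
        "peer_port": int(m["pport"]),
        "local_port": int(m["lport"]),
        # The two numbers are TCP sequence numbers; treating their (mod 2^32)
        # difference as bytes still in flight is an assumption of this example.
        "in_flight": (seq2 - seq1) % (1 << 32),
    }


def analyze(text, window=timedelta(seconds=60), burst_peers=5, repeat_per_peer=3):
    """Classify a log excerpt as 'burst' (many distinct peers inside one
    window), 'noisy-peer' (one address repeating) or 'sporadic'."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    per_peer = Counter(e["peer"] for e in events)
    # Sliding window: for each event, count the distinct peers seen in the
    # preceding `window`. A high count means many addresses at once.
    max_distinct = 0
    for i, e in enumerate(events):
        start = e["ts"] - window
        peers = {x["peer"] for x in events[:i + 1] if x["ts"] >= start}
        max_distinct = max(max_distinct, len(peers))
    if max_distinct >= burst_peers:
        verdict = "burst"
    elif per_peer and max(per_peer.values()) >= repeat_per_peer:
        verdict = "noisy-peer"
    else:
        verdict = "sporadic"
    return {"parsed": len(events), "per_peer": dict(per_peer),
            "max_distinct_peers": max_distinct, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["verdict"], result["max_distinct_peers"], result["per_peer"])
```

Run it against the real file with `analyze(open("/var/log/messages").read())`. A "noisy-peer" verdict is the broken-client case; a "burst" verdict is the many-addresses case the post is worried about, and the per-peer table tells you which addresses to look at.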


2002-04-19 16:17:18

by Andi Kleen

Subject: Re: TCP: Treason uncloaked DoS ??

Tim Kay <[email protected]> writes:
> that the connections are kept open if the client connecting doesn't actually
> go away so surely lots of these occurring at once would overload a server. I
> have googled this and an occasional instance seems normal and could be down
> to a broken client, but lots from different IP addr's at once??

It is a TCP bug of the other side.

You can safely comment out the printk. It would be interesting however
to find out what the other side is running and yell at the vendor.

> I'm a bit concerned that maybe someone is warming up for a hit or something.

More likely someone released a new buggy TCP stack to the world.

-Andi

2002-04-19 19:58:53

by Yven Leist

Subject: Re: TCP: Treason uncloaked DoS ??

On Friday 19 April 2002 18:17, Andi Kleen wrote:
> Tim Kay <[email protected]> writes:
> > that the connections are kept open if the client connecting doesn't
> > actually go away so surely lots of these ocurring at once would overload
> > a server. I have googled this and an occasional instance seems normal and
> > could be down to a broken client, but lots from different IP addr's at
> > once??
>
> It is a TCP bug of the other side.

That's strange, I encountered exactly the same message in my syslog while
doing backups between two Linux machines, it was somewhere around 2.4.15 I
think.

> You can safely comment out the printk. It would be interesting however
> to find out what the other side is running and yell at the vendor.
>
> > I'm a bit concerned that maybe someone is warming up for a hit or
> > something.
>
> More likely someone released a new buggy TCP stack to the world.

Is it possible that there are other things which can cause this?
Or does it really mean that Linux has a buggy TCP stack!?
I simply cannot believe this ;-)
cheers,
Yven

--

Yven Johannes Leist - [email protected]
http://www.leist.beldesign.de