Message-Id: <200204191512.g3JFCvl18558@mail.advfn.com>
Content-Type: text/plain; charset=US-ASCII
From: Tim Kay <timk@advfn.com>
Reply-To: timk@advfn.com
Organization: Advfn.com
To: linux-kernel@vger.kernel.org
Subject: TCP: Treason uncloaked DoS ??
Date: Fri, 19 Apr 2002 16:15:22 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Sender: linux-kernel-owner@vger.kernel.org

[posted here because the message itself apparantly only appears with debug 
stuff on.]

Please forgive my igonorance but our cluster of load balanced web servers 
suddenly produced a run of:

TCP: Treason uncloaked! Peer XXX.XXX.XXX.XXX:4968/6666 shrinks window 
2154146057:2154152518. Repaired.

lines in our error logs. I have tracked this down to timer.c and I can see 
sort of what's going on [ please correct me if I'm wrong but I think  a 
client is saying 'send me something - ah but not at the moment because I'm 
not ready to receive - but don't close the connection']. Question is are 
multiple instances of this from multiple IPs a DoS possiblility. I assume 
that the connections are kept open if the client connecting doesn't actually 
go away so surely lots of these ocurring at once would overload a server. I 
have googled this and an occasional instance seems normal and could be down 
to a broken client, but lots from different IP addr's at once??

I'm a bit concerned that maybe someone is warming up for a hit or something.

Thanks

Tim

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/