[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Strange log entries



I'm going to speak out of turn based on some knowledge of TCP, and without
looking at the source to determine what actually triggers the messages (you
could, perhaps should, do that).


Both peers in a TCP connection advertise a window size to the other peer,
which is the buffer available to the other end. This does float up and down
as the sender sends data and the receiver pulls it out of the buffer.
(There is some interesting stuff in the RFCs about zero windows and silly
windows, if you care to read.)

A peer is not required to immediately advertise a larger size window.
However, the one thing a peer is never supposed to do is to advertize a
certain window size and then subsequently advertise a window size which is
less than ((previously advertised size) - (data received)).

(There is also some disparagement of the use of RST to refuse a connection,
FWIW. If you've played much with printers and such you know what I'm
talking about.)

I don't recall the use of "treason" in the RFCs in this context, although
there is an amusing suggestion in one of the RFCs for DNS about shooting
people...


At 9:38 AM 10/6/05, Lyle Giese wrote:
>I have a machine running SuSE v8.2 pro running Apache v2.0.54(installed
>from Apache source) and found this in the logs this morning:
>
>
>Oct 5 19:38:43 linux2 kernel: TCP: Treason uncloaked! Peer
>211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.
>[...]

--

Fred Morris
http://www.inwa.net/~m3047/contact.html



-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here