
Re: [suse-security] Strange log entries



I understand the Treason uncloaked now. But why would klogd reload at that point in time? The more I look into this, that bothers me more than anything right now.

Treason uncloaked has to do with changing the TCP window size that was legal in previous RFCs and is not frowned upon or illegal in a sense. Just strange that in 5+ years running public web servers, this is the first time I have seen this error message.

But why did klogd reload at that point in time???

Lyle



Fred Morris wrote:

I'm going to speak out of turn based on some knowledge of TCP, and without
looking at the source to determine what actually triggers the messages (you
could, perhaps should, do that).


Both peers in a TCP connection advertise a window size to the other peer,
which is the buffer available to the other end. This does float up and down
as the sender sends data and the receiver pulls it out of the buffer.
(There is some interesting stuff in the RFCs about zero windows and silly
windows, if you care to read.)

A peer is not required to immediately advertise a larger size window.
However, the one thing a peer is never supposed to do is to advertise a
certain window size and then subsequently advertise a window size which is
less than ((previously advertised size) - (data received)).

(There is also some disparagement of the use of RST to refuse a connection,
FWIW. If you've played much with printers and such you know what I'm
talking about.)

I don't recall the use of "treason" in the RFCs in this context, although
there is an amusing suggestion in one of the RFCs for DNS about shooting
people...


At 9:38 AM 10/6/05, Lyle Giese wrote:
I have a machine running SuSE v8.2 pro running Apache v2.0.54 (installed
from Apache source) and found this in the logs this morning:
Oct 5 19:38:43 linux2 kernel: TCP: Treason uncloaked! Peer
211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.
[...]

--

Fred Morris
http://www.inwa.net/~m3047/contact.html
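
The window rule described in the quoted reply above, as an added example that is not part of the original thread and is not the kernel's own code: a peer's right window edge (acknowledgment number plus advertised window) must never move backwards. The function names and the sample segments are constructed for illustration, and the window values are assumed to be in bytes with any window scaling already applied.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_lt(a, b):
    """True if sequence number a comes before b in 32-bit modular space."""
    return ((a - b) % MOD) >= (MOD >> 1)


def find_shrinks(segments):
    """Scan (ack, window) pairs advertised by one peer, in arrival order.

    A peer may close its window only as fast as it acknowledges data, so
    ack + window must never move left. Returns a list of
    (index, previous_right_edge, new_right_edge, bytes_retracted).
    """
    shrinks = []
    prev_edge = None
    for i, (ack, win) in enumerate(segments):
        edge = (ack + win) % MOD
        if prev_edge is not None and seq_lt(edge, prev_edge):
            shrinks.append((i, prev_edge, edge, (prev_edge - edge) % MOD))
        prev_edge = edge
    return shrinks


# Constructed sample: one peer's advertisements, crossing the 2**32 wrap.
SEGMENTS = [
    (4294960000, 8192),  # initial advertisement, right edge wraps to 896
    (4294964096, 4096),  # 4096 bytes received, window closed by 4096: legal
    (4294964096, 8192),  # application drained the buffer, window reopens: legal
    (1000, 4096),        # ack wrapped past zero, right edge still advances: legal
    (1000, 0),           # no new data acknowledged, window withdrawn: shrink
]

if __name__ == "__main__":
    for idx, old, new, lost in find_shrinks(SEGMENTS):
        print(f"segment {idx}: right edge {old} -> {new}, {lost} bytes retracted")
```
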