* TCP: Treason uncloaked DoS ??
@ 2002-04-19 15:15 Tim Kay
0 siblings, 0 replies; 10+ messages in thread
From: Tim Kay @ 2002-04-19 15:15 UTC (permalink / raw)
To: linux-kernel
[posted here because the message itself apparently only appears with debug
stuff on.]
Please forgive my ignorance but our cluster of load balanced web servers
suddenly produced a run of:
TCP: Treason uncloaked! Peer XXX.XXX.XXX.XXX:4968/6666 shrinks window
2154146057:2154152518. Repaired.
lines in our error logs. I have tracked this down to timer.c and I can see
sort of what's going on [ please correct me if I'm wrong but I think a
client is saying 'send me something - ah but not at the moment because I'm
not ready to receive - but don't close the connection']. Question is are
multiple instances of this from multiple IPs a DoS possibility. I assume
that the connections are kept open if the client connecting doesn't actually
go away so surely lots of these occurring at once would overload a server. I
have googled this and an occasional instance seems normal and could be down
to a broken client, but lots from different IP addr's at once??
I'm a bit concerned that maybe someone is warming up for a hit or something.
Thanks
Tim
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: TCP: Treason uncloaked DoS ??
[not found] <200204191512.g3JFCvl18558@mail.advfn.com.suse.lists.linux.kernel>
@ 2002-04-19 16:17 ` Andi Kleen
2002-04-19 19:58 ` Yven Leist
0 siblings, 1 reply; 10+ messages in thread
From: Andi Kleen @ 2002-04-19 16:17 UTC (permalink / raw)
To: Tim Kay; +Cc: linux-kernel
Tim Kay <timk@advfn.com> writes:
> that the connections are kept open if the client connecting doesn't actually
> go away so surely lots of these occurring at once would overload a server. I
> have googled this and an occasional instance seems normal and could be down
> to a broken client, but lots from different IP addr's at once??
It is a TCP bug of the other side.
You can safely comment out the printk. It would be interesting however
to find out what the other side is running and yell at the vendor.
> I'm a bit concerned that maybe someone is warming up for a hit or something.
More likely someone released a new buggy TCP stack to the world.
-Andi
* Re: TCP: Treason uncloaked DoS ??
2002-04-19 16:17 ` Andi Kleen
@ 2002-04-19 19:58 ` Yven Leist
0 siblings, 0 replies; 10+ messages in thread
From: Yven Leist @ 2002-04-19 19:58 UTC (permalink / raw)
To: Andi Kleen; +Cc: linux-kernel
On Friday 19 April 2002 18:17, Andi Kleen wrote:
> Tim Kay <timk@advfn.com> writes:
> > that the connections are kept open if the client connecting doesn't
> > actually go away so surely lots of these occurring at once would overload
> > a server. I have googled this and an occasional instance seems normal and
> > could be down to a broken client, but lots from different IP addr's at
> > once??
>
> It is a TCP bug of the other side.
that's strange, I encountered exactly the same message in my syslog while
doing backups between two Linux machines, it was somewhere around 2.4.15 I
think.
> You can safely comment out the printk. It would be interesting however
> to find out what the other side is running and yell at the vendor.
>
> > I'm a bit concerned that maybe someone is warming up for a hit or
> > something.
>
> More likely someone released a new buggy TCP stack to the world.
Is it possible that there are other things which can cause this?
Or does it really mean that Linux has a buggy TCP stack!?
I simply cannot believe this ;-)
cheers,
Yven
--
Yven Johannes Leist - leist@beldesign.de
http://www.leist.beldesign.de
* Re: TCP: Treason uncloaked DoS ??
@ 2004-02-18 10:27 Klaus Ethgen
2004-02-18 10:55 ` Chris Wedgwood
0 siblings, 1 reply; 10+ messages in thread
From: Klaus Ethgen @ 2004-02-18 10:27 UTC (permalink / raw)
To: Andi Kleen; +Cc: linux-kernel
Hi,
I hope I can post to the kernel mailing list if I am not subscribed...
The subject is very long done. But I have not found useful answers to
this strange kernel log message.
You wrote:
> It is a TCP bug of the other side.
>
> You can safely comment out the printk. It would be interesting however
> to find out what the other side is running and yell at the vendor.
>
> ...
>
> More likely someone released a new buggy TCP stack to the world.
Well I have the same every night when my backup on the local host is
running. Many of the "kernel: TCP: Treason uncloaked! Peer
192.168.17.2:2988/33016 shrinks window 3035402428:3035418812. Repaired."
But 192.168.17.2 is the same host! So the buggy TCP stack seems to be in
linux kernel.
By the way, I run 2.4.24.
For answers please address me directly as I'm not subscribed to the list.
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
* Re: TCP: Treason uncloaked DoS ??
2004-02-18 10:27 TCP: Treason uncloaked DoS ?? Klaus Ethgen
@ 2004-02-18 10:55 ` Chris Wedgwood
2004-02-18 12:41 ` [KERNEL] " Klaus Ethgen
2004-02-18 14:32 ` Zan Lynx
0 siblings, 2 replies; 10+ messages in thread
From: Chris Wedgwood @ 2004-02-18 10:55 UTC (permalink / raw)
To: Klaus Ethgen; +Cc: Andi Kleen, linux-kernel
On Wed, Feb 18, 2004 at 11:27:25AM +0100, Klaus Ethgen wrote:
> Well I have the same every night when my backup on the local host is
> running. Many of the "kernel: TCP: Treason uncloaked! Peer
> 192.168.17.2:2988/33016 shrinks window 3035402428:3035418812. Repaired."
> But 192.168.17.2 is the same host! So the buggy TCP stack seems to
> be in linux kernel.
My guess is there is a PacketShaper in between mangling things.
--cw
* Re: [KERNEL] Re: TCP: Treason uncloaked DoS ??
2004-02-18 10:55 ` Chris Wedgwood
@ 2004-02-18 12:41 ` Klaus Ethgen
2004-02-18 12:48 ` Chris Wedgwood
2004-02-18 14:32 ` Zan Lynx
1 sibling, 1 reply; 10+ messages in thread
From: Klaus Ethgen @ 2004-02-18 12:41 UTC (permalink / raw)
To: Chris Wedgwood; +Cc: Andi Kleen, linux-kernel
Hi,
On Wed, 18 Feb 2004 at 11:55 you wrote:
> > But 192.168.17.2 is the same host! So the buggy TCP stack seems to
> > be in linux kernel.
>
> My guess is there is a PacketShaper in between mangling things.
Well, not on this interface. Only on my other.
But maybe there is some "interference" between the tc on eth0 and the
eth1...
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
* Re: [KERNEL] Re: TCP: Treason uncloaked DoS ??
2004-02-18 12:41 ` [KERNEL] " Klaus Ethgen
@ 2004-02-18 12:48 ` Chris Wedgwood
2004-02-18 12:57 ` [KERNEL] " Klaus Ethgen
0 siblings, 1 reply; 10+ messages in thread
From: Chris Wedgwood @ 2004-02-18 12:48 UTC (permalink / raw)
To: Klaus Ethgen; +Cc: Andi Kleen, linux-kernel
On Wed, Feb 18, 2004 at 01:41:41PM +0100, Klaus Ethgen wrote:
> Well, not on this interface. only on my other.
So you have a packetshaper then? By this I mean a PacketShaper from
packeteer (http://packeteer.com/prod-sol/products/packetshaper.cfm).
> But maybe there is some "interference" between the tc on eth0 and
> the eth1...
I can't see how, but I don't know your setup and/or config. to
determine what the packet path is.
If there is a PacketShaper near the machine, I'm going to suggest
taking that away and see if this message goes away. If it's upstream
of course you can't do this.
--cw
* Re: [KERNEL] Re: [KERNEL] Re: TCP: Treason uncloaked DoS ??
2004-02-18 12:48 ` Chris Wedgwood
@ 2004-02-18 12:57 ` Klaus Ethgen
2004-02-18 13:02 ` Chris Wedgwood
0 siblings, 1 reply; 10+ messages in thread
From: Klaus Ethgen @ 2004-02-18 12:57 UTC (permalink / raw)
To: Chris Wedgwood; +Cc: Andi Kleen, linux-kernel
Hello,
On Wed, 18 Feb 2004 at 13:48 you wrote:
> So you have a packetshaper then? By this I mean a PacketShaper from
> packeteer (http://packeteer.com/prod-sol/products/packetshaper.cfm).
No, only the kernel's own htb shaper. And it is on the other interface.
> I can't see how, but I don't know your setup and/or config. to
Me too. But this exactly is my problem.
> If there is a PacketShaper near the machine, I'm going to suggest
> taking that away and see if this message goes away. If it's upstream
> of course you can't do this.
After this tip that it could be to do with the TC on the other interface
I will try this out this night.
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
* Re: [KERNEL] Re: [KERNEL] Re: TCP: Treason uncloaked DoS ??
2004-02-18 12:57 ` [KERNEL] " Klaus Ethgen
@ 2004-02-18 13:02 ` Chris Wedgwood
0 siblings, 0 replies; 10+ messages in thread
From: Chris Wedgwood @ 2004-02-18 13:02 UTC (permalink / raw)
To: Klaus Ethgen; +Cc: Andi Kleen, linux-kernel
On Wed, Feb 18, 2004 at 01:57:31PM +0100, Klaus Ethgen wrote:
> After this tip that it could be to do with the TC on the other
> interface I will try this out this night.
Last I checked the TC doesn't mess with the window size... has this
changed?
* Re: TCP: Treason uncloaked DoS ??
2004-02-18 10:55 ` Chris Wedgwood
2004-02-18 12:41 ` [KERNEL] " Klaus Ethgen
@ 2004-02-18 14:32 ` Zan Lynx
1 sibling, 0 replies; 10+ messages in thread
From: Zan Lynx @ 2004-02-18 14:32 UTC (permalink / raw)
To: Chris Wedgwood; +Cc: Klaus Ethgen, Andi Kleen, linux-kernel
On Wed, 2004-02-18 at 03:55, Chris Wedgwood wrote:
> On Wed, Feb 18, 2004 at 11:27:25AM +0100, Klaus Ethgen wrote:
>
> > Well I have the same every night when my backup on the local host is
> > running. Many of the "kernel: TCP: Treason uncloaked! Peer
> > 192.168.17.2:2988/33016 shrinks window 3035402428:3035418812. Repaired."
>
> > But 192.168.17.2 is the same host! So the buggy TCP stack seems to
> > be in linux kernel.
>
> My guess is there is a PacketShaper in between mangling things.
I have seen this same Treason uncloaked! error message between two of my
Linux systems recently, while running rsync backups between them. One
system is 2.4.21, the other 2.6.2. I was not using any shaping.
I was trying to figure it out, but I cannot reproduce it reliably, it
seems to just happen.
--
Zan Lynx <zlynx@acm.org>
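
Added example, not part of any message in this thread: a log-triage script for the question raised in the first post (an occasional broken peer versus many different addresses at once) and for the later observation that the reported peer can be the host itself. Only the message text and the two value sets quoted in the thread come from the page; the syslog prefix, host name `web1`, timestamps, documentation-range addresses, thresholds and field names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as quoted in the thread; the syslog prefix and the group names
# (peer port / local port / two 32-bit sequence values) are this example's assumptions.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: TCP: Treason uncloaked! "
    r"Peer (?P<peer>\d+\.\d+\.\d+\.\d+):(?P<pport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<seq_a>\d+):(?P<seq_b>\d+)\. Repaired\.$"
)

def parse(line, year=2004):
    """Return one event dict, or None for unrelated log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # Difference taken modulo 2**32 so a wrapped counter does not go negative.
    span = (int(m["seq_b"]) - int(m["seq_a"])) % 2**32
    return {"ts": ts, "peer": m["peer"],
            "ports": (int(m["pport"]), int(m["lport"])), "span": span}

def triage(lines, local_addrs=(), window=timedelta(minutes=5), many=3):
    """Count events per peer and find the widest multi-peer burst."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    per_peer = defaultdict(int)
    for e in events:
        per_peer[e["peer"]] += 1
    burst = 0  # most distinct peers seen within any one time window
    for i, start in enumerate(events):
        peers = {e["peer"] for e in events[i:] if e["ts"] - start["ts"] <= window}
        burst = max(burst, len(peers))
    return {"per_peer": dict(per_peer),
            "local_peers": sorted(p for p in per_peer if p in local_addrs),
            "max_distinct_peers_in_window": burst,
            "multi_source_burst": burst >= many}

# Constructed sample log (not real captures), reusing the values quoted in the thread.
SAMPLE = """\
Feb 18 03:10:01 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:4968/6666 shrinks window 2154146057:2154152518. Repaired.
Feb 18 03:10:40 web1 kernel: TCP: Treason uncloaked! Peer 198.51.100.7:1044/6666 shrinks window 100:1560. Repaired.
Feb 18 03:12:15 web1 kernel: TCP: Treason uncloaked! Peer 203.0.113.5:3321/6666 shrinks window 4294967000:200. Repaired.
Feb 18 03:40:00 web1 kernel: TCP: Treason uncloaked! Peer 192.168.17.2:2988/33016 shrinks window 3035402428:3035418812. Repaired.
Feb 18 03:40:02 web1 kernel: TCP: Treason uncloaked! Peer 192.168.17.2:2988/33016 shrinks window 3035402428:3035418812. Repaired.
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE, local_addrs={"192.168.17.2"}))
```

Peers listed under `local_peers` point at the host's own stack or something on the local path, while a high `max_distinct_peers_in_window` is the multi-source pattern the first post asks about.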