TCP: Treason uncloaked!

Discussion in 'General' started by vaio1, Nov 18, 2009.

  1. vaio1

    vaio1 ISPConfig Developer

    TCP: Treason uncloaked! DOS Attack?!?

    Hi guys, why do I get this message?

    Code:
    TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
    TCP: Treason uncloaked! Peer 202.162.56.156:32775/80 shrinks window 4288253267:4288254350. Repaired.
    TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
    
    I have read that it can be a DOS Attack!

    Is there a way to use the connlimit option or the iptables, the ipt_limit?
     
    Last edited: Nov 18, 2009
  2. vaio1

    vaio1 ISPConfig Developer

    What do these lines mean?

    Code:
    TCP: Treason uncloaked! Peer 195.166.224.253:3982/80 shrinks window 925469884:925469885. Repaired.
    TCP: Treason uncloaked! Peer 195.166.224.253:3982/80 shrinks window 925469884:925469885. Repaired.
    ip_tables: (C) 2000-2006 Netfilter Core Team
    Netfilter messages via NETLINK v0.30.
    ip_conntrack version 2.4 (8192 buckets, 65536 max) - 228 bytes per conntrack
    
    Thanks
     
  3. Mark_NL

    Mark_NL New Member

    These messages can mean a lot of things, actually.

    I did some research on the web about these since I have them on my webservers as well. They say it can be a lot of things: tarpit attacks, buggy TCP stacks, buggy NIC card drivers, spam bots, denial of service attacks, bandwidth shaper effects.

    But I'm thinking it has something to do with the TCP queue on the machine. So I'd say as long as it's not a high traffic server and your production environment is not bothered by it, ignore it. As I said before, we have 100s of these lines in our logfiles every week and our servers keep on running.

    Code:
    ip_tables: (C) 2000-2006 Netfilter Core Team
    Netfilter messages via NETLINK v0.30.
    ip_conntrack version 2.4 (8192 buckets, 65536 max) - 228 bytes per conntrack

    This just means iptables is loaded and is able to use connection tracking.
     
  4. vaio1

    vaio1 ISPConfig Developer

    Thanks Mark_NL.

    As you can see in the attached file, there is not much traffic on this server.
     
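For triaging these messages by volume, as discussed in the thread, the following added example (not code from any poster) parses the kernel lines quoted above and summarizes them per peer, so one noisy client can be told apart from many peers hitting the same service. It assumes the port pair is peer port/local port and that the two numbers are 32-bit TCP sequence numbers; the function names and the `review_at` threshold are hypothetical.

```python
import re

# Constructed sample: the kernel lines quoted in this thread, plus one
# unrelated line that the parser must skip.
SAMPLE_LOG = """\
TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:32775/80 shrinks window 4288253267:4288254350. Repaired.
TCP: Treason uncloaked! Peer 202.162.56.156:32774/80 shrinks window 4292658673:4292661409. Repaired.
TCP: Treason uncloaked! Peer 195.166.224.253:3982/80 shrinks window 925469884:925469885. Repaired.
TCP: Treason uncloaked! Peer 195.166.224.253:3982/80 shrinks window 925469884:925469885. Repaired.
ip_tables: (C) 2000-2006 Netfilter Core Team
"""

LINE_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r":(?P<pport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<lo>\d+):(?P<hi>\d+)\. Repaired\."
)

def parse(log_text):
    """Return one dict per 'Treason uncloaked' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates syslog prefixes
        if not m:
            continue
        # Assumption: both values are 32-bit sequence numbers, so the
        # distance between them is taken modulo 2**32 to survive wraparound.
        span = (int(m["hi"]) - int(m["lo"])) % 2**32
        events.append({"peer": m["ip"], "peer_port": int(m["pport"]),
                       "local_port": int(m["lport"]), "span": span})
    return events

def summarize(events, review_at=20):
    """Aggregate per peer; review_at is a hypothetical triage threshold."""
    peers = {}
    for e in events:
        p = peers.setdefault(e["peer"], {"events": 0, "conns": set(), "max_span": 0})
        p["events"] += 1
        p["conns"].add((e["peer_port"], e["local_port"]))
        p["max_span"] = max(p["max_span"], e["span"])
    rows = [{"peer": ip, "events": p["events"], "connections": len(p["conns"]),
             "max_span": p["max_span"], "review": len(p["conns"]) >= review_at}
            for ip, p in peers.items()]
    return sorted(rows, key=lambda r: r["events"], reverse=True)

if __name__ == "__main__":
    for row in summarize(parse(SAMPLE_LOG)):
        print(row)
```

A peer that repeats the message on one or two connections, as in the sample, points at a single misbehaving client or middlebox rather than a broad flood.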
