Friday, March 26, 2010

TCP: Treason uncloaked! Peer shrinks window Repaired.

SkyHi @ Friday, March 26, 2010

This is not causing the webserver slowness, or any crashes. Nor is it a kernel bug! What happens is that a client tries to shrink the TCP window. This would not be catastrophic anyway, BUT your kernel ignores/prevents this, so it should have absolutely no effect. That's why it says "Repaired." at the end.

It could be a broken router or broken/old OS on a hacked machine that is used for portscanning. It's not an attack because it does nothing, even if the kernel didn't prevent this all it would do is slow down the speed at which the server sends out data on that particular connection. Slow send can cause more overall Apache processes, but if you only see this a couple of times it's probably not an attack. Anyways, in 2007 nobody should use the preforking Apache MPM.


May 11, 2007 - 12:27am

I think the problem is not the error recovery code is not there, but that is is not fast enough and robust enough to handle a lot of these "window shrinkages". "Repaired", but how quickly?

Normally I am the first to recommend all the latest code. That means Apache 2.2.4 and kernel (as of 20070511). I'd like to see if anyone gets these problems with that combination.

I know that instead, people set up so-called "Enterprise" web servers running old kernels and old 1.3.X Apache (their "management" feels much more supported and would forbid anything else). I agree that those who do that deserve to crash, and should contact their so-called "enterprise support" when they get a crash. However, Apache is userspace and there are people reporting hangs/crashes with kernel 2.6.21. We are all reassured now by you that the old Apache causing these problems, perhaps that's why telnet port 23 can also shrink the TCP window?

The only reason for agreeing with you is that major enterprises rely on Linux web servers and if they could all be brought down by "treason uncloaked" then they would be, and they would demand an immediate fix. So perhaps a web server listening only on ports 80 and 443 is immune. Or maybe one with the kernel built properly, without enabling every single feature as "Y" or "M"? (i.e. Redhat, Suse, etc. "Enterprise").

Any moron who has port 23 open for telnet on a web server does deserve to crash.

So shame on all of you who are running web servers with old, so-called "stable enterprise" code. "Mr. Anonymous" tells us that your server crash is either caused by running old "stable" code, or that your crash "doesn't matter". I just wonder if Mr. Anonymous lives in Rumania, in charge of the spambot/phishing/identity theft project ... Don't try to fix the "treason uncloaked" problem, he needs this vulnerability to feed his family.


The below script may work a little better... Note that you'll need a rule in your firewall script to create the TREASON rule set, and jump to it in the beginning, and make a cronjob to run the script so it's automagic.

Something like the following should be in your main firewall script:


iptables -F TREASON

iptables -X TREASON

iptables -N TREASON

... (your rest of the rules)

iptables -j TREASON # insert before state established and other lines


Then, the below script should be in a cronjob (run once every whatever interval you feel fit).



# Stupid shell script to stop stupid TCP Treason attacks

# Setup cronjob to stop them

# First, flush and clean Treason rules

iptables -F TREASON

#iptables -X TREASON

#iptables -N TREASON

for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | cut -d' ' -f5 | cut -d':' -f1 | sort --unique)



for DONTBLOCK in $(route -n | grep -v Destination | grep -v Kernel | awk '{print $2}' | sort | uniq && ifconfig -a | grep inet | cut -f 2 -d ':' | cut -f 1 -d ' ' | sort | uniq)


# echo "Checking $DONTBLOCK against $ATTACKER_IP ..."

if [ "$DONTBLOCK" = "$ATTACKER_IP" ]; then

# echo "UHOH! Hacker using forged local IP! Don't block it!"




if [ "$FOUNDIT" = "0" ]; then

# echo "Hacker IP $ATTACKER_IP not found in don't block list... Dropping"

iptables -A TREASON -s $ATTACKER_IP/32 -j DROP



iptables -A TREASON -j RETURN