Treason uncloaked
Plagued by these messages in your Linux server’s kernel log – kern.log? Finally tracked down a reasonable explanation this morning. Seems a bug was introduced in the kernel back in 2.6.8 and it causes, among other troubles, this error message:
Jan 17 12:30:13 iml kernel: TCP: Treason uncloaked! Peer 134.48.120.88:3832/80 shrinks window 3881756777:3881761622. Repaired.
Jan 21 12:43:14 iml kernel: TCP: Treason uncloaked! Peer 134.48.160.49:3589/80 shrinks window 3470163299:3470170199. Repaired.
Jan 21 12:43:16 iml kernel: TCP: Treason uncloaked! Peer 134.48.160.49:3589/80 shrinks window 3470163299:3470170199. Repaired.
Feb 21 10:55:31 iml kernel: TCP: Treason uncloaked! Peer 129.63.210.68:1698/80 shrinks window 689079013:689079178. Repaired.
Mar 6 12:15:52 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.40:1169/80 shrinks window 1137168861:1137173706. Repaired.
Mar 6 12:15:52 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.40:1169/80 shrinks window 1137168861:1137173706. Repaired.
Mar 6 16:42:13 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.162:1160/80 shrinks window 795072392:795074477. Repaired.
Mar 6 16:43:19 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.162:1160/80 shrinks window 795072392:795074477. Repaired.
Mar 6 16:44:24 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.162:1160/80 shrinks window 795072392:795074477. Repaired.
Have a look at this page:
http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-03/msg03750.html
These folks seem to have found that a bug in the kernel is causing these messages rather than an attacker. If that's the case, adding firewall rules to block those IPs will cut off users of our sites who probably aren't doing anything wrong.
Best,
Mike
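Before deciding whether any peer deserves a firewall rule, it helps to group these messages by peer and see how many distinct connections are actually involved. The script below is an added example, not part of the original post: it parses the message format shown above and summarizes it per IP. The function names, the constructed 192.0.2.10 line, and the reading of the two "shrinks window" numbers as a 32-bit sequence range are assumptions.

```python
import re
from collections import defaultdict

# Sample input: six lines copied from the post, plus one constructed line
# (192.0.2.10) whose sequence numbers wrap past 2**32.
SAMPLE = """\
Jan 17 12:30:13 iml kernel: TCP: Treason uncloaked! Peer 134.48.120.88:3832/80 shrinks window 3881756777:3881761622. Repaired.
Jan 21 12:43:14 iml kernel: TCP: Treason uncloaked! Peer 134.48.160.49:3589/80 shrinks window 3470163299:3470170199. Repaired.
Jan 21 12:43:16 iml kernel: TCP: Treason uncloaked! Peer 134.48.160.49:3589/80 shrinks window 3470163299:3470170199. Repaired.
Mar 6 16:42:13 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.162:1160/80 shrinks window 795072392:795074477. Repaired.
Mar 6 16:43:19 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.162:1160/80 shrinks window 795072392:795074477. Repaired.
Mar 6 16:44:24 iml kernel: TCP: Treason uncloaked! Peer 129.3.26.162:1160/80 shrinks window 795072392:795074477. Repaired.
Mar 7 09:00:00 iml kernel: TCP: Treason uncloaked! Peer 192.0.2.10:40000/80 shrinks window 4294967000:200. Repaired.
"""

# Peer <remote ip>:<remote port>/<local port> shrinks window <start>:<end>
# (start:end is read as a TCP sequence range; that reading is an assumption).
LINE_RE = re.compile(
    r"Treason uncloaked! Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)/(?P<lport>\d+)"
    r" shrinks window (?P<start>\d+):(?P<end>\d+)\."
)

def parse(text):
    """Yield one dict per matching kernel log line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {k: (v if k == "ip" else int(v)) for k, v in m.groupdict().items()}

def summarize(text):
    """Per peer IP: events logged, distinct connections, largest sequence span."""
    seen = defaultdict(lambda: {"events": 0, "conns": set(), "max_span": 0})
    for ev in parse(text):
        s = seen[ev["ip"]]
        s["events"] += 1
        # Same ports and same sequence numbers = one stalled connection retrying.
        s["conns"].add((ev["rport"], ev["lport"], ev["start"], ev["end"]))
        # TCP sequence numbers are 32-bit, so subtract modulo 2**32.
        s["max_span"] = max(s["max_span"], (ev["end"] - ev["start"]) % 2**32)
    return {ip: {"events": s["events"], "connections": len(s["conns"]),
                 "max_span": s["max_span"]} for ip, s in seen.items()}

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE).items()):
        print(ip, s)
```

A peer with several events but only one connection and identical sequence numbers, as with 129.3.26.162 here, is a single stalled connection being retried, not repeated attempts.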