
Re: TCP: tcp_parse_options: Illegal window scaling value 15 > 14 received



Hi Michael,

> On Sep 7, 2022, at 5:49 AM, Michael Grant <mgrant@grant.org> wrote:
> 
> I'm seeing this error over and over in /var/log/messages:
> 
> Sep  6 05:02:42 hostname kernel: [408794.655182] TCP: tcp_parse_options: Illegal window scaling value 15 > 14 received
> Sep  6 05:02:43 hostname kernel: [408794.830639] TCP: tcp_parse_options: Illegal window scaling value 15 > 14 received
> Sep  6 05:02:43 hostname kernel: [408794.960811] TCP: tcp_parse_options: Illegal window scaling value 15 > 14 received
> Sep  6 05:02:43 hostname kernel: [408795.180464] TCP: tcp_parse_options: Illegal window scaling value 15 > 14 received
> 
> I've not been able to find much about these messages by searching,
> nothing useful is coming up.  Is anyone else seeing something like
> this?

This is consistent with RFC 7323, Section 2.3 [1], which states:

   "If a Window Scale option is received with a shift.cnt value larger
   than 14, the TCP SHOULD log the error but MUST use 14 instead of the
   specified value."

>  Is this some sort of attack?

I am not sure.  But the purpose of keeping the window scale below 15 is to "insure that new data is never mistakenly considered old and vice versa" [1].  In any case, it seems to me that 1) your kernel appears to be handling it properly (hence the logs) and 2) even if it weren't, it doesn't *seem* like a problem for the server as much as for the entity that wanted the data.  Just my $0.02.

Interestingly, I happen to have some software using different window scale values in its interactions with Internet servers.  I just yesterday discovered a bug which was occasionally allowing 15 to be used as a window scale value, and I have corrected that. I don't know if my software was responsible for the log messages that Michael observed, but I have reached out off-list to investigate.

Casey

[1] https://www.rfc-editor.org/rfc/rfc7323.html
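
The receiver-side rule quoted from RFC 7323 above, as an added example that is not part of the original message and is neither the kernel's tcp_parse_options code nor Casey's software: a bounds-checked walk over a SYN segment's option bytes that logs a shift.cnt above 14 and uses 14 instead. The names parse_wscale, wscale_result, syn_ok and syn_bad are hypothetical, and the option bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_WSCALE 3    /* Window Scale option: kind 3, length 3 */
#define WSCALE_MAX    14   /* largest legal shift.cnt, RFC 7323 Section 2.3 */

struct wscale_result {
    int present;       /* a well-formed Window Scale option was found */
    int illegal;       /* received value exceeded 14 and was clamped */
    uint8_t received;  /* shift.cnt as sent by the peer */
    uint8_t used;      /* shift.cnt the receiver applies */
};

/* Constructed option bytes of two SYN segments (not captured traffic):
 * MSS 1460, NOP, Window Scale; the second carries shift.cnt 15. */
const uint8_t syn_ok[]  = {2, 4, 0x05, 0xb4, 1, 3, 3, 7};
const uint8_t syn_bad[] = {2, 4, 0x05, 0xb4, 1, 3, 3, 15};

/* Walk the options area that follows the fixed 20-byte TCP header. */
struct wscale_result parse_wscale(const uint8_t *opt, size_t len)
{
    struct wscale_result r = {0, 0, 0, 0};
    size_t i = 0;

    while (i < len && opt[i] != TCPOPT_EOL) {
        if (opt[i] == TCPOPT_NOP) {      /* one-byte padding option */
            i++;
            continue;
        }
        if (len - i < 2)                 /* no room for the length byte */
            break;
        uint8_t olen = opt[i + 1];       /* covers kind + length + data */
        if (olen < 2 || olen > len - i)  /* malformed: stop, never overrun */
            break;
        if (opt[i] == TCPOPT_WSCALE && olen == 3) {
            r.present = 1;
            r.received = opt[i + 2];
            r.illegal = r.received > WSCALE_MAX;
            r.used = r.illegal ? WSCALE_MAX : r.received;
            if (r.illegal)               /* SHOULD log, MUST use 14 */
                fprintf(stderr, "illegal window scale %d > %d\n", r.received, WSCALE_MAX);
        }
        i += olen;
    }
    return r;
}
```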
