
Re: Attack or problem?



CAMTP guest, 2002-Sep-21 11:51 +0200:
> My www/ftp server has an uptime of 380 days and is still running 
> potato and 2.4.9 kernel. I have noticed the following in today's
> kernel.logs:
> 
> ...
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 65.96.240.162:29372 to X.Y.Z.W:33481 ulen 20
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 65.96.240.162:29372 to X.Y.Z.W:33463 ulen 20
> Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer 66.28.13.251:3700/80 shrinks window 1554281757:1554289905. Repaired.
> ...
> Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer 66.28.13.251:3700/80 shrinks window 1555215717:1555220969. Repaired.
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 208.59.175.234:33118 to X.Y.Z.W:33547 ulen 20
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 208.59.175.234:33118 to X.Y.Z.W:33532 ulen 20
> ...
> 
> Is this a kernel problem, hardware or an attack attempt?
> 
> -Igor Mozetic

I found an explanation here:

http://online.securityfocus.com/archive/91/201479/2001-07-28/2001-08-03/0

Basically, TCP window shrinking is no longer in the current TCP spec.
So the source is an old TCP stack or some application doing this on
purpose for whatever reason.

jc

--
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
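
A small triage script for the log lines quoted above, added here as an example and not part of either poster's message: it groups the two message types by remote address so it is clear which peers produce them. Reading `Peer a.b.c.d:P/Q` as peer port / local port, and the two numbers after `shrinks window` as sequence numbers, is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from the kernel log quoted above (destination already redacted there).
SAMPLE_LOG = """\
Sep 21 09:15:54 host kernel: UDP: bad checksum. From 65.96.240.162:29372 to X.Y.Z.W:33481 ulen 20
Sep 21 09:15:54 host kernel: UDP: bad checksum. From 65.96.240.162:29372 to X.Y.Z.W:33463 ulen 20
Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer 66.28.13.251:3700/80 shrinks window 1554281757:1554289905. Repaired.
Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer 66.28.13.251:3700/80 shrinks window 1555215717:1555220969. Repaired.
Sep 21 09:15:54 host kernel: UDP: bad checksum. From 208.59.175.234:33118 to X.Y.Z.W:33547 ulen 20
Sep 21 09:15:54 host kernel: UDP: bad checksum. From 208.59.175.234:33118 to X.Y.Z.W:33532 ulen 20
"""

UDP_RE = re.compile(
    r"UDP: bad checksum\. From (?P<src>[\d.]+):\d+ to \S+:(?P<dport>\d+) ulen \d+")
TCP_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<peer>[\d.]+):\d+/(?P<lport>\d+) "
    r"shrinks window (?P<lo>\d+):(?P<hi>\d+)\.")


def summarize(text):
    """Group both message types by remote address."""
    udp = defaultdict(lambda: {"count": 0, "dports": set()})
    tcp = defaultdict(lambda: {"count": 0, "local_ports": set(), "max_span": 0})
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if m:
            entry = udp[m["src"]]
            entry["count"] += 1
            entry["dports"].add(int(m["dport"]))
            continue
        m = TCP_RE.search(line)
        if m:
            entry = tcp[m["peer"]]
            entry["count"] += 1
            entry["local_ports"].add(int(m["lport"]))
            # Difference of the two logged numbers, modulo 2**32 (sequence space wraps).
            span = (int(m["hi"]) - int(m["lo"])) % 2**32
            entry["max_span"] = max(entry["max_span"], span)
    return dict(udp), dict(tcp)


if __name__ == "__main__":
    udp, tcp = summarize(SAMPLE_LOG)
    for src, e in udp.items():
        print(f"UDP bad checksum from {src}: {e['count']} lines, dst ports {sorted(e['dports'])}")
    for peer, e in tcp.items():
        print(f"window shrink by {peer}: {e['count']} lines, local ports {sorted(e['local_ports'])}")
```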


