Treason uncloaked

I have a web server that goes down every once in a while. I have to manually restart. It is running RHL 7.3 with 2.4.20-28.7 for the kernel with Apache/1.3.27. When I run dmesg, I get the following messages:
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.
There were more. Mainly from these two addresses, but there were others. Also some of them were for port 443 (yes, I know...https) instead of 80.
In the httpd logs I find that the 217 IP listed above is using Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1).
The 213 IP shows Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
So I don't really think it is a specific browser problem like some of the info I found on the web said.


The /var/log/httpd/ssl_engine_log only shows one entry for:
/Feb/2004 07:25:59 11018] [error] SSL handshake timed out (client 217.26.84.76, server www.mysite.org:443)


I have been googling around on the web and find a lot of info about it, but nothing that I understand unless we are getting a DOS attack against us. The closest thing that sounded like something that I could halfway understand was:
"when a client attempts to resize the packet window after the connection has been established. It's either a buggy client (buggy web browser or something) or someone is trying to do a silly DOS attack by having the linux kernel consume all its TCP buffer and so new connections will lag. "
I don't quite understand the resizing of the packet window. But I do understand a DOS attack. Anyway, by the looks of it everybody who had this problem (that I found googling) was running an older operating system like RHL 7.3. Only in one instance did I find that someone was getting these messages on a newer OS than 7.3. That was on RHL 8. So, would it be logical to assume that if I upgrade the OS to, let's say RHEL 4, that I probably wouldn't get these messages anymore? Was it a bug or security hole that was fixed? Is it in Apache? Or would it be something else?


Thanks
Steve
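
An added example, not part of the original post: a small Python parser that tallies these kernel messages per peer and local port, so an admin can see whether a few clients account for most of them. The function names are hypothetical, the 192.0.2.10 line is constructed, and reading the second port as the server's local port and the two window values as 32-bit counters are assumptions.

```python
import re
from collections import Counter

# Matches the kernel message quoted in the post:
#   TCP: Treason uncloaked! Peer A.B.C.D:port/port shrinks window X:Y. Repaired.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):"
    r"(?P<rport>\d+)/(?P<lport>\d+) shrinks window (?P<lo>\d+):(?P<hi>\d+)\."
)

def parse_line(line):
    """Return a dict for one message, or None if the line is something else."""
    m = TREASON_RE.search(line)
    if not m:
        return None
    lo, hi = int(m["lo"]), int(m["hi"])
    return {
        "ip": m["ip"],
        "remote_port": int(m["rport"]),
        # Assumption: the number after "/" is the local (server) port,
        # which matches the 80 and 443 values described in the post.
        "local_port": int(m["lport"]),
        # Assumption: the values are 32-bit counters, so subtract modulo 2**32.
        "span": (hi - lo) % 2**32,
    }

def summarize(lines):
    """Count messages per (peer IP, local port); unrelated lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["ip"], rec["local_port"])] += 1
    return counts

def noisy_peers(lines, threshold):
    """Peers with at least `threshold` messages, most frequent first."""
    return [(k, n) for k, n in summarize(lines).most_common() if n >= threshold]

# First four lines are from the post; the last two are constructed.
SAMPLE = [
    "TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.",
    "TCP: Treason uncloaked! Peer 213.181.83.194:3736/80 shrinks window 4255495905:4255495906. Repaired.",
    "TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.",
    "TCP: Treason uncloaked! Peer 217.26.84.76:17932/80 shrinks window 3332120819:3332120820. Repaired.",
    "TCP: Treason uncloaked! Peer 192.0.2.10:40000/443 shrinks window 4294967295:0. Repaired.",
    "eth0: link up (constructed unrelated line)",
]

if __name__ == "__main__":
    for (ip, port), n in noisy_peers(SAMPLE, 2):
        print(f"{ip} -> local port {port}: {n} messages")
```

Feeding it the output of dmesg (one line per list element) gives the same per-peer counts for a live system.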