CAMTP guest, 2002-Sep-21 11:51 +0200:
> My www/ftp server has an uptime of 380 days and is still running
> potato and 2.4.9 kernel. I have noticed the following in today's
> kernel.logs:
>
> ...
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 65.96.240.162:29372 to
> X.Y.Z.W:33481 ulen 20
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 65.96.240.162:29372 to
> X.Y.Z.W:33463 ulen 20
> Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer
> 66.28.13.251:3700/80 shrinks window 1554281757:1554289905. Repaired.
> ...
> Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer
> 66.28.13.251:3700/80 shrinks window 1555215717:1555220969. Repaired.
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 208.59.175.234:33118 to
> X.Y.Z.W:33547 ulen 20
> Sep 21 09:15:54 host kernel: UDP: bad checksum. From 208.59.175.234:33118 to
> X.Y.Z.W:33532 ulen 20
> ...
>
> Is this a kernel problem, hardware or an attack attempt?
>
> -Igor Mozetic

I found an explanation here:
http://online.securityfocus.com/archive/91/201479/2001-07-28/2001-08-03/0

Basically, TCP window shrinking is no longer in the current TCP spec. So
the source is an old TCP stack or some application doing this on purpose
for whatever reason.

jc

--
Jeff Coppock
Systems Engineer
Diggin' Debian Admin and User
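
Added example, not part of either message above: a small triage script that groups the two kernel messages quoted in the thread by remote peer, so it is easy to see how many distinct sources are involved and which ports they touch. The sample log is constructed with documentation-range addresses, and reading "3700/80" as peer port/local port is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the message format quoted in the thread.
# Addresses are documentation-range placeholders, not those from the post.
SAMPLE_LOG = """\
Sep 21 09:15:54 host kernel: UDP: bad checksum. From 192.0.2.10:29372 to 198.51.100.5:33481 ulen 20
Sep 21 09:15:54 host kernel: UDP: bad checksum. From 192.0.2.10:29372 to 198.51.100.5:33463 ulen 20
Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer 203.0.113.7:3700/80 shrinks window 1554281757:1554289905. Repaired.
Sep 21 09:15:54 host kernel: TCP: Treason uncloaked! Peer 203.0.113.7:3700/80 shrinks window 1555215717:1555220969. Repaired.
Sep 21 09:15:55 host kernel: UDP: bad checksum. From 192.0.2.44:33118 to 198.51.100.5:33547 ulen 20
Sep 21 09:15:55 host sshd[411]: unrelated line that must be ignored
"""

UDP_RE = re.compile(
    r"kernel: UDP: bad checksum\. From (\d+(?:\.\d+){3}):(\d+) to (\S+):(\d+) ulen (\d+)")
TCP_RE = re.compile(
    r"kernel: TCP: Treason uncloaked! Peer (\d+(?:\.\d+){3}):(\d+)/(\d+) "
    r"shrinks window (\d+):(\d+)\. Repaired\.")


def summarize(log_text):
    """Group the two kernel messages by remote peer."""
    udp_by_src = Counter()
    udp_dst_ports = defaultdict(set)
    tcp_by_peer = Counter()
    other = 0
    for line in log_text.splitlines():
        m = UDP_RE.search(line)
        if m:
            src, dst_port = m.group(1), int(m.group(4))
            udp_by_src[src] += 1
            udp_dst_ports[src].add(dst_port)
            continue
        m = TCP_RE.search(line)
        if m:
            # Assumption: "3700/80" is peer port / local port.
            tcp_by_peer[(m.group(1), int(m.group(2)), int(m.group(3)))] += 1
            continue
        other += 1
    return {"udp_bad_checksum": dict(udp_by_src),
            "udp_dst_ports": {k: sorted(v) for k, v in udp_dst_ports.items()},
            "tcp_window_shrink": dict(tcp_by_peer),
            "other_lines": other}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```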

