Re: [gentoo-user] "Treason uncloaked!" solution?

2007-08-28 Thread Dan Farrell
On Fri, 24 Aug 2007 20:17:17 +0200
Hans-Werner Hilse <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> On Thu, 23 Aug 2007 12:55:06 -0500
> Dan Farrell <[EMAIL PROTECTED]> wrote:
> 
> > > It usually means that the other side of the TCP
> > > connection reduced the window to zero size, thus leading stupid
> > > TCP stacks to save information on a basically starved connection.
> > > The kernel just sends information to the log, so if you
> > > recognize the IP and are in charge of the sender, you'll know
> > > that it has a very broken TCP stack. Essentially: Just ignore
> > > it, if the sender IP doesn't belong to one of your own networks.
> > > 
> > I found a line in my Treason-related output that pointed to an
> > internal IP on a distcc port.  Should I be worried about this
> > computer?  It's running a brand new gentoo install and is solely
> > for the purpose of distcc.  
> 
> Hm. I don't think so, but I'm not that deep into TCP that I could
> easily tell some circumstances when such things can happen and if it
> indicates a bug by all means.
> 
> There might be a slight possibility that the packet sender was forged.
> Additionally, when inside a potentially hostile LAN, you can't trust
> any IP addresses.
> 
> If it's just a single line, I'd ignore it, I think. But there's no
> good reason I could give for that proposal, except of some absent
> feeling that anything would be wrong.
> 
> -hwh

OK, Thanks.  I am going to put 
| iptables -I INPUT -s 192.168.0.0/16 -i eth1 -j DROP
into my firewall and see if any packets hit it I guess.  It would be
good to know 
> It depends on your uplink whether such packets can get through.
whether or not that applies to mine (comcast); I thought I tested it
but I suppose it probably depends on the other side of the connection
as well.
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] "Treason uncloaked!" solution?

2007-08-24 Thread Hans-Werner Hilse
Hi,

On Thu, 23 Aug 2007 12:55:06 -0500
Dan Farrell <[EMAIL PROTECTED]> wrote:

> > It usually means that the other side of the TCP
> > connection reduced the window to zero size, thus leading stupid TCP
> > stacks to save information on a basically starved connection. The
> > kernel just sends information to the log, so if you
> > recognize the IP and are in charge of the sender, you'll know that it
> > has a very broken TCP stack. Essentially: Just ignore it, if the
> > sender IP doesn't belong to one of your own networks.
> > 
> I found a line in my Treason-related output that pointed to an internal
> IP on a distcc port.  Should I be worried about this computer?  It's
> running a brand new gentoo install and is solely for the purpose of
> distcc.  

Hm. I don't think so, but I'm not that deep into TCP that I could
easily tell some circumstances when such things can happen and if it
indicates a bug by all means.

There might be a slight possibility that the packet sender was forged.
It depends on your uplink whether such packets can get through.
Additionally, when inside a potentially hostile LAN, you can't trust
any IP addresses.

If it's just a single line, I'd ignore it, I think. But there's no good
reason I could give for that proposal, except of some absent feeling
that anything would be wrong.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] "Treason uncloaked!" solution?

2007-08-23 Thread Dan Farrell
On Wed, 22 Aug 2007 23:48:55 +0200
Hans-Werner Hilse <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> On Wed, 22 Aug 2007 12:18:16 -0700
> Grant <[EMAIL PROTECTED]> wrote:
> 
> > Sometimes I get "Treason uncloaked!" in dmesg when running
> > bittorrent. The solution here:
> > 
> > http://www.linuxquestions.org/questions/showthread.php?t=127984
> > 
> > is:
> > 
> > You'd best set iptables to block all packets from BOGON networks
> > (nets that shouldn't exist) so you can avoid this type of attack.
> > You may find a list of bogon nets here. Note: unallocated nets
> > change from time to time! Just in November IANA allocated two more
> > blocks to RIPE, so you really need to pay attention if you're
> > blocking all bogon IPs.
> > 
> > Which doesn't sound great.  What would you guys recommend I do?  I
> > use a Gentoo router.
> 
> Hm, I don't think that those "attacks" (which do no harm to Linux
> systems since some 1.x version of the kernel -- the warning is a
> reminiscence) will always come from wrong nets. I have those
> occasionally on all my larger server installs and never really
> bothered about them. It usually means that the other side of the TCP
> connection reduced the window to zero size, thus leading stupid TCP
> stacks to save information on a basically starved connection. The
> kernel just sends information to the log, so if you
> recognize the IP and are in charge of the sender, you'll know that it
> has a very broken TCP stack. Essentially: Just ignore it, if the
> sender IP doesn't belong to one of your own networks.
> 
> -hwh
I found a line in my Treason-related output that pointed to an internal
IP on a distcc port.  Should I be worried about this computer?  It's
running a brand new gentoo install and is solely for the purpose of
distcc.  
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] "Treason uncloaked!" solution?

2007-08-22 Thread Hans-Werner Hilse
Hi,

On Wed, 22 Aug 2007 12:18:16 -0700
Grant <[EMAIL PROTECTED]> wrote:

> Sometimes I get "Treason uncloaked!" in dmesg when running bittorrent.
> The solution here:
> 
> http://www.linuxquestions.org/questions/showthread.php?t=127984
> 
> is:
> 
> You'd best set iptables to block all packets from BOGON networks (nets
> that shouldn't exist) so you can avoid this type of attack. You may
> find a list of bogon nets here. Note: unallocated nets change from
> time to time! Just in November IANA allocated two more blocks to RIPE,
> so you really need to pay attention if you're blocking all bogon IPs.
> 
> Which doesn't sound great.  What would you guys recommend I do?  I use
> a Gentoo router.

Hm, I don't think that those "attacks" (which do no harm to Linux
systems since some 1.x version of the kernel -- the warning is a
reminiscence) will always come from wrong nets. I have those
occasionally on all my larger server installs and never really bothered
about them. It usually means that the other side of the TCP connection
reduced the window to zero size, thus leading stupid TCP stacks to save
information on a basically starved connection. The kernel just sends
information to the log, so if you recognize the IP and are in
charge of the sender, you'll know that it has a very broken TCP
stack. Essentially: Just ignore it, if the sender IP doesn't belong to
one of your own networks.

-hwh
-- 
[EMAIL PROTECTED] mailing list
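Hans-Werner's rule of thumb (peers outside your own networks are just broken stacks; peers inside your own ranges deserve a look) as an added Python triage script. This is not code from the thread: the dmesg lines and addresses are constructed, and the list of "own networks" is an assumed parameter.

```python
"""Triage 'Treason uncloaked!' lines from dmesg (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# Message format printed by 2.6-era kernels: the two numbers after "shrinks window"
# are sequence numbers (snd_una:snd_nxt), the "/NNN" after the peer port is our local port.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<old>\d+):(?P<new>\d+)\. Repaired\."
)

# Constructed sample dmesg output; addresses, ports and sequence numbers are made up.
SAMPLE_DMESG = """\
TCP: Treason uncloaked! Peer 203.0.113.7:6881/51234 shrinks window 3086552:3086890. Repaired.
TCP: Treason uncloaked! Peer 198.51.100.20:6881/51240 shrinks window 17752:18000. Repaired.
TCP: Treason uncloaked! Peer 192.168.0.5:3632/40122 shrinks window 4294957120:4294957130. Repaired.
eth1: link up
TCP: Treason uncloaked! Peer 203.0.113.7:6881/51234 shrinks window 3087000:3087200. Repaired.
"""


def parse_treason(text):
    """Return (peer_ip, peer_port, local_port) for every matching line, in order."""
    events = []
    for line in text.splitlines():
        m = TREASON_RE.search(line)
        if m:
            events.append((m["ip"], int(m["port"]), int(m["lport"])))
    return events


def triage(text, own_nets):
    """Group events per peer and label each 'internal' (inside own_nets) or 'external'.

    External peers can be ignored (a remote stack shrinking its window); internal
    ones point at a host you administer, or at a packet with a spoofed source.
    """
    nets = [ipaddress.ip_network(n) for n in own_nets]
    counts = Counter(parse_treason(text))
    report = []
    for (ip, port, lport), n in sorted(counts.items()):
        addr = ipaddress.ip_address(ip)
        where = "internal" if any(addr in net for net in nets) else "external"
        report.append({"peer": f"{ip}:{port}", "local_port": lport, "count": n, "where": where})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_DMESG, ["192.168.0.0/16"]):
        print(row)
```

A repeated external peer is only a noisy remote stack; a single internal line at the distcc port (3632) is the case the thread asks about, and the host or the source address is what to check.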



[gentoo-user] "Treason uncloaked!" solution?

2007-08-22 Thread Grant
Sometimes I get "Treason uncloaked!" in dmesg when running bittorrent.
The solution here:

http://www.linuxquestions.org/questions/showthread.php?t=127984

is:

You'd best set iptables to block all packets from BOGON networks (nets
that shouldn't exist) so you can avoid this type of attack. You may
find a list of bogon nets here. Note: unallocated nets change from
time to time! Just in November IANA allocated two more blocks to RIPE,
so you really need to pay attention if you're blocking all bogon IPs.

Which doesn't sound great.  What would you guys recommend I do?  I use
a Gentoo router.

- Grant
-- 
[EMAIL PROTECTED] mailing list