Re: Treason uncloaked!

From: stephen@acgroup.ucsc.edu
Date: 08/02/01


Date: Thu, 2 Aug 2001 12:59:56 -0700 (PDT)
From: <stephen@acgroup.ucsc.edu>
To: Inspector <piracy@frauddivision.com>
Subject: Re: Treason uncloaked!
Message-ID: <Pine.GSO.4.31.0108021259320.2433-100000@cavecanem.ucsc.edu>


Until proven otherwise, I would suggest you are seeing either:

1) An "old" (read "broken") TCP stack on the receiver. The original
RFC (793 IIRC) allowed this behavior -- RFC 1122 (?) corrected this by
prohibiting the RECEIVER from doing this.

2) Some mobile HTTP clients which, in order to get only the first
portion of an HTTP document, purposely(!!!) set a small initial window
size and don't allow it to move (until/if the user requests "more" of
the document, at which time they send ACK, thus reopening the window).

Presumably, it COULD be some lame attempt at a DoS attack; since you saw
it only twice, I would say the chance of it being 1) or 2) is
extremely close to 100%.

Above quoted from www.google.com

Stephen Hauskins
Academic Computing Group
Natural Sciences Division

Omnia iam fient fieri quae posse negabam (All the things I used to deny could happen are now happening)

On 2 Aug 2001, Inspector wrote:

> I was looking at my logs this morning and found the two following lines inside:
>
> Aug 1 16:38:10 mydotcom kernel: TCP: Treason uncloaked! Peer 24.200.94.63:37331/80 shrinks window 3176552165:3176564729. Repaired.
> Aug 1 16:38:14 mydotcom kernel: TCP: Treason uncloaked! Peer 24.200.94.63:37331/80 shrinks window 3176552165:3176564729. Repaired.
>
> I don't know what those two lines mean but I know who had this IP at this moment. Does anybody know what this is and what I should do about it?
>
> Thank You
>
> Marc
>
> The conquering penguin of the tribe of UNIX
>
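An added worked example, not part of either message above, that makes the two technical points of the thread concrete. The first half models the rule Stephen is recalling, RFC 1122 section 4.2.2.16: a receiver SHOULD NOT "shrink the window", meaning move the right window edge (ack + window) to the left; advertising a smaller window is legitimate as long as the reduction is covered by the data just acknowledged. The second half parses the two kernel lines Marc posted. My reading of the 2.4 net/ipv4/tcp_timer.c printk (treat it as an assumption) is that "Peer a.b.c.d:P/Q" is the peer address, the peer's port P and the local port Q, so port 80 is Marc's web server and 37331 is the client's ephemeral port, which fits Stephen's HTTP-client hypothesis; the two numbers after "shrinks window" are snd_una and snd_nxt, so their difference is the data left in flight when the peer's window went to zero, and "Repaired" means the kernel kept probing instead of timing the connection out. The 192.0.2.10 line, the "link up" line and the ACK sequence are constructed for the example.

```python
"""Added example (not from the thread): the RFC 1122 window-shrink rule and a
parser for the 2.4-era "TCP: Treason uncloaked!" syslog lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEQ_MASK = 0xFFFFFFFF  # TCP sequence space is 32-bit and wraps around


def seq_before(a: int, b: int) -> bool:
    """True if sequence number a lies before b in modulo-2**32 order
    (the same comparison as the kernel's before() helper)."""
    return ((a - b) & SEQ_MASK) >= 0x80000000


def window_shrinks(old_ack: int, old_win: int, new_ack: int, new_win: int) -> bool:
    """RFC 1122 section 4.2.2.16: a receiver SHOULD NOT move the right window
    edge (ack + window) to the left.  A smaller advertised window is fine as
    long as it is explained by the data just acknowledged."""
    old_right = (old_ack + old_win) & SEQ_MASK
    new_right = (new_ack + new_win) & SEQ_MASK
    return seq_before(new_right, old_right)


def find_shrinks(acks: List[Tuple[int, int]]) -> List[int]:
    """Indices of the (ack, window) pairs whose right edge receded from the
    previous pair; a sender would have to cope at each of these points."""
    return [i for i in range(1, len(acks)) if window_shrinks(*acks[i - 1], *acks[i])]


# Constructed ACK sequence from a receiver of a 12 KB HTTP response:
# ack 2000 bytes with the window reduced by 2000 (right edge unchanged, legal),
# then cut the window with nothing new acked, then close it to zero.
SAMPLE_ACKS = [(1000, 8192), (3000, 6192), (3000, 4000), (3000, 0)]


@dataclass
class TreasonEvent:
    host: str
    peer_ip: str
    peer_port: int    # the peer's port (the HTTP client's ephemeral port here)
    local_port: int   # our port (80: the web server)
    snd_una: int      # oldest unacknowledged byte
    snd_nxt: int      # next byte to be sent


# Field order follows the printk in 2.4 net/ipv4/tcp_timer.c as I read it
# (peer addr, peer port, local port, snd_una, snd_nxt); treat it as an assumption.
TREASON_RE = re.compile(
    r"(?P<host>\S+) kernel: TCP: Treason uncloaked! "
    r"Peer (?P<peer_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<peer_port>\d+)/(?P<local_port>\d+) "
    r"shrinks window (?P<snd_una>\d+):(?P<snd_nxt>\d+)\. Repaired\."
)


def parse_treason_line(line: str) -> Optional[TreasonEvent]:
    """Return a TreasonEvent for a matching syslog line, else None."""
    m = TREASON_RE.search(line)
    if m is None:
        return None
    return TreasonEvent(
        m["host"], m["peer_ip"], int(m["peer_port"]), int(m["local_port"]),
        int(m["snd_una"]), int(m["snd_nxt"]),
    )


def outstanding_bytes(snd_una: int, snd_nxt: int) -> int:
    """Bytes in flight when the window closed, correct across a 2**32 wrap."""
    return (snd_nxt - snd_una) & SEQ_MASK


def summarize(log_text: str) -> Dict[Tuple[str, int, int], Dict[str, int]]:
    """Group events per (peer_ip, peer_port, local_port): how often it fired and
    how much data was stranded behind the zero window at the last event."""
    summary: Dict[Tuple[str, int, int], Dict[str, int]] = defaultdict(
        lambda: {"events": 0, "outstanding": 0}
    )
    for line in log_text.splitlines():
        ev = parse_treason_line(line)
        if ev is None:
            continue
        key = (ev.peer_ip, ev.peer_port, ev.local_port)
        summary[key]["events"] += 1
        summary[key]["outstanding"] = outstanding_bytes(ev.snd_una, ev.snd_nxt)
    return dict(summary)


# Constructed sample: the two lines from the original post, one unrelated kernel
# line, and a made-up third event (TEST-NET address) whose snd_nxt has wrapped.
SAMPLE_LOG = """\
Aug 1 16:38:10 mydotcom kernel: TCP: Treason uncloaked! Peer 24.200.94.63:37331/80 shrinks window 3176552165:3176564729. Repaired.
Aug 1 16:38:14 mydotcom kernel: TCP: Treason uncloaked! Peer 24.200.94.63:37331/80 shrinks window 3176552165:3176564729. Repaired.
Aug 1 16:40:00 mydotcom kernel: eth0: link up
Aug 1 17:02:01 mydotcom kernel: TCP: Treason uncloaked! Peer 192.0.2.10:51000/80 shrinks window 4294967200:200. Repaired.
"""

if __name__ == "__main__":
    print("receding right edge at ACK indices:", find_shrinks(SAMPLE_ACKS))
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info)
```

Run as a script it reports that only the third and fourth ACKs in the constructed sequence actually shrink the window (the second one merely acknowledges data), and that Marc's peer tripped the check twice on the same connection with 12564 bytes still unacknowledged, which is a single stalled HTTP response rather than anything that scales into a denial of service. The per-peer count is the number a practitioner would watch: one client doing this twice matches Stephen's cases 1) and 2); hundreds of peers doing it against one server would be worth a closer look.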