Re: Treason uncloaked!
From: firstname.lastname@example.org
Date: Thu, 2 Aug 2001 12:59:56 -0700 (PDT)
From: <email@example.com>
To: Inspector <firstname.lastname@example.org>
Subject: Re: Treason uncloaked!
Message-ID: <Pine.GSO.email@example.com>

Until proven otherwise, I would suggest you are seeing either:
1) An "old" (read "broken") TCP stack on the receiver. The original
RFC (793 IIRC) allowed this behavior -- RFC 1122 (?) corrected this by
prohibiting the RECEIVER from
2) Some mobile HTTP clients which, in order to get only the first
portion of an HTTP document, purposely(!!!) set a small initial window
size and don't allow it to move (until/if the user requests "more" of
the document, at which time they send ACK, thus reopening the window).
Presumably, it COULD be some lame attempt at a DOS attack; since you saw
it only twice, I would say the chance of it being 1) or 2) is
extremely close to 100%.
Above quoted from www.google.com
Academic Computing Group
Natural Sciences Division
Omnia iam fient fieri quae posse negabam
On 2 Aug 2001, Inspector wrote:
> I was looking at my logs this morning and found the two following lines inside:
> Aug 1 16:38:10 mydotcom kernel: TCP: Treason uncloaked! Peer 22.214.171.124:37331/80 shrinks window 3176552165:3176564729. Repaired.
> Aug 1 16:38:14 mydotcom kernel: TCP: Treason uncloaked! Peer 126.96.36.199:37331/80 shrinks window 3176552165:3176564729. Repaired.
> I don't know what those two lines mean but I know who had this ip at this moment. Does anybody know what this is and what I should do about it?
> Thank You
> The conquering penguin of the tribe of UNIX
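
Added example (not part of the original message, and not kernel code): a small Python parser for the log line format quoted above that counts events per peer, so that a couple of isolated lines can be told apart from a sustained stream from one address. The `threshold` cut-off, the unrelated log line and the burst from 192.0.2.10 are constructed assumptions.

```python
import re
from collections import defaultdict

# Message format as it appears in the two quoted log lines.
TREASON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+kernel:\s+"
    r"TCP: Treason uncloaked! Peer (?P<peer>[\d.]+):(?P<pport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<lo>\d+):(?P<hi>\d+)\. Repaired\.$"
)

def parse_line(line):
    """Return a dict for a 'Treason uncloaked' line, or None for anything else."""
    m = TREASON_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pport", "lport", "lo", "hi"):
        ev[key] = int(ev[key])
    # TCP sequence numbers wrap at 2**32, so take the difference modulo 2**32.
    ev["span"] = (ev["hi"] - ev["lo"]) % 2**32
    return ev

def summarize(log_text, threshold=20):
    """Count events per peer; 'threshold' is an assumed cut-off, not a kernel value."""
    per_peer = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_peer[ev["peer"]].append(ev)
    return {
        peer: {
            "events": len(evs),
            "connections": len({(e["pport"], e["lport"]) for e in evs}),
            "noisy": len(evs) >= threshold,
        }
        for peer, evs in per_peer.items()
    }

# Constructed sample: the two lines from the message, one unrelated kernel
# line, and a made-up burst of 25 events from a documentation address.
SAMPLE_LOG = "\n".join([
    "Aug 1 16:38:10 mydotcom kernel: TCP: Treason uncloaked! Peer 22.214.171.124:37331/80 shrinks window 3176552165:3176564729. Repaired.",
    "Aug 1 16:38:14 mydotcom kernel: TCP: Treason uncloaked! Peer 126.96.36.199:37331/80 shrinks window 3176552165:3176564729. Repaired.",
    "Aug 1 16:40:02 mydotcom kernel: eth0: link up",
] + [
    f"Aug 1 17:00:{i:02d} mydotcom kernel: TCP: Treason uncloaked! "
    f"Peer 192.0.2.10:{40000 + i}/80 shrinks window {1000 + i}:{2460 + i}. Repaired."
    for i in range(25)
])
```

Calling `summarize(SAMPLE_LOG)` returns one entry per peer address; only the constructed burst reaches the assumed threshold.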