[92117] in North American Network Operators' Group
Re: TCP receive window set to 0; DoS or not?
daemon@ATHENA.MIT.EDU (billn@billn.net)
Thu Sep 7 18:03:12 2006
Date: Thu, 7 Sep 2006 15:04:58 -0700 (MST)
From: billn@billn.net
To: Travis Hassloch <travis.hassloch@rackspace.com>
Cc: nanog@merit.edu
In-Reply-To: <45008F91.9010304@rackspace.com>
Errors-To: owner-nanog@merit.edu

> I've been seeing some systems that stop serving pages, and I also see
> the Linux "Treason Uncloaked!" kernel messages that indicate a remote
> system reduced its rcv win from 1 to 0... is there a non-malicious
> explanation for this, aside from a remote host running out of socket
> buffers? Seems to happen too often for that to be the case, and
> my googling has shown that it may be outside of spec. Certainly
> the warning is clear enough...

I've seen this, quite a bit, on some heavy traffic web clusters. Some
impolite web browsers will shrink the TCP window to kill the socket
connection instead of a proper FIN/reset.

- billn
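
Added example, not part of the original thread: one way to triage the "Treason uncloaked!" kernel messages discussed above by counting events per remote peer, so that many peers with one event each can be told apart from one peer that shrinks its window repeatedly. The message layout is the one printed by 2.6-era Linux kernels (an assumption, the thread only quotes the phrase); the sample lines are constructed and the `threshold` parameter is hypothetical.

```python
import re
from collections import Counter

# Assumed layout of the 2.6-era kernel message:
#   TCP: Treason uncloaked! Peer <ip>:<remote port>/<local port>
#        shrinks window <snd_una>:<snd_nxt>. Repaired.
TREASON_RE = re.compile(
    r"Treason uncloaked! Peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)"
    r"/(?P<lport>\d+) shrinks window (?P<una>\d+):(?P<nxt>\d+)",
    re.IGNORECASE,
)

# Constructed sample lines (documentation address ranges), not real captures.
SAMPLE_LOG = """\
Sep  7 14:01:02 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:3312/80 shrinks window 1002003:1003463. Repaired.
Sep  7 14:01:05 web1 kernel: TCP: Treason uncloaked! Peer 198.51.100.7:51022/80 shrinks window 5000:7920. Repaired.
Sep  7 14:01:07 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:3313/80 shrinks window 2000000:2001460. Repaired.
Sep  7 14:01:08 web1 kernel: TCP: Treason uncloaked! Peer 192.0.2.10:3314/80 shrinks window 4294966000:704. Repaired.
Sep  7 14:01:09 web1 kernel: eth0: link up
Sep  7 14:01:11 web1 kernel: TCP: Treason uncloaked! Peer 203.0.113.5:1040/443 shrinks window 10:1470. Repaired.
"""


def parse_treason(lines):
    """Yield (peer_ip, local_port, unacked_bytes) for each matching line."""
    for line in lines:
        m = TREASON_RE.search(line)
        if not m:
            continue
        # snd_nxt - snd_una is the data sent but not yet acknowledged;
        # sequence numbers are 32-bit, so take the difference modulo 2**32.
        unacked = (int(m["nxt"]) - int(m["una"])) % 2**32
        yield m["peer"], int(m["lport"]), unacked


def summarize(lines, threshold=3):
    """Return (events per peer, sorted peers with >= threshold events)."""
    per_peer = Counter(peer for peer, _, _ in parse_treason(lines))
    repeat = sorted(p for p, n in per_peer.items() if n >= threshold)
    return per_peer, repeat


if __name__ == "__main__":
    counts, repeat = summarize(SAMPLE_LOG.splitlines())
    for peer, n in counts.most_common():
        print(f"{peer:15} {n}")
    print("repeat peers:", repeat)
```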