Treason uncloaked! in the debug log

Discussion about security and networks.
hedin
Posts: 26
Joined: 12 February 2007, 20:12

Post by hedin » 11 March 2007, 18:02

Hello.
I've got something strange in the debug log. This is what I got today, and looking back I see that it has happened 3 times before, but from a different address.

Mar 11 15:00:00 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4145389127:4145391951. Repaired.
Mar 11 15:00:58 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4146205263:4146208087. Repaired.
Mar 11 15:01:28 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4146518727:4146521551. Repaired.
Mar 11 15:01:38 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4146620391:4146623215. Repaired.
Mar 11 15:01:50 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4146738999:4146741823. Repaired.
Mar 11 15:01:57 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4146806775:4146809599. Repaired.
Mar 11 15:02:02 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4146857607:4146860431. Repaired.
Mar 11 15:02:02 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4146857607:4146860431. Repaired.
Mar 11 15:02:30 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4147128711:4147131535. Repaired.
Mar 11 15:02:42 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4147238847:4147241671. Repaired.
Mar 11 15:02:51 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4147319331:4147322155. Repaired.
Mar 11 15:03:00 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4147404051:4147406875. Repaired.
Mar 11 15:03:08 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4147488771:4147491595. Repaired.
Mar 11 15:03:19 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4147590435:4147593259. Repaired.
Mar 11 15:03:20 Server kernel: TCP: Treason uncloaked! Peer 84.217.171.70:56727/49186 shrinks window 4147590435:4147593259. Repaired.

This is the last and longest of them, so it goes no further than this.

Googled it a bit and it seems to be some form of DoS attack.
http://www.linuxquestions.org/questions ... p?t=127984
http://kerneltrap.org/node/7182

Haven't noticed anything on the server.
What should one do about it?

mikma
Posts: 3349
Joined: 10 July 2003, 21:19

Post by mikma » 11 March 2007, 18:19

You could blacklist the address, but I suspect it is a dynamic IP address since it seems to be used by Glocalnet customers.

hedin
Posts: 26
Joined: 12 February 2007, 20:12

Post by hedin » 11 March 2007, 19:02

Probably. Here are the 3 earlier events.

Mar  6 13:45:07 Server kernel: TCP: Treason uncloaked! Peer 85.10.9.91:58377/49175
Mar  8 16:53:16 Server kernel: TCP: Treason uncloaked! Peer 84.217.139.128:54523/49197
Mar 10 18:29:12 Server kernel: TCP: Treason uncloaked! Peer 87.227.119.43:54921/49197

Found a script that might help

#!/bin/bash

# Stupid shell script to stop stupid TCP Treason attacks
# Setup cronjob to stop them
# Note: the TREASON chain only takes effect once INPUT jumps to it, e.g. a one-time
#   iptables -I INPUT -j TREASON

# First, make sure the TREASON chain exists, then flush its old rules
iptables -N TREASON 2>/dev/null
iptables -F TREASON

# Pull every distinct peer address out of the "Peer a.b.c.d:port/port" part of the message
for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | sed -n 's/.*Peer \([0-9.]*\):.*/\1/p' | sort --unique)
do

    FOUNDIT=0

    # Never block our own addresses: gateways from the routing table plus every local
    # interface address (assumes net-tools route/ifconfig output format)
    for DONTBLOCK in $(route -n | grep -v Destination | grep -v Kernel | awk '{print $2}' | sort | uniq && ifconfig -a | grep inet | cut -f 2 -d ':' | cut -f 1 -d ' ' | sort | uniq)
    do
        # echo "Checking $DONTBLOCK against $ATTACKER_IP ..."
        if [ "$DONTBLOCK" = "$ATTACKER_IP" ]; then
            # echo "UHOH! Hacker using forged local IP! Don't block it!"
            FOUNDIT=1
        fi
    done

    if [ "$FOUNDIT" = "0" ]; then
        # echo "Hacker IP $ATTACKER_IP not found in don't block list... Dropping"
        iptables -A TREASON -s "$ATTACKER_IP/32" -j DROP
    fi
done
iptables -A TREASON -j RETURN

But I also found that it might be a kernel bug. But that is 2.6.14 and I'm running 2.6.19.2, so it should have been fixed, right?
http://linux.derkeiler.com/Mailing-List ... 03750.html
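The kernel lines quoted in the first post and the blacklist script above both key on the peer address, so here is an added example (not from this thread) that parses syslog-formatted "Treason uncloaked" lines, summarises them per peer and applies the same "never block our own addresses" rule before naming block candidates. In the 2.6 kernel source the two numbers after "shrinks window" are snd_una and snd_nxt, so their difference is the amount of unacknowledged data at the moment the peer's window hit zero; the sample lines and their 192.0.2.x/198.51.100.x/203.0.113.x addresses are constructed, and local_addrs is passed in explicitly instead of being read from ifconfig.

```python
import re

# The 2.6 kernel logs this from the retransmit timer when a peer's window is zero:
# "Peer <remote ip>:<remote port>/<local port> shrinks window <snd_una>:<snd_nxt>".
TREASON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: TCP: Treason uncloaked! "
    r"Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<snd_una>\d+):(?P<snd_nxt>\d+)\. Repaired\.$"
)

# Constructed sample in the same syslog format as the thread; documentation addresses only.
SAMPLE_LOG = """\
Mar 11 15:00:00 Server kernel: TCP: Treason uncloaked! Peer 198.51.100.7:56727/49186 shrinks window 4145389127:4145391951. Repaired.
Mar 11 15:02:02 Server kernel: TCP: Treason uncloaked! Peer 198.51.100.7:56727/49186 shrinks window 4146857607:4146860431. Repaired.
Mar 11 15:02:02 Server kernel: TCP: Treason uncloaked! Peer 198.51.100.7:56727/49186 shrinks window 4146857607:4146860431. Repaired.
Mar 11 15:03:19 Server kernel: TCP: Treason uncloaked! Peer 198.51.100.7:56727/49186 shrinks window 4147590435:4147593259. Repaired.
Mar 11 15:10:00 Server kernel: TCP: Treason uncloaked! Peer 192.0.2.10:58377/49175 shrinks window 4294967200:80. Repaired.
Mar 11 15:11:00 Server kernel: TCP: Treason uncloaked! Peer 203.0.113.1:40000/22 shrinks window 1000:1500. Repaired.
Mar 11 15:12:00 Server sshd[1234]: Accepted publickey for admin from 203.0.113.1 port 40000 ssh2
"""

def parse_treason(log_text):
    """Yield one dict per Treason line; every other log line is ignored."""
    for line in log_text.splitlines():
        m = TREASON_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("rport", "lport", "snd_una", "snd_nxt"):
                ev[key] = int(ev[key])
            # Unacknowledged bytes when the window closed; sequence numbers wrap at 2^32.
            ev["inflight"] = (ev["snd_nxt"] - ev["snd_una"]) % 2**32
            yield ev

def summarize(log_text):
    """Per peer IP: event count, local ports hit, first/last timestamp, largest in-flight size."""
    peers = {}
    for ev in parse_treason(log_text):
        p = peers.setdefault(ev["ip"], {"count": 0, "lports": set(), "first": ev["ts"],
                                        "last": ev["ts"], "max_inflight": 0})
        p["count"] += 1
        p["lports"].add(ev["lport"])
        p["last"] = ev["ts"]
        p["max_inflight"] = max(p["max_inflight"], ev["inflight"])
    return peers

def block_candidates(peers, local_addrs, min_events=3):
    """Repeating peers that are not our own addresses (the script's route/ifconfig exclusion)."""
    return sorted(ip for ip, p in peers.items()
                  if p["count"] >= min_events and ip not in local_addrs)
```

Feed it the real syslog excerpt via summarize(open("/var/log/messages").read()) and compare the per-peer counts against the three earlier single events before deciding whether a rule is worth it.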
