TCP receive window set to 0; DoS or not?

billn at billn.net billn at billn.net
Thu Sep 7 22:04:58 UTC 2006



> I've been seeing some systems that stop serving pages, and I also see
> the Linux "Treason Uncloaked!" kernel messages that indicate a remote
> system reduced its rcv win from 1 to 0... is there a non-malicious
> explanation for this, aside from a remote host running out of socket
> buffers?  Seems to happen too often for that to be the case, and
> my googling has shown that it may be outside of spec.  Certainly
> the warning is clear enough...

I've seen this, quite a bit, on some heavy traffic web clusters. Some 
impolite web browsers will shrink the TCP window to kill the socket 
connection instead of a proper fin/reset. 

- billn



More information about the NANOG mailing list