TCP receive window set to 0; DoS or not?
billn at billn.net
billn at billn.net
Thu Sep 7 22:04:58 UTC 2006
> I've been seeing some systems that stop serving pages, and I also see
> the Linux "Treason Uncloaked!" kernel messages that indicate a remote
> system reduced its rcv win from 1 to 0... is there a non-malicious
> explanation for this, aside from a remote host running out of socket
> buffers? Seems to happen too often for that to be the case, and
> my googling has shown that it may be outside of spec. Certainly
> the warning is clear enough...
I've seen this, quite a bit, on some heavy traffic web clusters. Some
impolite web browsers will shrink the TCP window to kill the socket
connection instead of a proper fin/reset.
- billn
More information about the NANOG
mailing list