Treason uncloaked!
I just got an email from logcheck consisting of lines similar to the following:
kernel: TCP: Treason uncloaked! Peer 218.69.139.x:43090/80 shrinks window 1468046648:1468049476. Repaired.
Treason uncloaked! Fantastic. Another unintelligible, jocular message flagging unusual error conditions. Very “printer on fire”. (Either that, or a babelfish translation of something that sounded reasonable. And to be fair, you’ll only see it if TCP debugging is turned on.)
Considering the use of the exclamation mark, it’s not clear if the uncloaking of treason (mine or others?) is anything to worry about. ”Repaired” is reassuring, I suppose - but might this a symptom of a fresh exploit? A new worm?
Googling suggests that it’s a bugfix from linux 2.4.7 for dealing with broken TCP implementations. The code explains itself as:
/* Receiver dastardly shrinks window. Our retransmits * become zero probes, but we should not timeout this * connection. If the socket is an orphan, time it out, * we cannot allow such beasts to hang infinitely. */
I especially like the use of “dastardly” in the comments. From now on kernel messages, for me, will have voice of an announcer on some pulpy 30s radio serial. “Who knows what evil lurks in the packets of men? RFC3514 knows…”.
