
Thread: TCP: Treason uncloaked - attacks , smartdefense solutions ?




TCP: Treason uncloaked - attacks , smartdefense solutions ?
user name
2006-10-25 11:50:22
My webserver log is filling up with these:

...
TCP: Treason uncloaked! Peer 64.201.33.162:61377/80 shrinks window 3086856954:3086856955. Repaired.
TCP: Treason uncloaked! Peer 64.201.33.162:61404/80 shrinks window 3117991079:3117991080. Repaired.
TCP: Treason uncloaked! Peer 64.201.33.162:61404/80 shrinks window 3117991079:3117991080. Repaired.
...

Apparently this can be a kind of attack, to keep sockets in use, hence exhausting kernel memory.

Do SmartDefense and/or other Check Point firewalling components offer defense and/or blocking solutions for this kind of problem(s)?

M.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
TCP: Treason uncloaked - attacks , smartdefense solutions ?
user name
2006-10-25 16:04:59
It could potentially be a DoS attack.  Probably more likely it's a buggy TCP stack on the client.

According to this list posting (http://lists.freestandards.org/pipermail/printing-user-general/2003/003937.html) there are some buggy embedded devices that have this behaviour - perhaps home routers...

Regards
Mark


On 10/25/06, Mark Elsen wrote:
> My webserver log is filling up with these :
>
> ...
> TCP: Treason uncloaked! Peer 64.201.33.162:61377/80 shrinks window 3086856954:3086856955. Repaired.
> TCP: Treason uncloaked! Peer 64.201.33.162:61404/80 shrinks window 3117991079:3117991080. Repaired.
> TCP: Treason uncloaked! Peer 64.201.33.162:61404/80 shrinks window 3117991079:3117991080. Repaired.
> ...
>
> Apparently this can be a kind of attack, to keep sockets in use,
> hence exhausting kernel memory.
>
> Does SmartDefense and/or other checkpoint Firewalling components
> offer defense and or blocking solutions for this kind of problem (s) ?
>
> M.

TCP: Treason uncloaked - attacks , smartdefense solutions ?
user name
2006-10-25 20:05:09
On Wed, 25 Oct 2006, Mark Senior wrote:

> According to this list posting
> (http://lists.freestandards.org/pipermail/printing-user-general/2003/003937.html)
> there are some buggy embedded devices that have this behaviour -
> perhaps home routers...

Based on the port info there is probably a NAT device involved:

> > TCP: Treason uncloaked! Peer 64.201.33.162:61377/80 shrinks window 3086856954:3086856955. Repaired.

Source ports in the 60k range usually happen to be NATted ports.

So I fully agree that it is most likely just a broken client somewhere in Ontario. But I would check the full access log to see what patterns emerge from there.

Hugo.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.
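
Following the suggestion above to look at the logs for patterns, here is an added example (not part of the original posts) that groups the kernel messages by peer and by connection. The field names and the "kernel:" prefix on the first sample record are assumptions; the three records themselves are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread. \s+ between tokens tolerates the
# line wrapping that mail clients and archives introduce into log excerpts.
TREASON_RE = re.compile(
    r"TCP:\s+Treason\s+uncloaked!\s+Peer\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<peer_port>\d+)/(?P<local_port>\d+)\s+"
    r"shrinks\s+window\s+(?P<seq_a>\d+):(?P<seq_b>\d+)\.\s+Repaired\."
)

def parse_events(text):
    """Return one dict per 'Treason uncloaked' record found anywhere in text."""
    return [
        {
            "ip": m["ip"],
            "peer_port": int(m["peer_port"]),
            "local_port": int(m["local_port"]),
            "seq": (int(m["seq_a"]), int(m["seq_b"])),  # the two numbers logged
        }
        for m in TREASON_RE.finditer(text)
    ]

def summarize(events):
    """Per peer IP: total events, distinct connections, worst repeat count."""
    conns = defaultdict(lambda: defaultdict(int))
    for e in events:
        conns[e["ip"]][(e["peer_port"], e["local_port"])] += 1
    return {
        ip: {
            "events": sum(c.values()),
            "distinct_connections": len(c),
            "max_repeats_one_connection": max(c.values()),
            "local_ports": sorted({local for _, local in c}),
        }
        for ip, c in conns.items()
    }

# Sample input: the records from the thread; the first is left wrapped and
# given a constructed "kernel:" prefix to show both are handled.
SAMPLE = """\
kernel: TCP: Treason uncloaked! Peer 64.201.33.162:61377/80 shrinks
window
3086856954:3086856955. Repaired.
TCP: Treason uncloaked! Peer 64.201.33.162:61404/80 shrinks window 3117991079:3117991080. Repaired.
TCP: Treason uncloaked! Peer 64.201.33.162:61404/80 shrinks window 3117991079:3117991080. Repaired.
"""

if __name__ == "__main__":
    for ip, stats in summarize(parse_events(SAMPLE)).items():
        print(ip, stats)
```

A single peer with a handful of connections that each repeat points towards one misbehaving client; many peers or a steadily growing number of distinct connections is the pattern worth escalating.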
