
Why do I get “TCP: Treason uncloaked!” messages in my system logs?

Symptoms:
This message is getting recorded in the /var/log/messages file:

TCP: Treason uncloaked! Peer 62.49.179.198:25/27430 shrinks window 3672986867:3672989475. Repaired.

Reason:

This is just an informative message; it does not indicate a problem with the local system. It tells the system administrator that a remote system is not communicating correctly with this one: the local system has received packets carrying incorrect TCP information. The cause is a remote host, or an intermediate firewall or NAT device, implementing TCP behavior incorrectly. In the usual case, the only likely impact is a small performance drop on the connection.

contributed by David Robinson
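
An added example, not part of the original article or of Red Hat's Knowledgebase: a small Python parser that pulls these messages out of log text (also when the message is wrapped after "shrinks window") and counts them per peer and per local port, so an administrator can see whether they come from one remote host or many. The field names (peer port, local port, sequence-number pair) are this example's reading of the message layout; the syslog prefixes and the 192.0.2.10 lines are constructed.

```python
import re
from collections import Counter

# Field names are this example's reading of the message, not stated on the page:
# "Peer <ip>:<peer_port>/<local_port> shrinks window <seq_lo>:<seq_hi>".
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):"
    r"(?P<peer_port>\d+)/(?P<local_port>\d+) shrinks window\s+"
    r"(?P<seq_lo>\d+):(?P<seq_hi>\d+)\. Repaired\."
)

def parse_treason(log_text):
    """Return one dict per 'Treason uncloaked' event found in log_text."""
    # Some viewers wrap the message after "shrinks window"; rejoin the
    # wrapped half so the regex sees one logical line.
    unwrapped = re.sub(r"shrinks window[ \t]*\n[ \t]*", "shrinks window ", log_text)
    events = []
    for m in TREASON_RE.finditer(unwrapped):
        lo, hi = int(m["seq_lo"]), int(m["seq_hi"])
        events.append({
            "peer": m["ip"],
            "peer_port": int(m["peer_port"]),
            "local_port": int(m["local_port"]),
            # TCP sequence numbers are 32-bit and wrap, so subtract modulo 2**32.
            "span": (hi - lo) % 2**32,
        })
    return events

def summarize(events):
    """Count events per peer and per local port for triage."""
    return {
        "by_peer": Counter(e["peer"] for e in events),
        "by_local_port": Counter(e["local_port"] for e in events),
    }

# Constructed sample: the two messages quoted on this page plus constructed
# lines (documentation-range address 192.0.2.10, syslog prefixes invented).
SAMPLE = """\
Jan 29 10:01:02 host kernel: TCP: Treason uncloaked! Peer 62.49.179.198:25/27430 shrinks window
3672986867:3672989475. Repaired.
Jan 29 10:01:09 host kernel: TCP: Treason uncloaked! Peer 200.47.151.107:40772/80 shrinks window 1049336222:1049336223. Repaired.
Jan 29 10:02:11 host kernel: TCP: Treason uncloaked! Peer 192.0.2.10:51000/80 shrinks window 4294967290:5. Repaired.
Jan 29 10:02:40 host kernel: TCP: Treason uncloaked! Peer 192.0.2.10:51001/80 shrinks window 100:1560. Repaired.
Jan 29 10:03:00 host sshd[412]: Accepted publickey for admin from 192.0.2.77
"""

if __name__ == "__main__":
    events = parse_treason(SAMPLE)
    print(*events, summarize(events), sep="\n")
```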

Red Hat’s customer service and support teams receive technical support questions from users all over the world. Red Hat technicians add the questions and answers to Red Hat Knowledgebase on a daily basis. Access to Red Hat Knowledgebase is free. Every month, Red Hat Magazine offers a preview into the Red Hat Knowledgebase by highlighting some of the most recent entries.

14 responses to “Why do I get “TCP: Treason uncloaked!” messages in my system logs?”

  1. George Herson says:

    Doesn’t explain the reason behind the alarmist “Treason uncloaked!” communiqué.

  2. Terry Kellum says:

    Remember, you are speaking mostly to a technical audience.
    The next article down in the section is “TCP/IP Tuning Parameters”.
    Exactly what is the issue here? Brevity is always good, but I feel like a kid that has been told “Don’t worry. I’ll take care of the big bad monster.” Your answer might be soothing, but my knowledge base has not expanded one bit.
    -5 Points for wasting my time on this one.

  3. Tim says:

    Ditto Terry Kellum. This needs more detail.

  4. Blu Scrinodeth says:

    It’s a little worse than that. This particular message could be innocuous — caused by some errors or overly optimistic TCP tunings on the remote side — but often is a symptom of an exploit attempt.

  5. Pippin Wallace says:

    Terry hit the nail on the head. As I was reading this I kept thinking who do they think their audience is and why not include some detailed information.
    If you know just a little bit about TCP then the error explains more of what is going on than your answer.
    Please consider catering to your technical audience as well.

  6. Carla says:

    Some folks think this is not benign, but an attack:

    http://www.experts-exchange.com/Security/Linux_Security/Q_20598156.html

  7. Orkcu says:

    Maybe it is related to this kernel bug:

    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ad41065d9fe518759b695fc2640cf9c07261dd2

    I hope RHEL5 already contains this fix and RHEL4 will soon follow.

  8. Roberto says:

    And people ask me why we didn’t buy RH support…

  9. Elvis John Zorn says:

    Stop leeching torrents and the error message will be gone ;)

  10. Robert Callicotte says:

    Regarding Orkcu’s comment:

    Has this bug been fixed as of 2.6.16??
    :)

  11. Ruben says:

    #uname -a

    2.6.18-53.1.6.el5.028stab053.6ent

    #dmesg
    [...a lot of messages before....]
    TCP: Treason uncloaked! Peer 200.47.151.107:40772/80 shrinks window 1049336222:1049336223. Repaired.

    The answer is no, it is not solved. It’s a kind of attack and I see it every day.

  12. Tushar says:

    It’s an exploit attempt. Possible SYN flood. Basically it means that the machine is getting hits at an alarming rate. It may be concentrated on any specific port like 25 or may be server wide.

    RGDS

  13. TCP: Treason uncloaked! | Tech. info. news @inertz.org says:

    [...] http://www.redhatmagazine.com/2007/01/29/why-do-i-get-tcp-treason-uncloaked-messages-in-my-system-logs/ [...]

  14. Greg Lindahl says:

    This note is incorrect. There are 2 known bugs in Linux which cause systems to erroneously issue “Treason uncloaked”:

    Fixed in 2.6.25:

    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5ea3a7480606cef06321cd85bc5113c72d2c7c68

    Fixed in 2.6.14:

    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ad41065d9fe518759b695fc2640cf9c07261dd2

    In both cases it is *not* the remote system causing the problem. There are probably additional bugs which cause this message.