Why do I get “TCP: Treason uncloaked!” messages in my system logs?
by The editorial team
Symptoms:
This message is getting recorded in the /var/log/messages file:
TCP: Treason uncloaked! Peer 62.49.179.198:25/27430 shrinks window 3672986867:3672989475. Repaired.
Reason:
This is just an informational message; it does not indicate a problem with the local system. It tells the system administrator that a remote system is not communicating correctly with the system in question, and the fault lies on the remote side: the local system has received packets carrying incorrect TCP information, which is caused by a remote host or an intermediate firewall/NAT implementing TCP behaviour incorrectly. In the usual case, the only likely impact is a small performance drop on that connection.
contributed by David Robinson
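When these messages show up, the practical question for an administrator is whether they come from one misbehaving peer or middlebox (a nuisance) or from many peers against one local service (worth a closer look). The script below is an added example, not part of the original article: it parses the message format quoted above out of a dmesg or /var/log/messages extract and counts reports per peer and per local port. The field interpretation it assumes (peer address and peer port, then the local port, then the kernel's unacknowledged sequence range) follows the kernel's printk format as the author of this example understands it; the last four sample lines are constructed with RFC 5737 test addresses.

```python
import re
from collections import Counter

# Shape of the kernel message quoted in the article. Assumed field meaning:
# <peer ip>:<peer port>/<local port> shrinks window <snd_una>:<snd_nxt>.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>[\d.]+):(?P<rport>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<una>\d+):(?P<nxt>\d+)\. Repaired\."
)

# Constructed sample: the first two lines are the ones quoted on this page,
# the next three are made up (RFC 5737 addresses) to show one repeating peer,
# and the last is an unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
TCP: Treason uncloaked! Peer 62.49.179.198:25/27430 shrinks window 3672986867:3672989475. Repaired.
TCP: Treason uncloaked! Peer 200.47.151.107:40772/80 shrinks window 1049336222:1049336223. Repaired.
[ 1203.441] TCP: Treason uncloaked! Peer 192.0.2.10:51234/80 shrinks window 100:1560. Repaired.
[ 1203.902] TCP: Treason uncloaked! Peer 192.0.2.10:51240/80 shrinks window 7000:8460. Repaired.
[ 1204.118] TCP: Treason uncloaked! Peer 192.0.2.10:51251/443 shrinks window 4294967290:4. Repaired.
eth0: link up, 1000Mbps, full-duplex
"""


def parse_treason(line):
    """Return the fields of one 'Treason uncloaked' line, or None for other lines.

    'unacked' is snd_nxt - snd_una taken modulo 2**32, because TCP sequence
    numbers wrap; it is the amount of data the local side still had in flight.
    """
    m = TREASON_RE.search(line)
    if not m:
        return None
    una, nxt = int(m.group("una")), int(m.group("nxt"))
    return {
        "ip": m.group("ip"),
        "remote_port": int(m.group("rport")),
        "local_port": int(m.group("lport")),
        "unacked": (nxt - una) % (1 << 32),
    }


def summarize(log_text):
    """Parse a log extract and count reports per peer and per local port."""
    records = [r for r in (parse_treason(l) for l in log_text.splitlines()) if r]
    return {
        "records": records,
        "peers": Counter(r["ip"] for r in records),
        "local_ports": Counter(r["local_port"] for r in records),
    }


def noisy_peers(summary, threshold=3):
    """Peers that appear at least `threshold` times, most frequent first.

    A single peer repeating is the usual broken-stack or NAT case; many
    distinct peers hitting one local port is the pattern worth investigating.
    """
    return [ip for ip, n in summary["peers"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("reports per local port:", dict(s["local_ports"]))
    print("reports per peer:      ", dict(s["peers"]))
    print("repeat offenders:      ", noisy_peers(s))
```

Run it against `dmesg` output or a grep of /var/log/messages instead of the embedded sample; the per-local-port counter tells you which service is affected and the per-peer counter whether a single remote host accounts for nearly all of the noise.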
February 1st, 2007 at 4:14 am
Doesn’t explain the reason behind the alarmist “Treason uncloaked!” communiqué.
February 1st, 2007 at 4:24 am
Remember, you are speaking mostly to a technical audience.
The next article down in the section is “TCP/IP Tuning Parameters”.
Exactly what is the issue here? Brevity is always good, but I feel like a kid that has been told “Don’t worry. I’ll take care of the big bad monster.” Your answer might be soothing, but my knowledge base has not expanded one bit.
-5 Points for wasting my time on this one.
February 1st, 2007 at 4:49 am
Ditto Terry Kellum. This needs more detail.
February 1st, 2007 at 5:18 am
It’s a little worse than that. This particular message could be innocuous — caused by some errors or overly optimistic TCP tunings on the remote side — but often is a symptom of an exploit attempt.
February 1st, 2007 at 6:13 pm
Terry hit the nail on the head. As I was reading this I kept thinking who do they think their audience is and why not include some detailed information.
If you know just a little bit about TCP then the error explains more of what is going on than your answer.
Please consider catering to your technical audience as well.
February 2nd, 2007 at 12:21 pm
Some folks think this not benign, but an attack:
http://www.experts-exchange.com/Security/Linux_Security/Q_20598156.html
April 11th, 2007 at 6:07 am
Maybe it is related to this kernel bug:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ad41065d9fe518759b695fc2640cf9c07261dd2
I hope RHEL5 already contains this fix and RHEL4 will soon follow.
May 18th, 2007 at 7:35 pm
And people ask me why we didn’t buy RH support…
October 14th, 2007 at 11:05 am
stop leeching torrents and the error message will be gone
December 17th, 2007 at 11:46 am
regarding Orkcu’s comment:
Has this bug been fixed as of 2.6.16??
March 14th, 2008 at 9:36 am
#uname -a
2.6.18-53.1.6.el5.028stab053.6ent
#dmesg
[...a lot of messages before....]
TCP: Treason uncloaked! Peer 200.47.151.107:40772/80 shrinks window 1049336222:1049336223. Repaired.
The answer is no, it is not solved. It’s a kind of attack and I see it every day.
March 26th, 2008 at 10:58 am
It’s an exploit attempt. Possible SYN flood. Basically it means that the machine is getting hits at an alarming rate. It may be concentrated on any specific port like 25 or may be server wide.
RGDS
February 28th, 2009 at 12:21 am
This note is incorrect. There are 2 known bugs in Linux which cause systems to erroneously issue “Treason uncloaked”:
Fixed in 2.6.25:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5ea3a7480606cef06321cd85bc5113c72d2c7c68
Fixed in 2.6.14:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ad41065d9fe518759b695fc2640cf9c07261dd2
In both cases it is *not* the remote system causing the problem. There are probably additional bugs which cause this message.