Hi i have been receiving the following on running dmesg on one of my linux servers.Seems to be a sort of DOS attack.I need to reproduce it.But unable to get the tool which can do the same.Can anybody out there help me.

TCP: Treason uncloaked! Peer 195.166.241.58:62516/80 shrinks window 1125437396:1125437397. Repaired.
TCP: Treason uncloaked! Peer 195.166.241.58:62516/80 shrinks window 1125437396:1125437397. Repaired.
TCP: Treason uncloaked! Peer 195.166.241.58:62516/80 shrinks window 1125437396:1125437397. Repaired.
TCP: Treason uncloaked! Peer 210.212.88.48:2339/80 shrinks window 1732317231:1732317232. Repaired.
TCP: Treason uncloaked! Peer 88.202.127.229:51950/80 shrinks window 3906350758:3906350759. Repaired.
TCP: Treason uncloaked! Peer 203.199.30.15:53364/80 shrinks window 3067016690:3067019450. Repaired.

lovewadhwa,

The message indicates that the remote host changed the tcp window size without renegotiating the size with your server. Newer kernels will handle this without any problems. The message gets printed when the client shrinks the tcp window size and the server still has data to transmit.

Is your server a webserver? It could be an attack. A common DoS on web servers is to use up all available connections by not completing the 3-way handshake and having that socket remain in a half open state. A network capture of the traffic will confirm this.

Check your server logs and any other facilities you may have for detecting attacks. (Firewall, IDS, etc) They may show additional details.

More than likely it is a broken client somewhere.

You could probably script hping to replicate this type of attack.

dean