North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: TCP receive window set to 0; DoS or not?

  • From: billn
  • Date: Thu Sep 07 18:04:14 2006

> I've been seeing some systems that stop serving pages, and I also see
> the Linux "Treason Uncloaked!" kernel messages that indicate a remote
> system reduced its rcv win from 1 to 0... is there a non-malicious
> explanation for this, aside from a remote host running out of socket
> buffers?  Seems to happen too often for that to be the case, and
> my googling has shown that it may be outside of spec.  Certainly
> the warning is clear enough...

I've seen this, quite a bit, on some heavy traffic web clusters. Some 
impolite web browsers will shrink the TCP window to kill the socket 
connection instead of a proper fin/reset. 

- billn