If you see the following message in your dmesg output, it means that someone is attacking your server, probably by sending fragmented packets:
TCP: Treason uncloaked! Peer 0.0.0.0:00000/80 shrinks window 76154906:76154907. Repaired.
This can be avoided by manually blocking the IP in iptables or, if this is a DDoS attack, by using an automated script. See below (use with caution).
Short script:
---cut---
#!/bin/bash
# Field 5 of the dmesg line is the "Peer a.b.c.d:port/port" token, so cutting on ':'
# leaves the address. This assumes dmesg prints no "[seconds]" timestamp prefix,
# which would shift the field positions.
for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | cut -d' ' -f5 | cut -d':' -f1 | sort --unique)
do
    iptables -A INPUT -s "$ATTACKER_IP" -j DROP
done
---cut---
Complex script:
---cut---
iptables -F TREASON
iptables -X TREASON
iptables -N TREASON
... (the rest of your rules)
iptables -I INPUT -j TREASON # insert at the top of INPUT so it runs before the ESTABLISHED/RELATED accept rule and the other lines
---cut---
Then, the script below should be run from a cron job (at whatever interval you feel fits).
---cut---
#!/bin/bash
# Stupid shell script to stop stupid TCP Treason attacks
# Set up a cronjob to run it periodically
# First, flush the TREASON rules (the chain itself is created once in the firewall script)
iptables -F TREASON
#iptables -X TREASON
#iptables -N TREASON
# Addresses that must never be blocked: gateways from the routing table plus every
# local interface address (net-tools route/ifconfig output format), collected once.
DONTBLOCK_LIST=$( (route -n | grep -v Destination | grep -v Kernel | awk '{print $2}'; ifconfig -a | grep inet | cut -f 2 -d ':' | cut -f 1 -d ' ') | sort | uniq)
# Field 5 of the dmesg line is the peer address; this assumes dmesg prints no timestamp prefix
for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | cut -d' ' -f5 | cut -d':' -f1 | sort --unique)
do
    FOUNDIT=0
    for DONTBLOCK in $DONTBLOCK_LIST
    do
        # echo "Checking $DONTBLOCK against $ATTACKER_IP ..."
        if [ "$DONTBLOCK" = "$ATTACKER_IP" ]; then
            # echo "UHOH! Hacker using forged local IP! Don't block it!"
            FOUNDIT=1
        fi
    done
    if [ "$FOUNDIT" = "0" ]; then
        # echo "Hacker IP $ATTACKER_IP not found in don't block list... Dropping"
        iptables -A TREASON -s "$ATTACKER_IP/32" -j DROP
    fi
done
# Anything not matched above falls through to the rest of the INPUT chain
iptables -A TREASON -j RETURN
---cut---
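The two scripts above pick the peer address out of the dmesg line by fixed field position, which breaks as soon as dmesg prints a timestamp prefix, and they run iptables directly. The following is an added example (not part of the page's own scripts) of the same parse-and-block procedure done more robustly: it takes the token after "Peer" rather than field 5, checks each address against a never-block list the way the cron script does, and prints the resulting TREASON rules instead of applying them so they can be reviewed first. The dmesg lines and the local address list are constructed sample data; the functions treason_peers and treason_rules are this example's own names.

```shell
#!/bin/sh
# Added example: parse "Treason uncloaked!" lines and emit TREASON chain rules.

# Constructed sample of dmesg output. Three lines carry the "[seconds]" timestamp
# prefix that dmesg may print, one does not, so a fixed field position would fail.
TREASON_SAMPLE='[12345.678901] TCP: Treason uncloaked! Peer 192.0.2.10:41234/80 shrinks window 76154906:76154907. Repaired.
TCP: Treason uncloaked! Peer 192.0.2.10:41235/80 shrinks window 1:2. Repaired.
[12346.000000] TCP: Treason uncloaked! Peer 198.51.100.7:1024/443 shrinks window 10:11. Repaired.
[12347.000000] TCP: Treason uncloaked! Peer 203.0.113.5:2000/22 shrinks window 5:6. Repaired.
[12348.000000] eth0: link up'

# Constructed stand-in for the addresses the cron script collects from
# `route -n` and `ifconfig -a`; 203.0.113.5 plays the forged-local-IP case.
LOCAL_ADDRS='127.0.0.1
192.0.2.1
203.0.113.5'

# Read dmesg-style lines on stdin and print each distinct peer IPv4 address.
# The address is the token after "Peer", so a timestamp prefix does not
# shift it the way a fixed `cut -f5` would.
treason_peers() {
    awk '/Treason uncloaked!/ {
        for (i = 1; i < NF; i++)
            if ($i == "Peer") { split($(i + 1), a, ":"); print a[1] }
    }' | sort -u
}

# Read dmesg-style lines on stdin; $1 is a newline-separated list of addresses
# that must never be blocked. Prints one DROP rule per attacker instead of
# running iptables, so the result can be reviewed (or piped to sh to apply).
treason_rules() {
    local_list=$1
    treason_peers | while read -r ip; do
        if printf '%s\n' "$local_list" | grep -qxF "$ip"; then
            printf '# not blocking %s: matches a local/gateway address\n' "$ip"
            continue
        fi
        printf 'iptables -A TREASON -s %s/32 -j DROP\n' "$ip"
    done
}

# Demo on the constructed sample: two DROP rules plus one skipped address.
printf '%s\n' "$TREASON_SAMPLE" | treason_rules "$LOCAL_ADDRS"
```

To use it against the live kernel log, replace the printf of the sample with `dmesg | treason_rules "$DONTBLOCK_LIST"` and feed the output to sh after the TREASON chain has been flushed, keeping the trailing `iptables -A TREASON -j RETURN` from the cron script.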