Linux: TCP Treason uncloaked

By | November 22, 2010

If you see messages like the one below in the dmesg output, it means that someone is attacking your server, probably by sending fragmented packets.

TCP: Treason uncloaked! Peer 0.0.0.0:00000/80 shrinks window 76154906:76154907. Repaired.

This may be avoided by manually blocking the IP in iptables, or, if this is a DDoS attack, an automated script may be used. See below (use with caution).

Short script:

#!/bin/bash
# Pick the address that follows the word "Peer" in every "Treason uncloaked!" line,
# strip the ":port/port" suffix, and block each unique address in the INPUT chain.
# Matching on the "Peer" token instead of a fixed field number keeps this working
# when dmesg prefixes lines with a "[ timestamp ]".
for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | awk '{ for (i = 1; i < NF; i++) if ($i == "Peer") { split($(i + 1), a, ":"); print a[1] } }' | sort -u)
do
    iptables -A INPUT -s "$ATTACKER_IP" -j DROP
done

Complex script:

---cut---
# Create an empty TREASON chain once, as part of the normal firewall setup
iptables -F TREASON
iptables -X TREASON
iptables -N TREASON

... (the rest of your rules)

# Jump into the TREASON chain from INPUT; insert this before the
# ESTABLISHED/RELATED state rule and the other accept lines
iptables -I INPUT -j TREASON

---cut---

Then, the script below should be run from a cronjob (at whatever interval you feel fits).

---cut---
#!/bin/bash

# Stupid shell script to stop stupid TCP Treason attacks
# Setup cronjob to stop them

# First, flush the Treason rules. The chain itself is created once in the
# firewall setup, so it is only emptied here, not deleted and recreated.
iptables -F TREASON
#iptables -X TREASON
#iptables -N TREASON

# Build the list of addresses that must never be blocked: every gateway from
# the routing table plus every IPv4 address on a local interface. The parsing
# assumes the net-tools output format of route/ifconfig ("inet addr:x.x.x.x").
DONTBLOCK_LIST=$( (route -n | grep -v Destination | grep -v Kernel | awk '{print $2}'; ifconfig -a | grep 'inet addr' | cut -f 2 -d ':' | cut -f 1 -d ' ') | sort | uniq)

# Extract the peer address that follows "Peer" in each Treason line and drop the ":port/port" suffix
for ATTACKER_IP in $(dmesg | grep 'Treason uncloaked!' | awk '{ for (i = 1; i < NF; i++) if ($i == "Peer") { split($(i + 1), a, ":"); print a[1] } }' | sort -u)
do

    FOUNDIT=0

    for DONTBLOCK in $DONTBLOCK_LIST
    do
        # echo "Checking $DONTBLOCK against $ATTACKER_IP ..."
        if [ "$DONTBLOCK" = "$ATTACKER_IP" ]; then
            # echo "UHOH! Hacker using forged local IP! Don't block it!"
            FOUNDIT=1
        fi
    done

    if [ "$FOUNDIT" = "0" ]; then
        # echo "Hacker IP $ATTACKER_IP not found in don't block list... Dropping"
        iptables -A TREASON -s "$ATTACKER_IP/32" -j DROP
    fi
done
iptables -A TREASON -j RETURN

---cut---
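The two scripts above share the same core steps: parse the kernel log for the peer address, de-duplicate it, refuse to block anything that is a local or gateway address, and build the TREASON chain. The following is an added example, not code from the original post, that runs those steps as a dry run against a constructed dmesg sample (the IPs, the timestamps and the LOCAL_IPS list are made up) and prints the iptables commands instead of executing them, so the parsing and the local-address guard can be checked before the script is ever put in cron.

```shell
#!/bin/sh
# Added example (not from the original post): extract "Treason uncloaked!" peers,
# skip addresses belonging to this host, and print the iptables commands that
# the cron job would run (dry run, nothing is changed on the firewall).

# Constructed kernel log sample. Some lines carry the "[ timestamp ]" prefix
# that shifts field numbers, which is why the parser keys on the "Peer" token.
SAMPLE_DMESG='[ 1234.567890] TCP: Treason uncloaked! Peer 198.51.100.7:51234/80 shrinks window 76154906:76154907. Repaired.
TCP: Treason uncloaked! Peer 203.0.113.9:44321/80 shrinks window 10:11. Repaired.
[ 1235.000000] TCP: Treason uncloaked! Peer 198.51.100.7:51235/80 shrinks window 1:2. Repaired.
TCP: Treason uncloaked! Peer 192.0.2.1:22/22 shrinks window 1:2. Repaired.
[ 1236.000000] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# Constructed "never block" list standing in for the route/ifconfig output of
# the cron script: loopback, this host's own address and the 0.0.0.0 gateway entry.
LOCAL_IPS='127.0.0.1
192.0.2.1
0.0.0.0'

# treason_peers: read kernel log text on stdin, print each unique peer IP once.
treason_peers() {
    awk '/TCP: Treason uncloaked!/ {
        for (i = 1; i < NF; i++) if ($i == "Peer") {
            split($(i + 1), a, ":"); print a[1]
        }
    }' | sort -u
}

# is_local IP: succeed when IP appears verbatim in LOCAL_IPS.
is_local() {
    printf '%s\n' "$LOCAL_IPS" | grep -qxF "$1"
}

# treason_rules: read kernel log text on stdin, print the commands the cron job
# would run. A peer that matches a local address is reported, not blocked, since
# a spoofed local source would otherwise let the script firewall the host itself.
treason_rules() {
    echo 'iptables -F TREASON'
    treason_peers | while read -r ip; do
        if is_local "$ip"; then
            echo "# skipping $ip: local address (forged source?)"
        else
            echo "iptables -A TREASON -s $ip/32 -j DROP"
        fi
    done
    echo 'iptables -A TREASON -j RETURN'
}

# Dry run over the constructed sample; replace with "dmesg | treason_rules | sh"
# only after the output has been reviewed.
printf '%s\n' "$SAMPLE_DMESG" | treason_rules
```

With the sample above the dry run emits DROP rules for 198.51.100.7 and 203.0.113.9 only; 192.0.2.1 is reported as skipped because it is in the local list, and the repeated 198.51.100.7 line produces a single rule. Swapping the constructed LOCAL_IPS for the real route/ifconfig output turns this into the cron script's logic with a reviewable output stage in front of it.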