

Block treason uncloaked attack

One often sees the following messages in the kernel ring buffer. Some say they are harmless and just ignore them, but in my experience this is an attack which can cause a service outage. The exploit is often run with a spoofed IP, initiating a SYN connection with a 0 window size. Then my machine tries to reply to the bogus request. When the volume is significant, my machine becomes unavailable.

sample error messages
TCP: Treason uncloaked! Peer 117.79.83.112:4638/8080 shrinks window 3207520931:3207522811. Repaired.
TCP: Treason uncloaked! Peer 218.14.17.182:4771/8080 shrinks window 2946511037:2946513358. Repaired.
TCP: Treason uncloaked! Peer 218.14.17.182:4771/8080 shrinks window 2946511037:2946513358. Repaired.
TCP: Treason uncloaked! Peer 218.14.17.182:4771/8080 shrinks window 2946511037:2946513358. Repaired.


Script to prevent that using iptables
The logic is simple: look for "Treason uncloaked" in dmesg and add the peer IP to iptables.

block-treason.sh
#!/bin/bash
# Script to be run by crontab to scan for bad treason IPs
# and add them to iptables. sqlite is used for storing these
# IPs to prevent duplicates.

# sqlite backend
# table spec
# create table badips (addedtime datetime, ip varchar(15) constraint u_ip unique);
DB="/somewhere/treason.db"

# obtain list of treason IPs from dmesg: take the address that follows "Peer "
# (column positions shift when dmesg prints timestamps, so do not rely on awk fields)
for i in $(dmesg | grep "Treason uncloaked" | sed -n 's/.*Peer \([0-9.]*\):.*/\1/p' | sort -u); do
    # only accept a dotted-quad address before using it in SQL and iptables
    echo "$i" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || continue
    # "or ignore" lets the unique constraint drop duplicates silently instead of printing an error
    sqlite3 "$DB" "insert or ignore into badips values (datetime('now'), '$i');"
done

# show current list of IPs in sqlite
# sqlite3 "$DB" "select distinct ip from badips;"

# flush existing TREASON chain and add default rules
iptables -F TREASON
iptables -A TREASON -s 172.0.0.0/8 -j ACCEPT # source IP I do not want to block

# add bad IPs to TREASON chain
for i in $(sqlite3 "$DB" "select distinct ip from badips;"); do
    iptables -A TREASON -s "$i" -j DROP
done

# commit rules to iptables
service iptables save


As you can see from the above, there are a couple of prerequisites for this script: an SQLite database and an iptables chain called "TREASON". The following will create them (the sqlite3 command creates treason.db in the current directory, so either run it at the path set in DB or adjust DB to match):

iptables -N TREASON
iptables -I INPUT 1 -j TREASON
sqlite3 treason.db "create table badips (addedtime datetime, ip varchar(15) constraint u_ip unique);"
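The script above blocks every peer that appears in dmesg at least once, while the text says the problem only starts "when the volume is significant". The following added example (not code from the original page) parses the "Treason uncloaked" lines into their fields, counts messages per peer, applies an allow-list like the script's 172.0.0.0/8 ACCEPT rule, and renders the DROP rules as strings for review instead of executing them. The sample lines, the threshold and the optional dmesg timestamp prefix are assumptions made for the example; the message format itself is the one shown on this page.

```python
"""Parse and threshold "Treason uncloaked" kernel messages (added example)."""
import ipaddress
import re
from collections import Counter

# Message format as printed by the kernel; an optional "[seconds] " dmesg
# timestamp is tolerated so the parser works whether or not dmesg prints one.
TREASON_RE = re.compile(
    r"(?:\[\s*[\d.]+\]\s*)?"                   # optional dmesg timestamp (assumed)
    r"TCP: Treason uncloaked! Peer "
    r"(?P<ip>[\d.]+):(?P<peer_port>\d+)/(?P<local_port>\d+) "
    r"shrinks window (?P<win_lo>\d+):(?P<win_hi>\d+)\. Repaired\."
)

# Constructed sample of ring-buffer output (illustrative, not captured data).
SAMPLE_DMESG = """\
[ 1203.114455] TCP: Treason uncloaked! Peer 117.79.83.112:4638/8080 shrinks window 3207520931:3207522811. Repaired.
TCP: Treason uncloaked! Peer 218.14.17.182:4771/8080 shrinks window 2946511037:2946513358. Repaired.
TCP: Treason uncloaked! Peer 218.14.17.182:4771/8080 shrinks window 2946511037:2946513358. Repaired.
TCP: Treason uncloaked! Peer 218.14.17.182:4771/8080 shrinks window 2946511037:2946513358. Repaired.
TCP: Treason uncloaked! Peer 172.16.5.9:50112/8080 shrinks window 10000:12000. Repaired.
TCP: Treason uncloaked! Peer 172.16.5.9:50112/8080 shrinks window 10000:12000. Repaired.
eth0: link up, 1000Mbps, full-duplex
"""

# Networks never to block, mirroring the ACCEPT rule in the page's script.
ALLOW_NETS = [ipaddress.ip_network("172.0.0.0/8")]


def parse_events(text):
    """Return one dict per matching line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = TREASON_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # malformed address: never hand it to iptables
            continue
        events.append({
            "ip": str(ip),
            "peer_port": int(m.group("peer_port")),
            "local_port": int(m.group("local_port")),
            "win_lo": int(m.group("win_lo")),
            "win_hi": int(m.group("win_hi")),
        })
    return events


def count_by_peer(events):
    """Number of messages seen per peer IP."""
    return Counter(e["ip"] for e in events)


def is_allowed(ip):
    """True when ip lies inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_NETS)


def peers_to_block(events, threshold):
    """Sorted peers with at least `threshold` messages that are not allow-listed."""
    counts = count_by_peer(events)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not is_allowed(ip))


def iptables_rules(ips, chain="TREASON"):
    """Render DROP rules as strings for review; nothing is executed here."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_DMESG)
    print(count_by_peer(evs))
    for rule in iptables_rules(peers_to_block(evs, threshold=2)):
        print(rule)
```

With the sample input and a threshold of 2, only 218.14.17.182 is reported: 117.79.83.112 appears once and 172.16.5.9 is allow-listed. Running the parser over the real `dmesg` output and feeding the result to the TREASON chain is the same step the script's first loop performs, with the threshold deciding how much noise a single stray message is allowed to cause.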
