
We get quite a few messages like these in our dmesg log on various servers:

TCP: Peer 0000:0000:0000:0000:0000:ffff:d431:5861:56369/80 unexpectedly shrunk window 2522304441:2522312601 (repaired)
TCP: Peer 192.162.164.1:33760/60908 unexpectedly shrunk window 3159965547:3159965552 (repaired)

I have been told that these are a denial of service attack on our infrastructure. If you can keep the TCP connection open indefinitely, you can tie up system resources and stop legitimate clients from being able to connect to your servers.

How could I actually identify whether these are actual DoS attacks or something a lot less harmful?

nelaaro

1 Answer


This normally occurs when a client decides to reduce its TCP window size, without the server expecting it. This can be the case when fragmentation is an issue, or when the client is using an embedded device with very little NIC buffer memory. This is a completely normal behaviour, and you're likely to see quite a few such packets in your log. The messages are informational only, and are used to debug networking issues.

I'd be worried if you saw hundreds of thousands of these packets, since there are attacks that involve packet fragmentation and small window sizes, but otherwise it's just the normal sort of noise you should expect to see on any internet-facing network. In fact, the "repaired" part of your message is showing that your network driver fixed the issue, which is usually done by concatenating the payloads of two fragmented packets together. Shouldn't be an issue at all.

Polynomial
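An added example (not from the question or the answer above) that turns the answer's advice into a check you can run: parse dmesg for these "unexpectedly shrunk window" lines, count them per client address, and flag only peers that exceed a threshold. The sample input is the two lines quoted in the question plus constructed lines for a made-up repeat client at 203.0.113.7 (a documentation address); the threshold of 3 is an assumption sized for the sample, not a real-world bar.

```python
import ipaddress
import re
import sys
from collections import Counter

# Message shape from the question's dmesg lines (kernel TCP debug output).
# The peer address may be plain IPv4 or an IPv4-mapped IPv6 address.
LINE_RE = re.compile(
    r"TCP: Peer (?P<peer>[0-9a-fA-F:.]+):(?P<pport>\d+)/(?P<lport>\d+) "
    r"unexpectedly shrunk window (?P<seq1>\d+):(?P<seq2>\d+) \(repaired\)"
)

# Constructed sample: the two lines from the question plus a made-up repeat
# client (203.0.113.7, a documentation address) to exercise the threshold logic.
SAMPLE_DMESG = """\
TCP: Peer 0000:0000:0000:0000:0000:ffff:d431:5861:56369/80 unexpectedly shrunk window 2522304441:2522312601 (repaired)
TCP: Peer 192.162.164.1:33760/60908 unexpectedly shrunk window 3159965547:3159965552 (repaired)
TCP: Peer 203.0.113.7:40001/80 unexpectedly shrunk window 100000:100010 (repaired)
TCP: Peer 203.0.113.7:40002/80 unexpectedly shrunk window 200000:200010 (repaired)
TCP: Peer 203.0.113.7:40003/80 unexpectedly shrunk window 300000:300010 (repaired)
TCP: Peer 203.0.113.7:40004/80 unexpectedly shrunk window 400000:400010 (repaired)
[12345.678] some unrelated kernel line
"""


def normalize_peer(addr: str) -> str:
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to dotted IPv4 so one client is counted once."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_events(text: str) -> list[dict]:
    """Return one record per 'shrunk window' line; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "peer": normalize_peer(m["peer"]),
            "peer_port": int(m["pport"]),
            "local_port": int(m["lport"]),
            # Difference of the two printed sequence numbers: data the server still
            # had outstanding when the peer's advertised window shrank below it.
            "outstanding": int(m["seq2"]) - int(m["seq1"]),
        })
    return events


def count_by_peer(events: list[dict]) -> Counter:
    """How many shrunk-window events each client address produced."""
    return Counter(e["peer"] for e in events)


def suspicious_peers(events: list[dict], threshold: int) -> list[tuple[str, int]]:
    """Peers at or above the threshold, most frequent first. A handful per client is
    normal noise; only a very large volume from few sources is worth investigating."""
    counts = count_by_peer(events)
    return sorted(
        ((peer, n) for peer, n in counts.items() if n >= threshold),
        key=lambda pn: (-pn[1], pn[0]),
    )


if __name__ == "__main__":
    # Reads real dmesg output when piped in; otherwise uses the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    evs = parse_events(text)
    print(f"{len(evs)} shrunk-window events from {len(count_by_peer(evs))} peers")
    # Threshold of 3 fits only the sample above; size it to your own traffic.
    for peer, n in suspicious_peers(evs, threshold=3):
        print(f"  {peer}: {n} events")
```

Run it as `dmesg | python3 shrunk_window.py` on a server; the IPv4-mapped address from the question normalizes to 212.49.88.97, so the same client counts once whether it appears in IPv4 or IPv6-mapped form. Two events from two different peers, as in the question, produce no flagged entry, which matches the answer's point that this is ordinary noise.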