Hi Michael, > On Sep 7, 2022, at 5:49 AM, Michael Grant <mgr...@grant.org> wrote: > > I'm seeing this error over and over in /var/log/messages: > > Sep 6 05:02:42 hostname kernel: [408794.655182] TCP: tcp_parse_options: > Illegal window scaling value 15 > 14 received > Sep 6 05:02:43 hostname kernel: [408794.830639] TCP: tcp_parse_options: > Illegal window scaling value 15 > 14 received > Sep 6 05:02:43 hostname kernel: [408794.960811] TCP: tcp_parse_options: > Illegal window scaling value 15 > 14 received > Sep 6 05:02:43 hostname kernel: [408795.180464] TCP: tcp_parse_options: > Illegal window scaling value 15 > 14 received > > I've not been able to find much about these messages by searching, > nothing useful is coming up. Is anyone else seeing something like > this?
This is consistent with RFC 7323, Section 2.3 [1], which states: "If a Window Scale option is received with a shift.cnt value larger than 14, the TCP SHOULD log the error but MUST use 14 instead of the specified value." > Is this some sort of attack? I am not sure. But the purpose of keeping the window scale below 15 is to "insure that new data is never mistakenly considered old and vice versa" [1]. In any case, it seems to me that 1) your kernel appears to be handling it properly (hence the logs) and 2) even if it weren't, it doesn't *seem* like a problem for the server as much as for the entity that wanted the data. Just my $0.02. Interestingly, I happen to have some software using different window scale values in its interactions with Internet servers. I just yesterday discovered a bug which was occasionally allowing 15 to be used as a window scale value, and I have corrected that. I don't know if my software was responsible for the log messages that Michael observed, but I have reached out off-list to investigate. Casey [1] https://www.rfc-editor.org/rfc/rfc7323.html
