{ "id": "networking/tcp-challenge-ack-storm", "signature": "TCP: challenge ACK storm detected on port 443 from 10.0.0.2", "signature_zh": "TCP: 从 10.0.0.2 端口 443 检测到挑战 ACK 风暴", "regex": "TCP: challenge ACK storm detected on port \\d+ from \\d+\\.\\d+\\.\\d+\\.\\d+", "domain": "networking", "category": "protocol_error", "subcategory": null, "root_cause": "A TCP challenge ACK storm occurs when a host receives a flood of out-of-window segments, triggering repeated challenge ACK responses that can overwhelm the sender and degrade network performance.", "root_cause_type": "generic", "root_cause_zh": "TCP 挑战 ACK 风暴发生在主机收到大量窗口外段时,触发重复的挑战 ACK 响应,可能淹没发送方并降低网络性能。", "versions": [ { "version": "Linux kernel 5.15+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Linux kernel 6.1+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Linux kernel 6.8+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "完全禁用 TCP 挑战 ACK(通过 sysctl net.ipv4.tcp_challenge_ack_limit = 0)会禁用合法安全机制,可能导致盲窗口内攻击。", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "", "why_fails": "重启应用程序或服务器无法解决窗口外段的根本原因,如数据包重排序或非对称路由。", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "", "why_fails": "将挑战 ACK 限制设置过高(例如 net.ipv4.tcp_challenge_ack_limit = 1000000)可能掩盖症状,但无法修复根本原因,并可能延迟网络问题的检测。", "fail_rate": 0.7, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Temporarily increase the challenge ACK limit to reduce storm impact: sysctl -w net.ipv4.tcp_challenge_ack_limit=1000", "success_rate": 0.8, "how": "Temporarily increase the challenge ACK limit to reduce storm impact: sysctl -w net.ipv4.tcp_challenge_ack_limit=1000", "condition": "", "sources": [] }, { "action": "Identify and fix the source of out-of-window segments by checking for asymmetric routing or packet reordering using tcpdump: tcpdump -i eth0 'tcp and port 443' -w capture.pcap, then analyze with Wireshark.", "success_rate": 0.85, "how": "Identify and fix the source of out-of-window segments by checking for asymmetric routing or packet reordering using tcpdump: tcpdump -i eth0 'tcp and port 443' -w capture.pcap, then analyze with Wireshark.", "condition": "", "sources": [] }, { "action": "Apply a rate limit on challenge ACKs using iptables to mitigate the storm: iptables -A INPUT -p tcp --dport 443 -m limit --limit 100/s -j ACCEPT", "success_rate": 0.75, "how": "Apply a rate limit on challenge ACKs using iptables to mitigate the storm: iptables -A INPUT -p tcp --dport 443 -m limit --limit 100/s -j ACCEPT", "condition": "", "sources": [] } ], "workarounds_zh": [ "Temporarily increase the challenge ACK limit to reduce storm impact: sysctl -w net.ipv4.tcp_challenge_ack_limit=1000", "Identify and fix the source of out-of-window segments by checking for asymmetric routing or packet reordering using tcpdump: tcpdump -i eth0 'tcp and port 443' -w capture.pcap, then analyze with Wireshark.", "Apply a rate limit on challenge ACKs using iptables to mitigate the storm: iptables -A INPUT -p tcp --dport 443 -m limit --limit 100/s -j ACCEPT" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://www.kernel.org/doc/html/latest/networking/tcp-challenge-ack.html", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.85, "fix_success_rate": 0.8, "resolvable": "partial", "first_seen": "2024-03-15", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }