(ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954 rev.4 - HP-UX TCP/IP Remote Denial of Service (DoS))

To: Security Alert <secure@xxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954 rev.4 - HP-UX TCP/IP Remote Denial of Service (DoS))
From: Fernando Gont <fernando@xxxxxxxxxxxxxx>
Date: Tue, 19 Jul 2005 19:09:33 -0300
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
In-reply-to: <20050719113523.30FBA423C@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050719113523.30FBA423C@xxxxxxxxxxxxxxxx>

At 08:35 a.m. 19/07/2005, Security Alert wrote:

 Discussion of ip_pmtu_strategy
 ----------------------------------

The default value for ip_pmtu_strategy is 1.  This allows for PMTU
discovery.  Once the issue of this Security Bulletin has been
resolved via patches the ip_pmtu_strategy value of 1 will again be
the preferred setting for most situations.

The ip_pmtu_strategy values of 0 and 3 set the PMTU to a fixed
size for destinations which are not on the local network.

The  ip_pmtu_strategy value of 0 sets the PMTU to 576 bytes.
Routers are required to handle packets of at least this size.

The ip_pmtu_strategy value of 3 sets the PMTU to 1500 bytes.  This
will generally result in more efficient transmission than the 576
byte PMTU.  If it is known that the routers  involved can handle a
1500 byte MTU the ip_pmtu_strategy value of 3 is preferred.

These assumptions are completely wrong. Please readhttp://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html

The IPv4 minimum MTU is 68, and not 576. If you blindly send packets largerthan 68 with the DF bit set, in the case there's an intermmediate with anMTU lower that 576, the connection will stall.

576 is the minimum reassembly buffer size. That is the minimum packet sizeevery *end-system* should be able to reassemble, and NOT the minimum packetsize that can get to destination without fragmentation.


Kindest regards,

--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx

Follow-Ups:
- Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954 rev.4
  - From: Darren Reed

References:
- HPSBUX01137 SSRT5954 rev.4 - HP-UX TCP/IP Remote Denial of Service (DoS)
  - From: Security Alert

Prev by Date: [Fwd: phpBB 2.0.17 released]
Next by Date: Trivial BGP attacks (ICMP-based blind throughput-reduction attack)
Previous by thread: HPSBUX01137 SSRT5954 rev.4 - HP-UX TCP/IP Remote Denial of Service (DoS)
Next by thread: Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954 rev.4
Index(es):
- Date
- Thread