ICMP attacks against TCP and PMTUD
Fernando Gont
fernando at gont.com.ar
Sat Jan 14 23:17:01 UTC 2012
Hello, Nikolay,
On 01/13/2012 12:29 PM, Nikolay Denev wrote:
> I'm now looking again at the pcap and I'm a bit confused.
> First the possible attacker sends the ICMP need-frag packets with "MTU of next hop" set to zero,
> which in 2012 shouldn't be very common?
Not just uncommon, but actually not possible (*): the minimum IPv4 MTU
is 68 bytes, so you should never see an advertised MTU smaller than
that. Furthermore, as noted by Andre, the lowest *real* MTUs are >250 bytes.
(*) IIRC, an archaic specification of the "frag needed" messages didn't
include the "Next-Hop MTU" field, which means that in *theory* (*not* in
current practice) those messages could be legitimate.
> Then when my server sends a 66-byte FIN/ACK packet,
> the attacker continues to send need-frag ICMPs and the FreeBSD host sends again
> FIN/ACK packets.
> Later on he sends again ICMP need-frag packets, but with a size of about 1048 bytes,
> with a very large part of the original packet's payload, instead of the required several bytes,
> this then triggers excessive retransmits from the FreeBSD host which generates a lot of traffic.
> The retransmits are roughly ~300-500 byte packets.
Can you post a packet trace (tcpdump's packet decode output), or send
the trace or pcap files to me off-list, so that I can take a look and
comment?
Thanks!
Best regards,
--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
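A receiver-side sanity check for the conditions Fernando states above (an advertised Next-Hop MTU below 68 cannot be legitimate, and one below ~250 matches no real link), combined with the usual check that the quoted TCP segment belongs to outstanding data of the connection. This is an added example, not code from the thread or from FreeBSD; the packet bytes are constructed, and snd_una/snd_nxt are assumed to come from the local TCP stack.

```python
import struct

IPV4_MIN_MTU = 68      # RFC 791: every host must accept a 68-byte datagram
LOWEST_REAL_MTU = 256  # the thread notes that real link MTUs are > 250 bytes

def build_frag_needed(next_hop_mtu, seq, quoted_payload=0):
    """Constructed sample: ICMP type 3 / code 4 quoting a minimal IPv4 + TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + quoted_payload, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))
    tcp = struct.pack("!HHIIBBHHH", 443, 51515, seq, 0, 5 << 4, 0x11, 0, 0, 0)  # FIN/ACK
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + ip + tcp + b"\0" * quoted_payload

def seq_in_window(seq, snd_una, snd_nxt):
    """True if seq lies in [snd_una, snd_nxt), i.e. in data the peer has not yet acked."""
    return (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32

def check_frag_needed(icmp, snd_una, snd_nxt):
    """Inspect a frag-needed message; 'reasons' lists why it should be ignored (empty = plausible).
    snd_una/snd_nxt (assumed to be supplied by the TCP stack) bound the connection's in-flight data."""
    result = {"mtu": None, "seq": None, "quoted_bytes": 0, "reasons": []}
    if len(icmp) < 8 + 20 + 8:
        result["reasons"].append("truncated: need ICMP header, IP header and 8 transport bytes")
        return result
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (3, 4):
        result["reasons"].append("not a fragmentation-needed message")
        return result
    result["mtu"] = mtu
    if mtu < IPV4_MIN_MTU:
        result["reasons"].append(f"next-hop MTU {mtu} is below the IPv4 minimum of {IPV4_MIN_MTU}")
    elif mtu < LOWEST_REAL_MTU:
        result["reasons"].append(f"next-hop MTU {mtu} is smaller than any real link MTU")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:
        result["reasons"].append("quoted datagram is not TCP or too short")
        return result
    result["quoted_bytes"] = len(inner) - ihl   # only 8 bytes of the segment are required
    seq = struct.unpack("!I", inner[ihl + 4:ihl + 8])[0]
    result["seq"] = seq
    if not seq_in_window(seq, snd_una, snd_nxt):
        result["reasons"].append(f"quoted seq {seq} matches no outstanding data of the connection")
    return result

if __name__ == "__main__":
    # MTU 0 as seen in the trace: rejected before any connection state is consulted
    print(check_frag_needed(build_frag_needed(0, 1000), 1000, 1066)["reasons"])
```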