[21444] in bugtraq
RE: Small TCP packets == very large overhead == DoS?
daemon@ATHENA.MIT.EDU (Franck Martin)
Tue Jul 10 11:05:26 2001
From: Franck Martin <franck@sopac.org>
To: bugtraq@securityfocus.com
Content-Type: text/plain
Date: 10 Jul 2001 18:32:45 +1200
Mime-Version: 1.0
Message-Id: <20010710062954.DB14F23490@sopacsun.sopac.org.fj>
Please note that about 5% of the machines out there do not understand an
MTU different from 1500, because some firewalls block all ICMP packets
instead of sending back the ICMP packet with the recommended MTU.
Let me explain further.
You have a client machine A, a router A with MTU 576, another router B,
a firewall B and a web server B with MTU 1500 and MTU discovery.
You request a page from server B; server B sends the packet with more than
576 bytes and the Don't Fragment flag. Router A drops the packet and sends
an ICMP packet back to server B with the MTU required to pass
router A. Firewall B drops the ICMP packet. Server B does not learn
that its packet never arrived.
The same is true if router A drops the packet and doesn't send an ICMP: we
have a black-hole router.
Do not filter all ICMP packets!
In NT you can enable black-hole router discovery (cf. below).
Cheers.
On 09 Jul 2001 08:49:37 -0700, David LeBlanc wrote:
> ============================================================
> EnablePMTUDiscovery REG_DWORD 0 | 1
>
> Default: 1
>
> Determines whether TCP uses a fixed, default maximum transmission unit
> (MTU) or attempts to detect the actual MTU.
>
> Value   Meaning
> 0       TCP uses an MTU of 576 bytes for all connections to computers
>         outside the local subnet.
> 1       TCP attempts to discover the MTU of the path to a remote host.
>
> By discovering the Path MTU and limiting TCP segments to this size,
> TCP can eliminate fragmentation at routers along the path that connects
> networks with different MTUs. Fragmentation reduces TCP throughput and
> increases network congestion.
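The exchange described in the message above, as an added simulation (editor's example, not code from the post or from any TCP stack): server B sends 1500-byte datagrams with DF set through firewall B, router B and router A (MTU 576). With ICMP allowed the sender learns the 576-byte path MTU from the Fragmentation Needed message and gets through on the second try; with firewall B filtering ICMP, or router A dropping silently, the retransmissions disappear into a black hole. The hop names follow the message; the MTU values, the three-retransmission threshold and the fallback to 576 bytes with DF clear are assumptions for illustration, loosely modelled on the black-hole detection the message refers to, not an implementation of it.

```python
"""Simulation of TCP Path MTU Discovery (RFC 1191) and the black hole that
appears when ICMP "Fragmentation Needed" never reaches the sender.
Added example, not code from the original post; MTU values, retry
threshold and the 576-byte/DF-clear fallback are assumptions."""
from dataclasses import dataclass


@dataclass
class Packet:
    size: int   # total IP datagram length in bytes
    df: bool    # Don't Fragment flag


@dataclass
class IcmpFragNeeded:
    next_hop_mtu: int   # MTU of the hop that dropped the packet (RFC 1191)


class Hop:
    """A router or firewall on the path from server B towards client A."""

    def __init__(self, mtu, send_icmp=True, drop_icmp=False):
        self.mtu = mtu
        self.send_icmp = send_icmp   # False: silent black-hole router
        self.drop_icmp = drop_icmp   # True: firewall filtering all ICMP

    def forward(self, pkt):
        """Return (forwarded packet or None, ICMP to send back or None)."""
        if pkt.size <= self.mtu:
            return pkt, None
        if not pkt.df:
            # DF clear: router fragments; modelled as shrinking the datagram
            return Packet(self.mtu, False), None
        if self.send_icmp:
            return None, IcmpFragNeeded(self.mtu)
        return None, None   # dropped without any notification


class Path:
    def __init__(self, hops):
        self.hops = hops   # ordered from the server outwards

    def send(self, pkt):
        """Return (delivered, icmp_received_by_sender)."""
        for i, hop in enumerate(self.hops):
            pkt, icmp = hop.forward(pkt)
            if pkt is not None:
                continue
            if icmp is None:
                return False, None
            # The ICMP reply travels back through the hops already traversed;
            # any hop that filters ICMP swallows it.
            if any(h.drop_icmp for h in self.hops[:i]):
                return False, None
            return False, icmp
        return True, None


class Sender:
    """Server B's TCP: sends full-sized segments with DF set."""

    def __init__(self, path, mtu=1500, bh_detect=False, max_retries=3):
        self.path = path
        self.pmtu = mtu
        self.bh_detect = bh_detect
        self.max_retries = max_retries   # assumed threshold
        self.attempts = []               # (size, df, delivered) per transmission

    def send_segment(self):
        """Deliver one segment; return its size, or None if the connection stalls."""
        retries, df = 0, True
        while True:
            pkt = Packet(self.pmtu, df)
            delivered, icmp = self.path.send(pkt)
            self.attempts.append((pkt.size, pkt.df, delivered))
            if delivered:
                return pkt.size
            if icmp is not None:          # normal PMTUD: learn the MTU, retry
                self.pmtu = icmp.next_hop_mtu
                retries = 0
                continue
            retries += 1
            if retries < self.max_retries:
                continue                  # plain retransmission, same size
            if not self.bh_detect:
                return None               # black hole: the connection stalls
            # Black-hole detection (assumed behaviour): give up on PMTUD,
            # retransmit at the 576-byte minimum with DF clear.
            self.pmtu, df, retries = 576, False, 0


def scenario(firewall_drops_icmp, router_a_sends_icmp=True, bh_detect=False):
    """Build the path from the message; return (delivered size, attempts)."""
    hops = [
        Hop(1500, drop_icmp=firewall_drops_icmp),   # firewall B
        Hop(1500),                                  # router B
        Hop(576, send_icmp=router_a_sends_icmp),    # router A
    ]
    sender = Sender(Path(hops), bh_detect=bh_detect)
    return sender.send_segment(), sender.attempts
```

`scenario(False)` delivers 576 bytes on the second attempt; `scenario(True)` (firewall B filters ICMP) and `scenario(False, router_a_sends_icmp=False)` (silent router A) stall after three identical 1500-byte retransmissions; `scenario(True, bh_detect=True)` recovers on the fourth attempt with DF clear. The practical check on a real firewall is that ICMP type 3 code 4 (and ICMPv6 Packet Too Big) is permitted inbound rather than dropping ICMP wholesale.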