[18729] in bugtraq


Re: ICMP fragmentation required but DF set problems.

daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Mon Jan 22 19:11:16 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <20010121163328.10E.0@bobanek.nowhere.cz>
Date:         Sun, 21 Jan 2001 16:40:53 +0100
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010115071548.B28402@palla>

On Mon, 15 Jan 2001, antirez wrote:

>   It's possible to slow down (a lot) connections between two
>   arbitrary hosts (but at least one with the PMTU discovery enabled)
>   using some spoofed TCP/IP packets. Maybe you can do more
>   against some TCP/IP stack.
...
>   There isn't a clear solution.

PMTU discovery is used by TCP (primarily if not exclusively). Isn't it
possible to 1. check TCP sequence numbers in ICMP frag. needed messages
generated as a response to a TCP datagram (in the same way they should be
checked on any ICMP dest. unreachable to prevent a trivial DoS),
2. disregard any other ICMP frag. needed message?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
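
The check proposed in this message, sketched in C as an added example; it is
not part of the original post and not taken from any TCP/IP stack. struct conn,
the function names and the sample addresses, ports and sequence numbers are
assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-connection state: 4-tuple plus the in-flight sequence window. */
struct conn { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t snd_una, snd_nxt; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* icmp points at an ICMP message: 8-byte header (type, code, checksum, unused,
   next-hop MTU) followed by the quoted IP header and 8 bytes of its payload.
   The ICMP checksum is assumed to be verified by the caller.
   Returns the next-hop MTU to apply, or 0 if the message is to be disregarded. */
unsigned accept_frag_needed(const struct conn *c, const uint8_t *icmp, size_t len)
{
    if (len < 8 + 20 + 8) return 0;
    if (icmp[0] != 3 || icmp[1] != 4) return 0;      /* dest. unreachable / frag. needed */
    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    if (ip[9] != 6) return 0;                        /* point 2: not TCP, disregard */
    if (rd32(ip + 12) != c->saddr || rd32(ip + 16) != c->daddr) return 0;
    const uint8_t *tcp = ip + ihl;
    if (rd16(tcp) != c->sport || rd16(tcp + 2) != c->dport) return 0;
    /* point 1: quoted sequence number must be in flight,
       snd_una <= seq < snd_nxt, compared modulo 2^32 */
    uint32_t seq = rd32(tcp + 4);
    if ((uint32_t)(seq - c->snd_una) >= (uint32_t)(c->snd_nxt - c->snd_una)) return 0;
    return rd16(icmp + 6);
}

/* Constructed sample: a frag. needed message (next-hop MTU 1400) quoting a
   segment of a sample connection whose in-flight window is [1000, 3000). */
unsigned demo(uint32_t seq, uint8_t proto)
{
    struct conn c = { 0xC0000201, 0xC6336407, 40000, 80, 1000, 3000 };
    uint8_t m[36] = { 3, 4, 0, 0, 0, 0, 0x05, 0x78 };   /* 0x0578 = 1400 */
    uint8_t *ip = m + 8, *tcp = ip + 20;
    ip[0] = 0x45; ip[9] = proto;
    wr32(ip + 12, c.saddr); wr32(ip + 16, c.daddr);
    tcp[0] = 0x9C; tcp[1] = 0x40; tcp[2] = 0; tcp[3] = 80;  /* ports 40000 -> 80 */
    wr32(tcp + 4, seq);
    return accept_frag_needed(&c, m, sizeof m);
}

int main(void) { printf("%u %u %u\n", demo(1500, 6), demo(999, 6), demo(1500, 17)); return 0; }
```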
