From owner-freebsd-security Thu Mar 22 9:31: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from unity.agava.ru (unity.agava.ru [213.59.3.227]) by hub.freebsd.org (Postfix) with ESMTP id 9C16237B71F for ; Thu, 22 Mar 2001 09:30:57 -0800 (PST) (envelope-from m_ilya@agava.com)
Received: from relay2.agava.net.ru (unknown [193.125.142.2]) by unity.agava.ru (Postfix) with ESMTP id 9A1DC27E999; Thu, 22 Mar 2001 20:30:55 +0300 (MSK)
Received: from gw.office.agava.ru (2.oivt.mipt.ru [193.125.142.2]) by relay2.agava.net.ru (Postfix) with ESMTP id BB54943822; Thu, 22 Mar 2001 20:30:19 +0300 (MSK)
Received: from juil.domain (juil.domain [192.168.1.50]) by gw.office.agava.ru (Postfix) with ESMTP id 6D8CA5EC9; Thu, 22 Mar 2001 20:30:19 +0300 (MSK)
Received: by juil.domain (Postfix, from userid 1001) id 2C0BD314; Thu, 22 Mar 2001 20:29:44 +0300 (MSK)
To: Chris Byrnes
Cc: ostap ,
Subject: Re: DoS attack - advice needed
References:
From: Ilya Martynov
Date: 22 Mar 2001 20:29:43 +0300
In-Reply-To:
Message-ID: <86wv9hpv94.fsf@juil.domain>
Lines: 29
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "CB" == Chris Byrnes writes:

CB> And, while we're on the subject, who needs ICMP? I haven't
CB> found a valid use for it.

ping uses type 0 and 8
traceroute uses 11
type 3 is required for TCP/UDP traffic

Here is a quote from the Linux IPCHAINS-HOWTO that describes why you should not block type 3 (destination-unreachable):

    A worse problem is the role of ICMP packets in MTU discovery. All good
    TCP implementations (Linux included) use MTU discovery to try to figure
    out what the largest packet that can get to a destination without being
    fragmented (fragmentation slows performance, especially when occasional
    fragments are lost).

    MTU discovery works by sending packets with the "Don't Fragment" bit
    set, and then sending smaller packets if it gets an ICMP packet
    indicating "Fragmentation needed but DF set" (`fragmentation-needed').
    This is a type of `destination-unreachable' packet, and if it is never
    received, the local host will not reduce MTU, and performance will be
    abysmal or non-existent.

-- 
Ilya Martynov
AGAVA Software Company, http://www.agava.com
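The policy in the reply (keep ICMP types 0, 3, 8 and 11, filter the rest) and the PMTU point it cites, as an added illustration that is not part of the thread: it parses a raw ICMP message, checks the RFC 1071 checksum, decides allow/filter per the four listed types, and for a "fragmentation needed" message (type 3, code 4) extracts the next-hop MTU that RFC 1191 places in the header's last two bytes. The sample message is constructed in the code, not a capture; `build_icmp` and the field names are this example's own.

```python
import struct

# Policy from the reply above: the ICMP types a host still needs when
# everything else is filtered. Type 3 carries "fragmentation needed but DF
# set" (code 4), which Path MTU discovery depends on; 11 is what traceroute
# listens for; 0/8 are ping.
ALLOWED_ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
                      8: "echo-request", 11: "time-exceeded"}
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4  # code within type 3

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means the message verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Parse the 8-byte ICMP header and apply the allow-list. For a
    fragmentation-needed message also return the next-hop MTU (RFC 1191:
    low 16 bits of the second header word)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": itype, "code": code,
            "allowed": itype in ALLOWED_ICMP_TYPES,
            "name": ALLOWED_ICMP_TYPES.get(itype, "filtered")}
    if itype == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        info["next_hop_mtu"] = rest & 0xFFFF
    return info

def build_icmp(itype: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Constructed sample message with a valid checksum (test data, not a capture)."""
    hdr = struct.pack("!BBHI", itype, code, 0, rest) + payload
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]

if __name__ == "__main__":
    # Router telling us the path MTU is 1400; payload mimics the quoted IP
    # header + 8 bytes that a real type 3 message carries.
    print(parse_icmp(build_icmp(3, 4, 1400, b"\x45\x00" * 14)))
```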