From owner-freebsd-net@FreeBSD.ORG Sat Jan 14 23:17:01 2012
Message-ID: <4F108D05.2040201@gont.com.ar>
Date: Fri, 13 Jan 2012 16:59:01 -0300
From: Fernando Gont
To: Nikolay Denev
Cc: freebsd-net@freebsd.org, Andre Oppermann
References: <4F0FFDC9.1090503@freebsd.org> <897A1A91-61DB-4783-B38A-C77DBC54DD45@gmail.com>
In-Reply-To: <897A1A91-61DB-4783-B38A-C77DBC54DD45@gmail.com>
Subject: Re: ICMP attacks against TCP and PMTUD
List-Id: Networking and TCP/IP with FreeBSD

Hello, Nikolay,

On 01/13/2012 12:29 PM, Nikolay Denev wrote:
> I'm now looking again at the pcap and I'm a bit confused.
> First the possible attacker sends the ICMP need-frag packets with "MTU of next hop" set to zero,
> which in 2012 shouldn't be very common?

Not just uncommon, but actually not possible (*): the minimum IPv4 MTU is 68 bytes, so you should never see an advertised MTU smaller than that. Furthermore, as noted by Andre, the lowest *real* MTUs are >250 bytes.

(*) IIRC, an archaic specification of the "frag needed" messages didn't include the "Next-Hop MTU" field, which means that in *theory* (*not* in current practice) those messages could be legitimate.

> Then when my server sends a 66 byte FIN/ACK packet,
> the attacker continues to send need-frag ICMPs and the FreeBSD host sends again
> FIN/ACK packets.
> Later on he sends again ICMP need-frag packets, but with a size of about 1048 bytes,
> with a very large part of the original packet's payload, instead of the required several bytes;
> this then triggers excessive retransmits from the FreeBSD host, which generates a lot of traffic.
> The retransmits are roughly ~300-500 byte packets.

Can you post a packet trace (tcpdump's packet decode output), or send the trace or pcap files to me off-list, so that I can take a look and comment?

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
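The sanity check Fernando describes, written out as an added example (my code, not code from the thread or from FreeBSD): a receiver-side classifier for ICMPv4 "fragmentation needed" messages that rejects a Next-Hop MTU below the 68-byte IPv4 minimum, flags one below the ~250-byte floor of real links, treats a zero field as the archaic "no MTU field" case, and reports how much of the original datagram the message carries. The 576-byte bound on the whole ICMP datagram (RFC 1812) and the sample bytes are my own assumptions and constructions, not taken from the thread.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPV4_MIN_MTU = 68        # no IPv4 link may advertise an MTU below this
REAL_MTU_FLOOR = 250     # per the thread: real link MTUs are larger than this
MIN_EMBEDDED = 20 + 8    # original IPv4 header plus its first 8 bytes (TCP ports, seq)
MAX_ICMP_DGRAM = 576     # RFC 1812 bound on the whole ICMP datagram (outer IP header included)

# Constructed original datagram: a minimal IPv4 header followed by 8 bytes of TCP header.
SAMPLE_ORIG = bytes(20) + struct.pack("!HHI", 443, 51000, 0x01020304)


def build_frag_needed(next_hop_mtu: int, embedded: bytes) -> bytes:
    """Constructed test data: ICMPv4 type 3 / code 4 message carrying the given Next-Hop MTU.
    The checksum is left at zero; it plays no part in the classification below."""
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + embedded


def classify_frag_needed(icmp_msg: bytes, outer_ip_hdr_len: int = 20) -> dict:
    """Decide, as the receiving TCP host would, whether a frag-needed message deserves action.
    icmp_msg is the ICMP message without its outer IP header."""
    if len(icmp_msg) < 8:
        return {"verdict": "malformed", "reason": "ICMP header truncated"}
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp_msg[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return {"verdict": "ignore", "reason": "not a frag-needed message", "mtu": mtu}
    embedded_len = len(icmp_msg) - 8
    if embedded_len < MIN_EMBEDDED:
        return {"verdict": "malformed", "reason": "original IP header + 8 bytes missing", "mtu": mtu}
    info = {"mtu": mtu, "embedded_len": embedded_len,
            # Far more of the original payload than the spec allows (the ~1048-byte case).
            "oversized": outer_ip_hdr_len + len(icmp_msg) > MAX_ICMP_DGRAM}
    if mtu == 0:
        # Archaic senders omitted the field entirely, so it reads as zero: nothing to act on.
        info.update(verdict="ignore", reason="Next-Hop MTU absent (zero)")
    elif mtu < IPV4_MIN_MTU:
        info.update(verdict="drop", reason=f"advertised MTU {mtu} below IPv4 minimum {IPV4_MIN_MTU}")
    elif mtu < REAL_MTU_FLOOR:
        info.update(verdict="suspicious", reason=f"advertised MTU {mtu} below any real link MTU")
    else:
        info.update(verdict="plausible", reason="MTU within the range of real links")
    return info
```

A host that applies the "drop" and "ignore" verdicts never lowers its path MTU on the zero or sub-68 messages from the capture, and the "oversized" flag singles out the later ~1048-byte messages for closer inspection.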