Date: Fri, 13 Jan 2012 16:59:01 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: Nikolay Denev <ndenev@gmail.com>
Cc: freebsd-net@freebsd.org, Andre Oppermann <andre@freebsd.org>
Subject: Re: ICMP attacks against TCP and PMTUD
Message-ID: <4F108D05.2040201@gont.com.ar>
In-Reply-To: <897A1A91-61DB-4783-B38A-C77DBC54DD45@gmail.com>
References: <EE6495BD-38D0-4EBE-9A94-7C40DC69F820@gmail.com> <4F0FFDC9.1090503@freebsd.org> <897A1A91-61DB-4783-B38A-C77DBC54DD45@gmail.com>
Hello, Nikolay,

On 01/13/2012 12:29 PM, Nikolay Denev wrote:
> I'm now looking again at the pcap and I'm a bit confused.
> First the possible attacker sends the ICMP need-frag packets with "MTU of next hop" set to zero,
> which in 2012 shouldn't be very common?

Not just uncommon, but actually not possible (*): the minimum IPv4 MTU is 68 bytes, so you should never see an advertised MTU smaller than that. Furthermore, as noted by Andre, the lowest *real* MTUs are >250 bytes.

(*) IIRC, an archaic specification of the "frag needed" messages didn't include the "Next-Hop MTU" field, which means that in *theory* (*not* in current practice) those messages could be legitimate.

> Then when my server sends 66 byte FIN/ACK packet,
> the attacker continues to send need-frag ICMPs and the FreeBSD host sends again
> FIN/ACK packets.
> Later on he sends again ICMP need-frag packets, but with size of about 1048 bytes,
> with very large part of the original packet's payload, instead of the required several bytes,
> this then triggers excessive retransmits from the FreeBSD host which generates a lot of traffic.
> The retransmits are roughly ~300-500 byte packets.

Can you post a packet trace (tcpdump's packet decode output), or send the trace or pcap files to me off-list, so that I can take a look and comment?

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
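The message above turns on one concrete check: an ICMP "fragmentation needed" message advertising a Next-Hop MTU below the 68-byte IPv4 minimum (or a zero MTU from the pre-RFC 1191 message format) cannot be a genuine PMTUD signal. The following is an added example, not code from the thread or from FreeBSD, showing the sanity checks a TCP stack or an IDS rule can apply to such a message before acting on it: ICMP checksum, type/code, a parseable quoted IPv4+TCP header, a quoted four-tuple that matches a real connection (the per-connection validation described in RFC 5927), and the MTU floor. The connection four-tuple, addresses, ports and the sample messages are constructed test data.

```python
import struct
from typing import Dict, NamedTuple, Tuple

# Protocol constants (RFC 791, RFC 792, RFC 1191)
IPV4_MIN_MTU = 68        # RFC 791: every IPv4 link must carry at least 68 octets
ICMP_DEST_UNREACH = 3    # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4     # ICMP code: fragmentation needed and DF set
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class Connection(NamedTuple):
    """Four-tuple of a local TCP connection (constructed sample data)."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def build_frag_needed(next_hop_mtu: int, conn: Connection, quoted_payload: bytes) -> bytes:
    """Test fixture: build an ICMP frag-needed message quoting a TCP segment
    that conn's local side sent to conn's remote side."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40 + len(quoted_payload), 0x1234, 0x4000,  # DF set
                         64, IPPROTO_TCP, 0,
                         bytes(map(int, conn.local_ip.split("."))),
                         bytes(map(int, conn.remote_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", conn.local_port, conn.remote_port,
                          1000, 2000, 0x50, 0x10, 65535, 0, 0)  # ACK, no options
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += ip_hdr + tcp_hdr + quoted_payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def validate_frag_needed(msg: bytes, conn: Connection) -> Tuple[bool, str]:
    """Return (accept, reason) for an ICMP message claiming a smaller path MTU
    for `conn`. Every rejection reason here is cheap to evaluate and is a
    condition a legitimate router-generated message never produces."""
    if len(msg) < 8 + 20 + 8:  # ICMP header + quoted IP header + 8 bytes (RFC 792 minimum)
        return False, "too short to carry the quoted IP header plus 8 bytes"
    if inet_checksum(msg) != 0:
        return False, "bad ICMP checksum"
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return False, "not a fragmentation-needed message"
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return False, "quoted datagram is not a usable IPv4 header plus 8 bytes"
    if quoted[9] != IPPROTO_TCP:
        return False, "quoted datagram is not TCP"
    src = ".".join(map(str, quoted[12:16]))
    dst = ".".join(map(str, quoted[16:20]))
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    # Only messages quoting a segment of an existing connection may touch its state.
    if (src, sport, dst, dport) != (conn.local_ip, conn.local_port,
                                    conn.remote_ip, conn.remote_port):
        return False, "quoted segment does not belong to this connection"
    if next_hop_mtu == 0:
        return False, "Next-Hop MTU is 0 (pre-RFC 1191 format); not trusted"
    if next_hop_mtu < IPV4_MIN_MTU:
        return False, f"Next-Hop MTU {next_hop_mtu} is below the IPv4 minimum of {IPV4_MIN_MTU}"
    return True, f"accept: lower path MTU to {next_hop_mtu}"


# Constructed connection and messages exercising the legitimate and bogus cases.
SAMPLE_CONN = Connection("192.0.2.10", 443, "198.51.100.7", 51234)


def demo() -> Dict[str, Tuple[bool, str]]:
    other = Connection("192.0.2.10", 443, "203.0.113.9", 40000)
    cases = {
        "legit_1400": build_frag_needed(1400, SAMPLE_CONN, b"\x00" * 8),
        "zero_mtu": build_frag_needed(0, SAMPLE_CONN, b"\x00" * 8),
        "mtu_below_68": build_frag_needed(40, SAMPLE_CONN, b"\x00" * 8),
        "wrong_connection": build_frag_needed(1400, other, b"\x00" * 8),
    }
    return {name: validate_frag_needed(m, SAMPLE_CONN) for name, m in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT':6} {reason}")
```

A longer quoted payload, as in the ~1048-byte messages Nikolay describes, is not by itself a reason to reject: RFC 1812 lets routers quote more than the original 8 bytes. What matters for the stack is that the quoted header identifies a live connection and that the advertised MTU is one a real link could have.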