[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954

2005-07-22 Thread Darren Reed
In some mail from Dana Hudes, sie said:
 
> you will find a range of MTU sizes in radio links of various sorts which
> is not just 802.11 but also cellular including GPRS CDMA and WCDMA.
> Now, in many instances there is a proxy between the mobile station and the
> public network. In fact I wrote a PowerPoint presentation summarizing such
> a paper on transparent TCP proxy in WCDMA and it's on my site
> http://www.networkengineer.biz  (I took a course in wireless
> architecture).

This website does nothing more than show ads if you are using mozilla.

Please do better than that if you're posting to a public forum.

In many instances, the traffic I've seen between base stations and
mobile phones has a normal MTU.  (I worked on software that handles
wireless data.)

Darren
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954

2005-07-22 Thread Dana Hudes
you will find a range of MTU sizes in radio links of various sorts which
is not just 802.11 but also cellular including GPRS CDMA and WCDMA.
Now, in many instances there is a proxy between the mobile station and the
public network. In fact I wrote a PowerPoint presentation summarizing such
a paper on transparent TCP proxy in WCDMA and it's on my site
http://www.networkengineer.biz  (I took a course in wireless
architecture).


On Thu, 21 Jul 2005, Darren Reed wrote:

> In some mail from Fernando Gont, sie said:
> >
> > At 07:25 p.m. 20/07/2005, Darren Reed wrote:
> >
> > In some mail from Fernando Gont, sie said:
> > > > The IPv4 minimum MTU is 68, and not 576. If you blindly send packets larger
> > > > than 68 with the DF bit set, in the case there's an intermediate with an
> > > > MTU lower than 576, the connection will stall.
> >
> > And I think you can safely say that if you see any packets trying to
> > indicate that the MTU of a link is 68 then you should ignore it.
> >
> > Yes. But what about 296?
> >
> ...
> > I think it is reasonable to say anyone trying to advertise an MTU less
> > than 576 has nefarious purposes in mind.
> >
> > There are still some radio links with MTUs of 296 bytes.
>
> Go search with google... people still actively use smaller MTUs.
>
> What do you do?  Where do you draw the line in the sand?
>
> Darren
 


[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954

2005-07-21 Thread Darren Reed
In some mail from Fernando Gont, sie said:
 
> At 07:25 p.m. 20/07/2005, Darren Reed wrote:
>
> In some mail from Fernando Gont, sie said:
> > > The IPv4 minimum MTU is 68, and not 576. If you blindly send packets larger
> > > than 68 with the DF bit set, in the case there's an intermediate with an
> > > MTU lower than 576, the connection will stall.
>
> And I think you can safely say that if you see any packets trying to
> indicate that the MTU of a link is 68 then you should ignore it.
>
> Yes. But what about 296?
>
...
> I think it is reasonable to say anyone trying to advertise an MTU less
> than 576 has nefarious purposes in mind.
>
> There are still some radio links with MTUs of 296 bytes.

Go search with google... people still actively use smaller MTUs.

What do you do?  Where do you draw the line in the sand?

Darren


[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954

2005-07-21 Thread Casper . Dik

> > There are still some radio links with MTUs of 296 bytes.
>
> Go search with google... people still actively use smaller MTUs.
>
> What do you do?  Where do you draw the line in the sand?

Well, the minimum requirement for you must be able to reassemble this
is 576; so you use PMTU until you go as low as 576 at which point you
stop using the DF bit.

Casper


[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954

2005-07-21 Thread Fernando Gont

At 02:50 a.m. 21/07/2005, Darren Reed wrote:


> > I think it is reasonable to say anyone trying to advertise an MTU less
> > than 576 has nefarious purposes in mind.
> >
> > There are still some radio links with MTUs of 296 bytes.
>
> Go search with google... people still actively use smaller MTUs.
>
> What do you do?  Where do you draw the line in the sand?


Again and again: Read the draft at 
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html


It fixes the problem without having to draw any line.

--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]







[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954

2005-07-21 Thread Fernando Gont

At 02:17 p.m. 21/07/2005, [EMAIL PROTECTED] wrote:


> > > There are still some radio links with MTUs of 296 bytes.
> >
> > Go search with google... people still actively use smaller MTUs.
> >
> > What do you do?  Where do you draw the line in the sand?
>
> Well, the minimum requirement for you must be able to reassemble this
> is 576; so you use PMTU until you go as low as 576 at which point you
> stop using the DF bit


I assume you are not proposing this as the solution to the problem.

If you do, I'd just spoof an ICMP fragmentation needed and DF bit set 
that advertises an MTU lower than 576.

And then would attack you with IP fragments.

Kindest regards,

--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
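
The two thresholds argued over in this thread, as an added example in C that is not code from any poster or from the draft linked above: ignoring advertisements below 576, versus following PMTU down to 576 and then clearing DF. All names are hypothetical; a 20-byte IPv4 header and a starting MTU of 1500 are assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; every name here is hypothetical. */
#define REASSEMBLY_MIN 576u  /* size every host must be able to reassemble */
#define IP_HDR 20u           /* assumed: IPv4 header without options */
enum policy { IGNORE_BELOW_576, CLAMP_576_CLEAR_DF };
struct pmtu_state { uint16_t pmtu; bool df; };

/* Apply one ICMP "fragmentation needed and DF bit set" advertisement. */
void on_frag_needed(struct pmtu_state *s, uint16_t adv, enum policy p)
{
    if (!s->df || adv >= s->pmtu) return;  /* DF off, or not a decrease */
    if (adv >= REASSEMBLY_MIN) {
        s->pmtu = adv;             /* ordinary PMTU discovery step */
    } else if (p == CLAMP_576_CLEAR_DF) {
        s->pmtu = REASSEMBLY_MIN;  /* go no lower than 576 ... */
        s->df = false;             /* ... and let routers fragment */
    }                              /* IGNORE_BELOW_576: state unchanged */
}

/* What crosses a link of MTU link_mtu for one full-size packet: 1 if it
 * fits, 0 if dropped (DF set, or link_mtu < 68), else the fragment count. */
unsigned on_wire(const struct pmtu_state *s, uint16_t link_mtu)
{
    if (link_mtu < 68) return 0;
    if (s->pmtu <= link_mtu) return 1;
    if (s->df) return 0;
    unsigned per_frag = (link_mtu - IP_HDR) & ~7u;  /* multiple of 8 */
    return (s->pmtu - IP_HDR + per_frag - 1) / per_frag;
}

/* Start at 1500 with DF set, deliver one advertisement equal to the
 * link's real MTU, and report what then gets across that link. */
unsigned after_advert(uint16_t link_mtu, enum policy p, bool *df_out)
{
    struct pmtu_state s = { 1500, true };
    on_frag_needed(&s, link_mtu, p);
    if (df_out) *df_out = s.df;
    return on_wire(&s, link_mtu);
}

int main(void)
{
    bool df;
    unsigned n = after_advert(296, CLAMP_576_CLEAR_DF, &df);
    printf("296-byte link: %u fragments, DF %s\n", n, df ? "set" : "clear");
}
```

For a genuine 296-byte link the first policy returns 0 (the stall described earlier in the thread) and the second returns 3 fragments with DF cleared; neither function checks where the advertisement came from.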







[Full-disclosure] Re: (ICMP attacks against TCP) (was Re: HPSBUX01137 SSRT5954 rev.4

2005-07-20 Thread Fernando Gont

At 07:25 p.m. 20/07/2005, Darren Reed wrote:


> In some mail from Fernando Gont, sie said:
> > The IPv4 minimum MTU is 68, and not 576. If you blindly send packets larger
> > than 68 with the DF bit set, in the case there's an intermediate with an
> > MTU lower than 576, the connection will stall.
>
> And I think you can safely say that if you see any packets trying to
> indicate that the MTU of a link is 68 then you should ignore it.

Yes. But what about 296?

> Ignoring quenches as a problem, if you try to send 10K of data to a
> box that has an MTU of 68, 1200+ packets are required vs less than 10
> for an ethernet MTU.  The problem is 1200 packets require a lot more
> system time to send than 6 or 7.  A different kind of DoS attack.

?
That of more system time required was listed as one of the effects of the
PMTUD attack in one of the e-mails I sent today.

Not sure what you are saying about ICMP Source Quenches

> I think it is reasonable to say anyone trying to advertise an MTU less
> than 576 has nefarious purposes in mind.

There are still some radio links with MTUs of 296 bytes.
