Home page logo

bugtraq logo Bugtraq mailing list archives

Re: ICMP fragmentation required but DF set problems.
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Sun, 21 Jan 2001 16:40:53 +0100

On Mon, 15 Jan 2001, antirez wrote:

  It's possible to slowdown (a lot) connections between two
  arbirary hosts (but at least one with the PMTU discovery enabled)
  using some spoofed TCP/IP packet. Maybe you can do more
  against some TCP/IP stack.
  There isn't a clear solution.

PMTU discovery is used by TCP (primarily if not exclusively). Isn't it
possible to 1. check TCP sequence numbers in ICMP frag. needed messages
generated as a response to a TCP datagram (in the same way they should be
checked on any ICMP dest. unreachable to prevent a trivial DoS),
2. disregard any other ICMP frag. needed message?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]