Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Broken PMTUD in FreeBSD?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 11 Jun 2002 16:34:20 +0200

Phil Dibowitz wrote:

[FreeBSD doesn't set DF in SYN/ACK]

I don't consider this a big security hole, but it is a bug. It could 
be used to do TCP fingerprinting, and it also breaks a standard 

Is this really a bug? I wouldn't be so sure. What is the purpose of
setting DF in a SYN/ACK segment ? It's not like it can react to 
returned ICMP errors and decrease the size of segment (only 40 bytes
of IP and TCP header and a few options).

I'd even argue that it's a feature. If something has an MTU that
is so small that it can't pass TCP segments without data, there's
nothing to be done about it, and you should let fragmentation occur.

The fingerprinting point is sort of valid, I guess. However, since 
there are already BSD boxes out there doing this, the fingerprint 
value would be even greater (the fingerprint match more narrow) if 
one were to change it now.

Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]