Message-ID: <200312111423.hBBEN0Kh005667@turing-police.cc.vt.edu>
Date: Thu, 11 Dec 2003 09:23:00 -0500
From: Valdis.Kletnieks@...edu
To: Shachar Shemesh <fulldisc@....consumer.org.il>
Cc: bugtraq@...urityfocus.com, full-disclosure@...sys.com
Subject: Re: A new TCP/IP blind data injection technique?

On Thu, 11 Dec 2003 10:56:01 +0200, Shachar Shemesh said:

> fragment at the place you mention. Most TCP/IP connections employ PMTU 
> discovery, and then split the stream at layer 4, rather than perform 
> Layer 3 assembly.

I wish it were so.

In fact, although many vendors ship with PMTU Discovery enabled, it very often
gets turned off due to the extraordinary number of totally clueless sites that
do one or more of:

1) Disable all ICMP, so the ICMP Frag Needed packets don't make it back, thus
hosing the connection entirely (send too large packet, frag needed, ICMP
dropped, timeout, retransmit, lather, rinse, repeat).

2) Number their point-to-points out of RFC1918 space, so the ICMP Frag Needed
gets swallowed by some border router that's doing reasonable ingress/egress
filtering.

Most sites, if they have enough clue to realize the 576-byte default isn't all
that hot, will simply nail the MSS to 1472 or so and pray for the best.  Yes,
that's not reliable either, but it works better than PMTUD does in the real
world.


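The failure mode described in the message above (DF-marked packets that are too large for some hop, the ICMP Fragmentation Needed reply eaten by a filter, timeout and retransmit forever) and the MSS-clamping workaround can be shown with a small path model. This is an added example, not code from the thread or from any of the posters; the hop MTUs (a constructed 1400-byte tunnel hop between two Ethernet segments), the timeout budget and the clamp values are assumptions chosen to show both a working and a broken clamp, and the 40 bytes of header overhead assume IPv4 and TCP without options.

```python
# Added example: a toy model of Path MTU Discovery (PMTUD) failing behind a
# blanket ICMP filter, and of the MSS clamp the post describes as the usual
# workaround. Constructed for illustration; not code from the thread.
from dataclasses import dataclass

IP_HDR = 20   # IPv4 header, no options
TCP_HDR = 20  # TCP header, no options


@dataclass
class Path:
    """A sequence of hop MTUs plus a flag for a firewall that eats ICMP."""
    hop_mtus: list
    icmp_filtered: bool = False  # drops ICMP type 3 code 4 (Frag Needed)

    def send(self, packet_size, df=True):
        """Return ('ok', None), ('frag_needed', hop_mtu), ('blackholed', None)
        or ('fragmented', hop_mtu) for a single packet."""
        for mtu in self.hop_mtus:
            if packet_size > mtu:
                if not df:
                    # DF clear: the router fragments at layer 3 and forwards
                    return ('fragmented', mtu)
                if self.icmp_filtered:
                    # Frag Needed never reaches the sender: silent loss
                    return ('blackholed', None)
                return ('frag_needed', mtu)
        return ('ok', None)


def pmtud_session(path, initial_mtu=1500, max_timeouts=5):
    """Sender with DF set: shrink on Frag Needed, retransmit on timeout."""
    mtu = initial_mtu
    timeouts = 0
    while timeouts < max_timeouts:
        result, hop_mtu = path.send(mtu, df=True)
        if result == 'ok':
            return {'delivered': True, 'pmtu': mtu, 'timeouts': timeouts}
        if result == 'frag_needed':
            mtu = hop_mtu      # the ICMP told us the bottleneck size
            continue
        timeouts += 1          # blackholed: wait, retransmit same size, repeat
    return {'delivered': False, 'pmtu': mtu, 'timeouts': timeouts}


def mss_clamped_session(path, mss):
    """Sender ignoring PMTUD: every segment is mss + 40 bytes, DF still set."""
    packet_size = mss + IP_HDR + TCP_HDR
    result, _ = path.send(packet_size, df=True)
    return {'delivered': result == 'ok', 'packet_size': packet_size}


if __name__ == '__main__':
    # constructed path: Ethernet, a 1400-byte tunnel hop, Ethernet again
    tunnel = [1500, 1400, 1500]
    print(pmtud_session(Path(tunnel)))                      # works with ICMP
    print(pmtud_session(Path(tunnel, icmp_filtered=True)))  # black hole
    print(mss_clamped_session(Path(tunnel, icmp_filtered=True), mss=1360))
    print(mss_clamped_session(Path(tunnel, icmp_filtered=True), mss=1460))
```

The clamp only helps when the chosen MSS plus headers fits the smallest hop on the path; with the 1400-byte hop above, a clamp of 1360 gets through while a clamp sized for plain Ethernet still black-holes, which is the "not reliable either" caveat in the post. Allowing ICMP type 3 code 4 through the filter (and avoiding RFC 1918 source addresses on the routers that generate it) is what makes PMTUD itself work.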
