[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200312111423.hBBEN0Kh005667@turing-police.cc.vt.edu>
Date: Thu, 11 Dec 2003 09:23:00 -0500
From: Valdis.Kletnieks@...edu
To: Shachar Shemesh <fulldisc@....consumer.org.il>
Cc: bugtraq@...urityfocus.com, full-disclosure@...sys.com
Subject: Re: A new TCP/IP blind data injection technique?
On Thu, 11 Dec 2003 10:56:01 +0200, Shachar Shemesh said:
> fragment at the place you mention. Most TCP/IP connections employ PMTU
> discovery, and then split the stream at layer 4, rather then perform
> Layer 3 assembly.
I wish it were so.
In fact, although many vendors ship with PMTU Discovery enabled, it very often
gets turned off due to the extraordinary number of totally clueless sites that
do one or more of:
1) Disable all ICMP, so the ICMP Frag Needed packets don't make it back, thus
hosing the connection entirely (send too large packet, frag needed, ICMP
dropped, timeout, retransmit, lather, rinse, repeat).
2) Number their point-to-points out of RFC1918 space, so the ICMP Frag Needed
gets swallowed by some border router that's doing reasonable ingress/egress
filtering.
Most sites, if they have enough clue to realize the 576-byte default isn't all
that hot, will simply nail the MSS to 1472 or so and pray for the best. Yes,
that's not reliable either, but it works better than PTMUD does in the real
world.
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists