Hello, Nikolay,

On 01/13/2012 12:29 PM, Nikolay Denev wrote:
> I'm now looking again at the pcap and I'm a bit confused.
> First the possible attacker sends the ICMP need-frag packets with "MTU of
> next hop" set to zero, which in 2012 shouldn't be very common?

Not just uncommon, but actually not possible (*): the minimum IPv4 MTU is 68 bytes, so you should never see an advertised MTU smaller than that. Furthermore, as noted by Andre, the lowest *real* MTUs are >250 bytes.

(*) IIRC, an archaic specification of the "frag needed" messages didn't include the "Next-Hop MTU" field, which means that in *theory* (*not* in current practice) those messages could be legitimate.

> Then when my server sends a 66-byte FIN/ACK packet, the attacker continues
> to send need-frag ICMPs and the FreeBSD host sends FIN/ACK packets again.
> Later on he sends ICMP need-frag packets again, but with a size of about
> 1048 bytes, with a very large part of the original packet's payload instead
> of the required several bytes; this then triggers excessive retransmits from
> the FreeBSD host, which generates a lot of traffic.
> The retransmits are roughly ~300-500 byte packets.

Can you post a packet trace (tcpdump's packet decode output), or send the trace or pcap files to me off-list, so that I can take a look and comment?

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
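As an added illustration (not part of the thread, and not Fernando's or FreeBSD's code), a small Python checker that applies the two sanity checks discussed above to a raw ICMP "fragmentation needed" message: an advertised Next-Hop MTU below the 68-byte IPv4 minimum, and an unusually large embedded copy of the original datagram. The sample messages are constructed; the 576-byte bound on the whole ICMP datagram is taken from RFC 1812 and is an assumption about what a router would normally send.

```python
import struct
from dataclasses import dataclass, field

IPV4_MIN_MTU = 68                 # smallest legal IPv4 MTU, as cited in the reply above
MAX_ICMP_DGRAM = 576              # RFC 1812 bound on an error message (assumption, see lead-in)
OUTER_IP_HDR = 20                 # assumed size of the IP header wrapping the ICMP message
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4


@dataclass
class FragNeededReport:
    next_hop_mtu: int
    embedded_len: int             # bytes of the original datagram after the 8-byte ICMP header
    findings: list = field(default_factory=list)


def inspect_frag_needed(icmp: bytes):
    """Parse one ICMP message; return a report for type 3 / code 4, else None."""
    if len(icmp) < 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    embedded = icmp[8:]
    report = FragNeededReport(mtu, len(embedded))
    if mtu < IPV4_MIN_MTU:
        report.findings.append(f"next-hop MTU {mtu} is below the IPv4 minimum of {IPV4_MIN_MTU}")
    if len(embedded) < 20:
        report.findings.append("embedded original datagram is shorter than an IPv4 header")
        return report
    ihl = (embedded[0] & 0x0F) * 4
    # Classic format: original IP header + first 8 bytes of its payload. Routers may
    # include more, so only flag an excess beyond the usual 576-byte datagram bound.
    if OUTER_IP_HDR + len(icmp) > MAX_ICMP_DGRAM:
        report.findings.append(
            f"{len(embedded)} bytes of original datagram carried (classic format: {ihl + 8})")
    return report


def build_frag_needed(mtu: int, original: bytes) -> bytes:
    """Constructed test helper: assemble a type 3 / code 4 message (checksum left zero)."""
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + original


# Constructed samples: a minimal 20-byte IPv4 header (IHL=5) followed by payload.
_IP_HDR = bytes([0x45]) + bytes(19)
SUSPICIOUS = build_frag_needed(0, _IP_HDR + bytes(1020))     # MTU 0, 1048 bytes in total
BENIGN = build_frag_needed(1280, _IP_HDR + bytes(8))         # MTU 1280, header + 8 bytes

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        r = inspect_frag_needed(msg)
        print(name, r.next_hop_mtu, r.embedded_len, r.findings)
```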