Re: DoS attack - advice needed

From: Ilya Martynov (m_ilya@agava.com)
Date: 03/22/01


To: Chris Byrnes <chris@jeah.net>
From: Ilya Martynov <m_ilya@agava.com>
Date: 22 Mar 2001 20:29:43 +0300


>>>>> "CB" == Chris Byrnes <chris@jeah.net> writes:

    CB> And, while we're on the subject, who needs ICMP? I haven't
    CB> found a valid use for it.

ping uses types 0 and 8

traceroute uses 11

type 3 is required for TCP/UDP traffic

Here is a quote from the Linux IPCHAINS-HOWTO that describes why you should not
block type 3 (destination-unreachable):

  A worse problem is the role of ICMP packets in MTU discovery. All
  good TCP implementations (Linux included) use MTU discovery to try
  to figure out what the largest packet that can get to a destination
  without being fragmented (fragmentation slows performance,
  especially when occasional fragments are lost). MTU discovery works
  by sending packets with the "Don't Fragment" bit set, and then
  sending smaller packets if it gets an ICMP packet indicating
  "Fragmentation needed but DF set" (`fragmentation-needed'). This is
  a type of `destination-unreachable' packet, and if it is never
  received, the local host will not reduce MTU, and performance will
  be abysmal or non-existent.

-- 
Ilya Martynov
AGAVA Software Company, http://www.agava.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
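As an added example (not from Ilya's post, the HOWTO, or any FreeBSD code), a small Python ICMP decoder with a filter policy that keeps exactly the types named above (0, 8, 11 and 3) and pulls the next-hop MTU out of a type 3/code 4 fragmentation-needed message, since that field is what path MTU discovery needs. The sample packets, the `build_icmp` helper and the `ALLOWED_TYPES` set are constructed for this example.

```python
import struct

# ICMP types the post says a filter must keep open (constructed policy for this example)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # code under type 3: "fragmentation needed but DF set"
ALLOWED_TYPES = {ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; for type 3/code 4 also read the next-hop MTU (RFC 1191)."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    itype, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    if icmp_checksum(packet) != 0:  # a valid message sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    info = {"type": itype, "code": code, "payload": packet[8:]}
    if itype == DEST_UNREACH and code == FRAG_NEEDED:
        info["next_hop_mtu"] = rest & 0xFFFF  # low 16 bits of the second header word
    return info

def filter_verdict(packet: bytes) -> str:
    """'allow' or 'drop' following the post: keep 0, 8, 11 and every type 3 so PMTU discovery works."""
    try:
        info = parse_icmp(packet)
    except ValueError:
        return "drop"  # malformed messages are dropped regardless of type
    return "allow" if info["type"] in ALLOWED_TYPES else "drop"

def build_icmp(itype: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Construct a well-formed ICMP message with a valid checksum (used for the sample inputs)."""
    header = struct.pack("!BBHI", itype, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", itype, code, csum, rest) + payload

# Constructed samples: frag-needed from a 1492-byte-MTU hop, an echo request, a redirect (type 5)
FRAG_NEEDED_MSG = build_icmp(DEST_UNREACH, FRAG_NEEDED, 1492, b"\x45\x00" + b"\x00" * 26)
ECHO_MSG = build_icmp(ECHO_REQUEST, 0, 0x12340001, b"data")
REDIRECT_MSG = build_icmp(5, 1, 0x0A000001)
if __name__ == "__main__":
    for name, msg in [("frag-needed", FRAG_NEEDED_MSG), ("echo", ECHO_MSG), ("redirect", REDIRECT_MSG)]:
        print(name, filter_verdict(msg), parse_icmp(msg).get("next_hop_mtu"))
```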

