Re: [Full-Disclosure] A new TCP/IP blind data injection technique?

Valdis.Kletnieks_at_vt.edu
Date: 12/11/03

    To: Shachar Shemesh <fulldisc@sun.consumer.org.il>
    Date: Thu, 11 Dec 2003 09:23:00 -0500

    On Thu, 11 Dec 2003 10:56:01 +0200, Shachar Shemesh said:

    > fragment at the place you mention. Most TCP/IP connections employ PMTU
    > discovery, and then split the stream at layer 4, rather than perform
    > Layer 3 assembly.

    I wish it were so.

    In fact, although many vendors ship with PMTU Discovery enabled, it very often
    gets turned off due to the extraordinary number of totally clueless sites that
    do one or more of:

    1) Disable all ICMP, so the ICMP Frag Needed packets don't make it back, thus
    hosing the connection entirely (send too large packet, frag needed, ICMP
    dropped, timeout, retransmit, lather, rinse, repeat).

    2) Number their point-to-points out of RFC1918 space, so the ICMP Frag Needed
    gets swallowed by some border router that's doing reasonable ingress/egress
    filtering.

    Most sites, if they have enough clue to realize the 576-byte default isn't all
    that hot, will simply nail the MSS to 1472 or so and pray for the best. Yes,
    that's not reliable either, but it works better than PMTUD does in the real
    world.

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
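The two PMTU Discovery failure modes in the message above (ICMP Frag Needed dropped by a site that blocks all ICMP, and Frag Needed sourced from an RFC1918-numbered point-to-point link and swallowed by a border router's ingress filter) and the MSS-clamp workaround can be checked offline with a small model. This is an added example, not code from the original post or from anyone on the list; the hop names, addresses, MTUs and the three-retransmit timeout are constructed for illustration, and the header sizes assume IPv4 and TCP without options (20 bytes each).

```python
"""Offline model of why PMTUD blackholes happen and when an MSS clamp helps.

Constructed example; the paths below are invented, not measured.
"""
from dataclasses import dataclass
import ipaddress

IP_HDR = 20   # IPv4 header, no options
TCP_HDR = 20  # TCP header, no options

# RFC1918 private ranges; a border doing sane ingress filtering drops
# packets that arrive from outside with these source addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass
class Hop:
    name: str
    mtu: int                        # MTU of the link this hop forwards onto
    addr: str                       # source address of any ICMP this hop sends
    drops_icmp: bool = False        # failure mode 1: site drops all ICMP
    filters_rfc1918: bool = False   # border doing RFC1918 ingress filtering


def icmp_reaches_sender(path, origin_idx):
    """Does a Frag Needed generated at path[origin_idx] get back to the sender?

    The ICMP is sourced from the originating router's own address and travels
    back through every hop that sits between it and the sender.
    """
    origin = path[origin_idx]
    if origin.drops_icmp:
        return False, f"ICMP dropped at {origin.name}"
    if is_rfc1918(origin.addr):
        for hop in reversed(path[:origin_idx]):
            if hop.filters_rfc1918:
                return False, f"ICMP from {origin.addr} filtered at {hop.name}"
    return True, "ICMP delivered"


def pmtud(path, mss, max_retries=3):
    """Send DF-set segments of size mss+headers and follow the PMTUD feedback.

    Returns whether data got through, the final packet size the sender settled
    on, how many retransmissions it took, and why it stopped.
    """
    size = mss + IP_HDR + TCP_HDR
    retransmits = 0
    while True:
        too_small = next(((i, h) for i, h in enumerate(path) if size > h.mtu), None)
        if too_small is None:
            return {"delivered": True, "size": size,
                    "retransmits": retransmits, "reason": "fits path MTU"}
        idx, hop = too_small
        ok, why = icmp_reaches_sender(path, idx)
        retransmits += 1
        if ok:
            size = hop.mtu          # sender adopts the advertised MTU and resends
            continue
        if retransmits >= max_retries:   # lost ICMP: retransmit, timeout, repeat, give up
            return {"delivered": False, "size": size,
                    "retransmits": retransmits, "reason": why}


def mss_clamp_works(path, mss):
    """An MSS clamp needs no ICMP feedback; it works iff the segment fits every link."""
    return all(mss + IP_HDR + TCP_HDR <= h.mtu for h in path)


def largest_safe_mss(path):
    """The biggest MSS that never needs fragmentation on this path."""
    return min(h.mtu for h in path) - IP_HDR - TCP_HDR


# Constructed paths: a 1400-byte tunnel hop in the middle of a 1500-byte path.
def make_path(tunnel_addr="203.0.113.9", tunnel_drops_icmp=False):
    return [
        Hop("site-border", 1500, "198.51.100.1", filters_rfc1918=True),
        Hop("isp-core", 1500, "203.0.113.5"),
        Hop("tunnel", 1400, tunnel_addr, drops_icmp=tunnel_drops_icmp),
        Hop("far-border", 1500, "192.0.2.1"),
    ]

HEALTHY = make_path()                                  # PMTUD works as designed
ICMP_BLACKHOLE = make_path(tunnel_drops_icmp=True)     # failure mode 1
RFC1918_P2P = make_path(tunnel_addr="10.200.0.2")      # failure mode 2

ETHERNET_MSS = 1460   # what a host on a 1500-byte link advertises by default

if __name__ == "__main__":
    for label, path in (("healthy", HEALTHY), ("icmp blackhole", ICMP_BLACKHOLE),
                        ("rfc1918 p2p", RFC1918_P2P)):
        print(label, pmtud(path, ETHERNET_MSS))
    print("safe MSS on this path:", largest_safe_mss(ICMP_BLACKHOLE))
```

Running it shows the healthy path converging on 1400-byte packets after one Frag Needed, both broken paths timing out with the full-size segment, and that clamping the MSS to 1360 (1400 minus 40 bytes of headers) gets data through either broken path without any ICMP at all. A clamp set higher than that still blackholes, which is the "not reliable either" part: the clamp only helps when the chosen value happens to be below the smallest MTU on the path.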


