RE: TCP/IP Stack Hardening

From: Scott Cleven-Mulcahy (
Date: 12/22/03

  • Next message: dave kleiman: "RE: TCP/IP Stack Hardening"
    Date: Mon, 22 Dec 2003 13:44:07 -0600

    When PMTU is disabled, the default MTU is 1500 for local subnet and 576 for
    remote. I usually multi-home external facing systems and configure 1
    interface for internet traffic (unbind to the interface, especially MS
    networking) and the other for backend traffic (but still not on the internal
    network). Depending on environment, I'll change the backend NIC's default
    MTU size to 1500 - this especially helps traffic between a web server and
    database. BTW, 576 bytes is the default MTU for dial-up connections.

    Troubleshooting MTU problems is actually pretty easy. Use ping with the -L
    switch. This specifies the size of the ICMP packet. Start with 1500 and
    keep dropping down until you get a response. It's been a few years since
    I've encountered an MTU problem, though.

    That said, disabling PMTU is probably not the most important network stack
    hardening step you can take. I would rate the SYN flood protection
    mechanisms as much more important.

    I've not found disabling ICMP redirects a problem as long as the routing
    devices have proper routes and the local routing table isn't jacked up. The
    only legitimate use of redirects that I've seen is when a segment has
    multiple, independent routing devices. Since there can only be 1 default
    gateway the system sends the packet to that router, which may not handle
    that network, but it knows a router that does, which is on the same segment.
    I've always handled that situation by entering static routes on the server
    to ensure the correct router is used. Only in very rare cases have I had to
    enter a static route for a specific host (this has a tendency to complicate
    the routing table).

    Unlike disabling PMTU, I do consider disabling ICMP Redirects an important
    network hardening step, especially for externally accessible systems. For
    one, I've found it rare for a segment to have multiple routers. And two, a
    simple static routing table solves the issue of multiple possible routes.

    I'm a bigger stickler for NoNameReleaseOnDemand and RefuseReset on internal
    networks than external. I've never bound MS networking to external
    interfaces so it's not an issue (it only affects NetBIOS names). One of
    them has an exploit released (I forget which).


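The probe-and-shrink MTU troubleshooting procedure described in the post, as an added example that is not part of the original message or the thread. It builds the DF-flagged ping invocation for Windows (`-f -l`) or Linux (`-M do -s`), and runs the size search as a binary search between the 576-byte remote default and 1500 instead of stepping down one size at a time. The `simulated_probe` path MTU values are constructed so the search can run offline; `os_probe` shells out to the real `ping` for use against a live host.

```python
"""Path-MTU probing as described in the post: send ICMP echo requests with
Don't Fragment set, start at a 1500-byte MTU and shrink until a reply
arrives.  Added example, not from the original thread."""
import subprocess
import sys
from typing import Callable, List, Optional

IP_HEADER = 20            # IPv4 header with no options
ICMP_HEADER = 8           # ICMP echo header
OVERHEAD = IP_HEADER + ICMP_HEADER   # ping's size option is payload only


def ping_command(host: str, payload: int, platform: str = sys.platform) -> List[str]:
    """Build one DF-flagged probe of `payload` bytes.
    Windows ping: -f sets DF, -l sets payload size, -n 1 sends one echo.
    Linux iputils ping: -M do forbids fragmentation, -s sets payload, -c 1 sends one."""
    if platform.startswith("win"):
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]


def os_probe(host: str) -> Callable[[int], bool]:
    """Return a probe that really pings `host`; True only if an echo reply came back."""
    def probe(payload: int) -> bool:
        result = subprocess.run(ping_command(host, payload), capture_output=True, text=True)
        out = result.stdout.lower()
        # Some ping builds print the fragmentation-needed error in the reply
        # area, so check the text as well as the exit status.
        return (result.returncode == 0
                and "needs to be fragmented" not in out
                and "message too long" not in out)
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path with the given MTU (assumption, for offline runs).
    A DF packet gets through only if IP header + ICMP header + payload fits the MTU."""
    return lambda payload: payload + OVERHEAD <= path_mtu


def find_path_mtu(probe: Callable[[int], bool],
                  start_mtu: int = 1500, floor_mtu: int = 576) -> Optional[int]:
    """Largest MTU in [floor_mtu, start_mtu] whose DF probe is answered.
    Same outcome as stepping down from 1500, but roughly log2(1500-576) probes."""
    lo, hi = floor_mtu, start_mtu
    if not probe(lo - OVERHEAD):
        return None          # even the dial-up minimum fails: host down or ICMP filtered
    if probe(hi - OVERHEAD):
        return hi            # full-size frames pass, nothing to tune
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid - OVERHEAD):
            lo = mid         # mid fits; the answer is at least this large
        else:
            hi = mid         # mid was too big
    return lo


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    mtu = find_path_mtu(os_probe(target))
    print(f"path MTU to {target}: {mtu if mtu is not None else 'no reply at 576'}")
```

Run it as `python pmtu_probe.py <host>` from a console; a result of 1492 is the classic PPPoE signature, and `None` usually means ICMP is filtered rather than a genuine MTU problem.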

