RE: TCP/IP Stack Hardening

From: Scott Cleven-Mulcahy (
Date: 12/22/03

  • Next message: dave kleiman: "RE: TCP/IP Stack Hardening"
    Date: Mon, 22 Dec 2003 13:44:07 -0600

    When PMTU is disabled, the default MTU is 1500 for local subnet and 576 for
    remote. I usually multi-home external facing systems and configure 1
    interface for internet traffic (unbind to the interface, especially MS
    networking) and the other for backend traffic (but still not on the internal
    network). Depending on environment, I'll change the backend NIC's default
    MTU size to 1500 - this especially helps traffic between a web server and
    database. BTW, 576 bytes is the default MTU for dial-up connections.

    Troubleshooting MTU problems is actually pretty easy. Use ping with the -L
    switch. This specifies the size of the ICMP packet. Start with 1500 and
    keep dropping down until you get a response. It's been a few years since
    I've encountered an MTU problem, though.

    That said, disabling PMTU is probably not the most important network stack
    hardening step you can take. I would rate the SYN flood protection
    mechanisms as much more important.

    I've not found disabling ICMP redirects a problem as long as the routing
    devices have proper routes and the local routing table isn't jacked up. The
    only legitimate use of redirects that I've seen is when a segment has
    multiple, independent routing devices. Since there can only be 1 default
    gateway the system sends the packet to that router, which may not handle
    that network, but it knows a router that does, which is on the same segment.
    I've always handled that situation by entering static routes on the server
    to ensure the correct router is used. Only in very rare cases have I had to
    enter a static route for a specific host (this has a tendency to complicate
    the routing table).

    Unlike disabling PMTU, I do consider disabling ICMP Redirects an important
    network hardening step, especially for externally accessible systems. For
    one, I've found it rare for a segment to have multiple routers. And two, a
    simple static routing table solves the issue of multiple possible routes.

    I'm a bigger stickler for NoNameReleaseOnDemand and RefuseReset on internal
    networks than external. I've never bound MS networking to external
    interfaces so it's not an issue (it only affects NetBIOS names). One of
    them has an exploit released (I forget which).
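The MTU probing procedure described in the post (ping with a fixed size, stepping down until a reply comes back) and a read-out of the stack settings it discusses, as an added PowerShell example that is not part of the original message. It assumes a Windows host with the built-in ping.exe, a placeholder target hostname, and the Tcpip/NetBT parameter names and registry paths from Microsoft's documentation for these settings.

```powershell
# Added example, not from the original post. $Target is a placeholder host.
# Binary-searches the largest ICMP payload that passes with Don't-Fragment set,
# then reports the path MTU (payload + 8 bytes ICMP + 20 bytes IPv4 header).
function Find-PathMtu {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $Low  = 548,   # 576-byte minimum MTU minus 28 bytes of headers
        [int] $High = 1472   # 1500-byte Ethernet MTU minus 28 bytes of headers
    )
    $best = 0
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        # -f sets DF, -l sets the payload size, -n 1 sends one probe, -w is ms timeout
        $out = ping.exe -f -l $mid -n 1 -w 2000 $Target 2>&1
        $fragmented = $out -match 'needs to be fragmented'   # DF rejected on the path
        $replied    = $out -match 'TTL='                     # a real echo reply
        if ($replied -and -not $fragmented) { $best = $mid; $Low = $mid + 1 }
        else                                { $High = $mid - 1 }
    }
    if ($best -eq 0) { return $null }   # no size in range got through
    [pscustomobject]@{ Target = $Target; Payload = $best; PathMtu = $best + 28 }
}

# Reads the stack settings the thread discusses. Key paths and value names are
# assumed from Microsoft's Tcpip/NetBT parameter documentation; an absent value
# means the stack default applies.
function Get-TcpipStackSettings {
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $names = @(
        @{ Path = $tcpip; Name = 'EnablePMTUDiscovery' },
        @{ Path = $tcpip; Name = 'EnableICMPRedirect' },
        @{ Path = $tcpip; Name = 'SynAttackProtect' },
        @{ Path = $netbt; Name = 'NoNameReleaseOnDemand' }
    )
    foreach ($n in $names) {
        $item = Get-ItemProperty -Path $n.Path -Name $n.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Setting = $n.Name
            Value   = if ($item) { $item.($n.Name) } else { '(not set, default)' }
        }
    }
}

Find-PathMtu -Target 'PLACEHOLDER-HOST'
Get-TcpipStackSettings | Format-Table -AutoSize
```

A null result from Find-PathMtu means even the 548-byte probe was dropped, which usually points at a filter blocking ICMP rather than at an MTU problem.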

