RE: TCP/IP Stack Hardening

From: Frank Knobbe (frank_at_knobbe.us)
Date: 12/23/03

  • Next message: dave kleiman: "RE: TCP/IP Stack Hardening"

    To: dave kleiman <dave@isecureu.com>
    Date: Mon, 22 Dec 2003 22:20:41 -0600

    On Mon, 2003-12-22 at 18:31, dave kleiman wrote:
    > That statement is somewhat correct. PMTU discovery only affects packets
    > outside your local subnet, therefore "should" not affect your internal
    > network performance.

    Yes, as you (and others) have stated, packets to the local subnet are
    still sent with the MTU of that adapter. Perhaps I'm so used to having
    systems in firewall segments and other setups that require routing that
    this fact just didn't seem important anymore. For most situations where
    you harden systems, you do it for the purpose of securing the system
    from outside access, meaning that packets are routed.

    > Secondly if you set the PMTU Discovery to 0, and a host route is added to
    > the Windows 2000 routing table via an ICMP redirect from the default
    > gateway, that host route will not be removed.
    >
    > So, by NOT following your recommendation for PMTU Discovery, you
    > inadvertently fix your problem caused by NO ICMP redirect.

    I'm not sure I'm following you here. Without ICMP Redirect enabled,
    Windows will not update its routing table when it receives these ICMP
    packets. With it enabled, it will update the routing table with a route
    to the target for a certain amount of time. Are you saying that by
    setting PMTU discovery to 0, you cause Windows to retain these routes
    permanently? Ouch... that might make for a nice DoS by
    overflowing/saturating the routing table... :)

    Cheers,
    Frank

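The two Windows TCP/IP parameters the thread argues about live in the registry. The following is an added example, not code from either poster: it reads and sets EnableICMPRedirect and EnablePMTUDiscovery and lists the host routes (/32 entries with a real next hop) that an ICMP redirect leaves behind. It assumes an elevated PowerShell session on a Windows version with the NetTCPIP module (Get-NetRoute); on a Windows 2000 box the same registry values are edited with regedit or reg.exe and the routing table is read with `route print`. The function names and the choice to leave PMTU discovery on are this example's, not the thread's.

```powershell
# Added example, not from the thread: inspect and set the Windows TCP/IP
# parameters discussed above and show the host routes ICMP redirects install.
# Assumes an elevated session and the NetTCPIP module (Windows 8 / Server 2012
# or later). Registry path and value names are Microsoft's documented ones.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Windows defaults apply when a value is absent: both are enabled (1).
$Defaults = @{ EnableICMPRedirect = 1; EnablePMTUDiscovery = 1 }

function Get-TcpipParameter {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $TcpipParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Defaults[$Name] }   # not set: OS default
    return [int]$item.$Name
}

function Show-TcpipHardening {
    foreach ($name in $Defaults.Keys) {
        $value = Get-TcpipParameter -Name $name
        $state = if ($value -eq 1) { 'enabled' } else { 'disabled' }
        '{0,-20} = {1} ({2})' -f $name, $value, $state
    }
}

function Set-TcpipParameter {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $TcpipParams)) { throw "Missing key $TcpipParams" }
    Set-ItemProperty -Path $TcpipParams -Name $Name -Value $Value -Type DWord
    # Tcpip reads its Parameters key when the stack initialises; reboot to apply.
}

# Host routes (/32) with a real next hop are the entries an ICMP redirect
# (type 5) adds; the Protocol column shows how each route was learned.
function Get-RedirectCandidateRoutes {
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.DestinationPrefix -like '*/32' -and $_.NextHop -ne '0.0.0.0' } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, Protocol, RouteMetric
}

# Hardening profile used here (an assumption of this example):
#  - ICMP redirects off: the stack stops installing host routes in response
#    to ICMP redirect messages, so the routing table cannot be grown that way.
#  - PMTU discovery left on: with it off, Windows uses a 576-byte MTU for all
#    non-local destinations, while on-subnet traffic keeps the adapter MTU
#    either way, which is the point conceded above.
Show-TcpipHardening
Set-TcpipParameter -Name EnableICMPRedirect  -Value 0
Set-TcpipParameter -Name EnablePMTUDiscovery -Value 1
Show-TcpipHardening
Get-RedirectCandidateRoutes | Format-Table -AutoSize
```

Run Get-RedirectCandidateRoutes before and after a reboot to confirm whether any redirect-learned host routes survive the change; whether they age out with EnablePMTUDiscovery set to 0 is exactly the behaviour the two posters disagree about, so test it on the stack you actually run.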