According to MSDN, NT 3.5/3.51/4.0 and Windows 2000 implement a minimum MSS of 68 bytes (found under the discussion of PMTU and RFC 791 and 1191), as prescribed by RFC 791.

Also, there's the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
EnablePMTUDiscovery = 0 (DWORD)

EnablePMTUDiscovery: completely enables or disables the PMTU discovery mechanism. When PMTU discovery is disabled, an MTU of 576 bytes is used for all non-local destination addresses. PMTU discovery is enabled by default.

This would enforce a minimum MSS of 536.

Finally, in the registry key under a specific interface:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
<interface_name>

there's a subkey called MTU. This can be set to any specific value, or can be set to 0xFFFFFFFF to allow for dynamic detection of MTU. If it's set to a specific value, it overrides MTU discovery and the key EnablePMTUDiscovery.

Ergo, if you're willing to not be able to communicate with clients beyond routers that need to fragment your specified MTU, you can ensure that it could never be negotiated down by a client (and by extrapolation, ensure you never suffer the attack Darren describes).

Remember, however, forcing an MTU of 576 (by disabling EnablePMTUDiscovery) means that normal traffic, traffic with non-malicious clients, would be broken down into the smaller size (576 MTU/536 MSS) and likely cause more degradation in overall performance than a single, small MSS attack might cause. The EnablePMTUDiscovery key, however, could be used in the event of such an attack (and then reset after the attack has subsided).

All of these adjustments to the TCPIP parameters in both NT and W2K are dynamic; they don't require a reboot and take effect immediately.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
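An added example, not part of the original post: a small audit script that reads a regedit text export and reports, per interface, which setting wins and the resulting MSS floor, using the precedence and figures as the post states them. The REGEDIT4 sample, the interface names and the 40-byte header allowance (IPv4 plus TCP, no options) are assumptions made for the illustration.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
HEADERS = 40            # assumption: 20-byte IPv4 header + 20-byte TCP header, no options
DYNAMIC = 0xFFFFFFFF    # per the post: MTU value meaning "detect dynamically"

# Constructed sample export; the interface names are hypothetical.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnablePMTUDiscovery"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ExampleNic1]
"MTU"=dword:000005dc

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ExampleNic2]
"MTU"=dword:ffffffff
'''

def parse_dwords(reg_text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def mss_floors(reg_text):
    """Map each interface subkey to (deciding setting, MSS floor), post's precedence."""
    keys = parse_dwords(reg_text)
    pmtud = keys.get(BASE, {}).get("EnablePMTUDiscovery", 1)  # enabled by default
    result = {}
    for path, values in keys.items():
        if not path.startswith(BASE + "\\"):
            continue                      # only subkeys under Parameters
        mtu = values.get("MTU", DYNAMIC)
        if mtu != DYNAMIC:                # fixed MTU overrides everything else
            result[path[len(BASE) + 1:]] = ("fixed MTU", mtu - HEADERS)
        elif pmtud == 0:                  # 576-byte MTU for non-local destinations
            result[path[len(BASE) + 1:]] = ("PMTU discovery off", 576 - HEADERS)
        else:                             # the post's stated minimum of 68
            result[path[len(BASE) + 1:]] = ("PMTU discovery on", 68)
    return result

if __name__ == "__main__":
    for nic, (why, mss) in mss_floors(SAMPLE_REG).items():
        print(f"{nic}: {why}, MSS floor {mss}")
```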
This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 15:34:55 PDT