RE: Small TCP packets == very large overhead == DoS?

From: Russ (Russ.Cooperat_private)
Date: Mon Jul 09 2001 - 09:23:22 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    
    According to MSDN, NT 3.5/3.51/4.0 and Windows 2000 implement a
    minimum MSS of 68 bytes (found under the discussion of PMTU and RFC
    791 and 1191), as prescribed by RFC 791.
    
    Also, there's the registry key;
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    EnablePMTUDiscovery = 0 (DWORD)
    
    EnablePMTUDiscovery: completely enables or disables the PMTU
    discovery mechanism. When PMTU discovery is disabled, an MTU of 576
    bytes is used for all non-local destination addresses. PMTU discovery
    is enabled by default.
    
    This would enforce a minimum MSS of 536.
    
    Finally, in the registry key under a specific interface;
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    <interface_name>
    
    there's a subkey called MTU. This can be set to any specific value,
    or can be set to 0xFFFFFFFF to allow for dynamic detection of MTU. If
    it's set to a specific value, it overrides MTU discovery and the key
    EnablePMTUDiscovery.
    
    Ergo, if you're willing to not be able to communicate with clients
    beyond routers that need to fragment your specified MTU, you can
    ensure that it could never be negotiated down by a client (and by
    extrapolation, ensure you never suffer the attack Darren describes).
    
    Remember, however, forcing an MTU of 576 (by disabling
    EnablePMTUDiscovery) means that normal traffic, traffic with
    non-malicious clients, would be broken down into the smaller size
    (576 MTU/536 MSS) and likely cause more degradation in overall
    performance than a single small-MSS attack might cause. The
    EnablePMTUDiscovery key, however, could be used in the event of such
    an attack (and then reset after the attack has subsided).
    
    All of these adjustments to the TCPIP parameters in both NT and W2K
    are dynamic; they don't require a reboot and take effect immediately.
    
    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2
    
    iQCVAwUBO0naehBh2Kw/l7p5AQHb/QQAwoWWhGbV5qGgzVbX1Sel0TiDfVVCl8Nj
    PRl6wpcSSkDvTPnZhydoSwIFwn/pBZjDxQ97ONMURKRp45wnbQexJuZqONmbCggo
    6X+OVN3fFZKqKksz0XZhyz5hxNAYC3DrDX6qMph+VSFvEEMh09ht8+nubRZ6nZ6M
    RoOIBsEJwbU=
    =A5eu
    -----END PGP SIGNATURE-----
    
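The registry checks and the temporary mitigation described in the post above, as an added PowerShell example that is not part of the original message and not code from Russ or NTBugtraq. It reads the three settings the post names (EnablePMTUDiscovery, the per-interface MTU value, and the 0xFFFFFFFF "dynamic" sentinel), reports the effective MTU and MSS per interface under the precedence the post gives, and can flip EnablePMTUDiscovery for the duration of an attack. Two things are assumptions added here: the per-interface keys are looked up under Tcpip\Parameters\Interfaces\<GUID> (the Windows 2000 and later layout; the post's Tcpip\Parameters\<interface_name> path is the NT 4 layout, so $InterfacesKey must be changed for NT 4), and MSS is taken as MTU minus 40 bytes (a 20-byte IPv4 header plus a 20-byte TCP header with no options).

```powershell
# Added example, not from the original post. Reports the effective MTU/MSS each
# interface will use under the precedence the post describes, and can toggle the
# EnablePMTUDiscovery key as a temporary mitigation during a small-MSS attack.
# Run from an elevated PowerShell prompt.
#
# Assumptions (not stated in the post):
#  - per-interface keys live under Tcpip\Parameters\Interfaces\<GUID> (Windows
#    2000 and later); NT 4 used Tcpip\Parameters\<interface_name> as the post says.
#  - MSS = MTU - 40 (20-byte IPv4 header + 20-byte TCP header, no options).

param(
    [switch]$DisablePmtu,   # set EnablePMTUDiscovery=0: MTU 576 / MSS 536 for non-local peers
    [switch]$Restore        # set EnablePMTUDiscovery=1: back to the default
)

$TcpipParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$InterfacesKey = Join-Path $TcpipParams 'Interfaces'   # assumed W2K+ layout
$DynamicMtu    = [uint32]::MaxValue                     # 0xFFFFFFFF = "detect dynamically"

function Get-RegDword {
    # Returns the DWORD value $Name under $Path as an unsigned 32-bit integer,
    # or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # The registry provider hands DWORDs back as Int32, so 0xFFFFFFFF arrives as -1.
    $raw = [int64]$item.$Name
    if ($raw -lt 0) { $raw += 4294967296 }   # undo the Int32 sign wrap
    return [uint32]$raw
}

function Test-PmtuDiscoveryEnabled {
    # Per the post, PMTU discovery is enabled by default, so a missing value means enabled.
    $v = Get-RegDword -Path $TcpipParams -Name 'EnablePMTUDiscovery'
    return (($null -eq $v) -or ($v -ne 0))
}

function Get-EffectiveTcpSettings {
    # Precedence from the post:
    #   1. a per-interface MTU other than 0xFFFFFFFF overrides PMTU discovery and
    #      the EnablePMTUDiscovery key;
    #   2. otherwise EnablePMTUDiscovery=0 pins the MTU to 576 for non-local destinations;
    #   3. otherwise the MTU is discovered per path and there is no fixed floor.
    $pmtuOn = Test-PmtuDiscoveryEnabled
    foreach ($iface in Get-ChildItem -Path $InterfacesKey -ErrorAction SilentlyContinue) {
        $mtu = Get-RegDword -Path $iface.PSPath -Name 'MTU'
        if ($null -ne $mtu -and $mtu -ne $DynamicMtu) {
            $source = 'per-interface MTU override'; $effMtu = $mtu
        } elseif (-not $pmtuOn) {
            $source = 'EnablePMTUDiscovery=0 (non-local destinations)'; $effMtu = 576
        } else {
            $source = 'PMTU discovery (dynamic)'; $effMtu = $null
        }
        $mss = if ($null -ne $effMtu) { [int]$effMtu - 40 } else { $null }
        [pscustomobject]@{
            Interface = $iface.PSChildName
            Source    = $source
            MTU       = $effMtu
            MSS       = $mss
        }
    }
}

function Set-PmtuDiscovery {
    # Writes the global key. The post says NT/W2K pick this up immediately with
    # no reboot; confirm with Get-EffectiveTcpSettings rather than trusting that.
    param([bool]$Enabled)
    Set-ItemProperty -Path $TcpipParams -Name 'EnablePMTUDiscovery' `
        -Value ([int]$Enabled) -Type DWord
}

if ($DisablePmtu) { Set-PmtuDiscovery -Enabled $false }
if ($Restore)     { Set-PmtuDiscovery -Enabled $true }
Get-EffectiveTcpSettings | Format-Table -AutoSize
```

Run it with no switches to see what each interface would currently use; `-DisablePmtu` applies the 576/536 pin the post suggests for the attack window and `-Restore` undoes it. As the post warns, the pin costs every non-local peer throughput, so keep it to the attack window, and a fixed per-interface MTU is a stronger but riskier setting because it also disables discovery for paths that would need fragmentation.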



    This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 15:34:55 PDT