Re: MISC Large ICMP Packet

From: Valdis.Kletnieksat_private
Date: Thu Jul 26 2001 - 09:34:40 PDT

    On Thu, 26 Jul 2001 07:12:46 PDT, you said:
    
    > Anyway, most of what I saw this morning was pretty run of the mill, but
    > the following seemed kind of odd. Snort trapped it as "MISC Large ICMP
    > Packet", which it was - 1472 bytes of NULL. However, it certainly wasn't
    > a DoS against me, as it only came every several minutes. All the packets
    > were from the same machine (vacuum.cso.uiuc.edu/128.174.5.113), to my
    > mail server.
    
    I've seen AIX 4.3.3 do this for 'Path MTU Discovery'.  Basically, it sends
    an interface-MTU sized ICMP ECHO with the Don't Fragment bit set, and sees if
    anybody complains that fragging is needed.  PMTU Discovery was available
    all the way back to AIX 4.3.0, but became the default in 4.3.3.
    
    *So* many routers and firewalls are misconfigured and break this
    flavor of PMTU Discovery (usually by gratuitously munching ICMP ECHO or
    ECHO REPLY).  If they at least passed back ICMP UNREACH with the FRAGNEEDED
    code, it wouldn't be so bad...
    
    I do this on all my AIX 4.3.3 boxen that have standard Ethernet with 1500-byte
    MTUs:
    
    /usr/sbin/no -o udp_pmtu_discover=0 -o tcp_pmtu_discover=0  -o tcp_mssdflt=1396
    
    No, I don't know offhand if vacuum.cso.uiuc.edu is an AIX box.  I suspect
    if it is, somebody there is trying to send you mail....
    -- 
    				Valdis Kletnieks
    				Operating Systems Analyst
    				Virginia Tech
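
    The probe shape described above, as an added example that is not part of
    the original post or of AIX: it builds the MTU-sized ICMP ECHO with DF set
    and a NUL payload, parses it the way an IDS would, separates that shape from
    a generic "large ICMP" event, and builds the ICMP UNREACH / FRAGNEEDED
    message a router should return instead of dropping the probe. The 800-byte
    "large" threshold, the 192.0.2.x addresses, the IP ID and TTL are this
    example's own assumptions; the 128.174.5.113 source comes from the quoted
    report. Nothing is sent on the wire.

```python
"""Added example (not from the post): PMTU probe build/parse/classify."""
import socket
import struct

IP_HDR_LEN = 20
ICMP_HDR_LEN = 8
ETH_MTU = 1500
IP_FLAG_DF = 0x4000                 # Don't Fragment bit in the flags/frag-offset word
ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_ECHO = 0, 3, 8
ICMP_UNREACH_FRAGNEEDED = 4         # "fragmentation needed and DF set"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, df: bool, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (protocol 1 = ICMP) with a correct header checksum."""
    flags = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload),
                      0x1234, flags, ttl, 1, 0,          # ID 0x1234 is arbitrary (assumption)
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    hdr = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO, 0, csum, ident, seq) + payload


def build_pmtu_probe(src: str, dst: str, mtu: int = ETH_MTU) -> bytes:
    """The probe the post describes: one MTU-sized datagram, DF set, payload all NUL."""
    payload_len = mtu - IP_HDR_LEN - ICMP_HDR_LEN      # 1472 bytes on 1500-byte Ethernet
    return build_ipv4(src, dst, build_icmp_echo(b"\x00" * payload_len), df=True)


def build_frag_needed(router: str, orig: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 / code 4 (RFC 1191 layout: 16 unused bits, then next-hop MTU),
    quoting the offending IP header plus 8 bytes, addressed back to the probe's source."""
    quoted = orig[:IP_HDR_LEN + 8]
    body = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_UNREACH_FRAGNEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(body + quoted)
    icmp = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_UNREACH_FRAGNEEDED, csum, 0, next_hop_mtu)
    return build_ipv4(router, socket.inet_ntoa(orig[12:16]), icmp + quoted, df=False)


def parse(pkt: bytes):
    """Fields an IDS needs from a raw IPv4 packet; None if it is not ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, flags = struct.unpack("!HxxH", pkt[2:8])
    if pkt[9] != 1:
        return None
    icmp = pkt[ihl:total_len]
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "df": bool(flags & IP_FLAG_DF),
        "ip_len": total_len,
        "type": icmp[0],
        "code": icmp[1],
        "icmp_ok": inet_checksum(icmp) == 0,           # ICMP checksum verifies
        "payload": icmp[ICMP_HDR_LEN:],
    }


def classify(pkt: bytes, mtu: int = ETH_MTU, large: int = 800) -> str:
    """Reproduce a 'large ICMP' alert, then split the PMTU-probe shape out of it.
    The 800-byte threshold is an assumption for this demo; match your ruleset."""
    p = parse(pkt)
    if p is None:
        return "not-icmp"
    if p["type"] == ICMP_UNREACH and p["code"] == ICMP_UNREACH_FRAGNEEDED:
        return "frag-needed"                 # PMTU discovery working as designed
    if p["type"] not in (ICMP_ECHO, ICMP_ECHO_REPLY) or len(p["payload"]) <= large:
        return "normal"
    if p["df"] and p["ip_len"] == mtu and not any(p["payload"]):
        return "pmtu-probe"                  # DF set, exactly one MTU, all NUL
    return "large-icmp"                      # big, but not shaped like the probe


def next_hop_mtu(frag_needed_pkt: bytes) -> int:
    """Next-hop MTU a router advertised in a type 3 / code 4 message."""
    ihl = (frag_needed_pkt[0] & 0x0F) * 4
    return struct.unpack("!H", frag_needed_pkt[ihl + 6:ihl + 8])[0]


if __name__ == "__main__":
    probe = build_pmtu_probe("128.174.5.113", "192.0.2.25")   # dst is assumed
    print(len(probe), classify(probe))                        # 1500 pmtu-probe
    reply = build_frag_needed("192.0.2.254", probe, 1280)
    print(classify(reply), next_hop_mtu(reply))               # frag-needed 1280
```

    The classifier keys on the three things the post names: DF set, total
    length equal to the link MTU, and an all-NUL payload. A packet that trips
    the size threshold without that shape is reported as plain "large-icmp",
    and a type 3 / code 4 reply is reported separately, since seeing those
    means the path is answering the probe rather than eating it.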
    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 12:08:52 PDT