On Thu, 26 Jul 2001 07:12:46 PDT, you said:

> Anyway, most of what I saw this morning was pretty run of the mill, but
> the following seemed kind of odd. Snort trapped it as "MISC Large ICMP
> Packet", which it was - 1472 bytes of NULL. However, it certainly wasn't
> a DoS against me, as it only came every several minutes. All the packets
> were from the same machine (vacuum.cso.uiuc.edu/128.174.5.113), to my
> mail server.

I've seen AIX 4.3.3 do this for 'Path MTU Discovery'. Basically, it sends an interface-MTU sized ICMP ECHO with the Don't Fragment bit set, and sees if anybody complains that fragging is needed.

PMTU Discovery was available all the way back to AIX 4.3.0, but became the default in 4.3.3.

Since *so* many routers and firewalls are misconfigured and break this flavor of PMTU Discovery (usually by gratuitously munching ICMP ECHO or ECHO REPLY). If they at least passed back ICMP UNREACH with the FRAGNEEDED code, it wouldn't be so bad... I do this on all my AIX 4.3.3 boxen that have standard Ethernet with 1500-byte MTUs:

/usr/sbin/no -o udp_pmtu_discover=0 -o tcp_pmtu_discover=0 -o tcp_mssdflt=1396

No, I don't know offhand if vacuum.cso.uiuc.edu is an AIX box. I suspect if it is, somebody there is trying to send you mail....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
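A triage sketch for the alert discussed above, added here as an example (it is not part of the original message and is not Snort code): it checks whether a "large ICMP" packet has the shape described in the reply, an MTU-sized echo request with DF set and uniform padding (1500 - 20 IP - 8 ICMP = 1472 payload bytes), and whether one source sends them at a low rate. The function names, the per-minute threshold and the sample packets (192.0.2.x documentation addresses) are assumptions constructed for the example.

```python
import struct

ETH_MTU = 1500  # standard Ethernet MTU mentioned in the post


def build_echo(total_len, df=True, fill=b"\x00"):
    """Constructed sample: IPv4 + ICMP echo request, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                     0x4000 if df else 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 25]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8, code 0, id 1, seq 1
    return ip + icmp + fill * (total_len - len(ip) - len(icmp))


def looks_like_pmtu_probe(pkt, mtu=ETH_MTU):
    """True for an MTU-sized ICMP echo request with DF set and uniform padding."""
    if len(pkt) < 28:
        return False
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or ihl < 20 or len(pkt) < ihl + 8:
        return False
    df_set = bool(flags_frag & 0x4000)
    fragmented = bool(flags_frag & 0x3FFF)  # MF bit or non-zero fragment offset
    payload = pkt[ihl + 8:total_len]
    return (pkt[ihl] == 8 and pkt[ihl + 1] == 0 and df_set and not fragmented
            and total_len == mtu and len(set(payload)) == 1)


def classify_source(events, mtu=ETH_MTU, max_per_minute=6):
    """events: (unix_time, raw_ip_packet) pairs from one source address.

    max_per_minute is an assumed threshold, not a value from the post.
    """
    probes = sorted(t for t, pkt in events if looks_like_pmtu_probe(pkt, mtu))
    if not probes:
        return "not-pmtu-shaped"
    span_min = max((probes[-1] - probes[0]) / 60.0, 1.0)  # avoid divide-by-zero
    rate = len(probes) / span_min
    return "likely-pmtu-discovery" if rate <= max_per_minute else "high-rate-review"
```

A "likely-pmtu-discovery" result only says the traffic matches the pattern; confirming the sender's operating system still needs other evidence.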
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 12:08:52 PDT