[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] A new TCP/IP blind data injection technique?

To: full-disclosure@netsys.com
Subject: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
From: Mikael Abrahamsson <swmike@swm.pp.se>
Date: Thu, 11 Dec 2003 21:42:27 +0100 (CET)

On Thu, 11 Dec 2003 Valdis.Kletnieks@vt.edu wrote:

> 1) Disable all ICMP, so the ICMP Frag Needed packets don't make it back, thus
> hosing the connection entirely (send too large packet, frag needed, ICMP
> dropped, timeout, retransmit, lather, rinse, repeat).
> 
> 2) Number their point-to-points out of RFC1918 space, so the ICMP Frag Needed
> gets swallowed by some border router that's doing reasonable ingress/egress
> filtering.

Well, actually as far as I have seen the bad thing when pmtud doesnt work 
is often your server farm load sharer that wont forward the icmp message 
to the appropriate server in the farm. 

So a lot of the technology used out there doesnt even by design take ICMP 
NEED TO FRAG-messages into account when they do things. It's not just 
clueless admins, it's clueless designers of equipment.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
  - From: Valdis.Kletnieks@vt.edu

Prev by Date: [Full-Disclosure] Security....hmmmmm
Next by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerabi lity
Previous by thread: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Next by thread: [Full-Disclosure] RE: A new TCP/IP blind data injection technique?
Index(es):
- Date
- Thread