Bugtraq mailing list archives
RE: Small TCP packets == very large overhead == DoS?
From: Russ <Russ.Cooper () rc on ca>
Date: Mon, 9 Jul 2001 12:23:22 -0400
According to MSDN, NT 3.5/3.51/4.0 and Windows 2000 implement a minimum MSS of 68 bytes (found under the discussion of PMTU and RFC 791 and 1191), as prescribed by RFC 791.

Also, there's the registry key;

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
  EnablePMTUDiscovery = 0 (DWORD)

EnablePMTUDiscovery: completely enables or disables the PMTU discovery mechanism. When PMTU discovery is disabled, an MTU of 576 bytes is used for all non-local destination addresses. PMTU discovery is enabled by default.

This would enforce a minimum MSS of 536.

Finally, in the registry key under a specific interface;

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
  <interface_name>

there's a subkey called MTU. This can be set to any specific value, or can be set to 0xFFFFFFFF to allow for dynamic detection of MTU. If it's set to a specific value, it overrides MTU discovery and the key EnablePMTUDiscovery.

Ergo, if you're willing to not be able to communicate with clients beyond routers that need to fragment your specified MTU, you can ensure that it could never be negotiated down by a client (and by extrapolation, ensure you never suffer the attack Darren describes.)

Remember, however, forcing an MTU of 576 (by disabling EnablePMTUDiscovery) means that normal traffic, traffic with non-malicious clients, would be broken down into the smaller size (576 MTU/536 MSS) and likely cause more degradation in overall performance than a single, small MSS, attack might cause. The EnablePMTUDiscovery key, however, could be used in the event of such an attack (and then reset after the attack has subsided.)

All of these adjustments to the TCPIP parameters in both NT and W2K are dynamic, they don't require a reboot and take effect immediately.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
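
The following is an added example, not part of the original message or of any Microsoft tooling: it models the setting precedence the message describes (a specific interface MTU overrides EnablePMTUDiscovery; discovery off means MTU 576) and compares the per-transfer header cost of each outcome. The function names, mode labels, sample hosts, the 1500-byte discovered path MTU and the 40-byte header size (IPv4 plus TCP, no options) are assumptions made for the illustration.

```python
import math

IP_TCP_HEADERS = 40        # assumption: 20-byte IPv4 + 20-byte TCP header, no options
DYNAMIC_MTU = 0xFFFFFFFF   # per-interface MTU value meaning "detect dynamically"
PMTU_DISABLED_MTU = 576    # MTU for non-local destinations when discovery is off


def resolve_mtu(enable_pmtu_discovery=1, interface_mtu=DYNAMIC_MTU, path_mtu=1500):
    """Apply the precedence from the message; return (mode, mtu).

    path_mtu is an assumption standing in for whatever discovery would find
    (1500 is the usual Ethernet MTU). Mode labels are hypothetical.
    """
    if interface_mtu != DYNAMIC_MTU:
        # A specific interface MTU overrides discovery and EnablePMTUDiscovery.
        return "interface-fixed", interface_mtu
    if enable_pmtu_discovery == 0:
        return "pmtu-disabled", PMTU_DISABLED_MTU
    return "pmtu-discovery", path_mtu


def transfer_cost(mtu, payload_bytes):
    """Segments and header bytes needed to carry payload_bytes at this MTU."""
    mss = mtu - IP_TCP_HEADERS
    if mss <= 0:
        raise ValueError("MTU leaves no room for TCP payload")
    segments = math.ceil(payload_bytes / mss)
    header_bytes = segments * IP_TCP_HEADERS
    overhead = 100 * header_bytes / (header_bytes + payload_bytes)
    return {"mss": mss, "segments": segments,
            "header_bytes": header_bytes, "overhead_pct": round(overhead, 2)}


# Constructed configurations for hypothetical hosts, not values from the thread.
SAMPLE_HOSTS = {
    "default": {"enable_pmtu_discovery": 1, "interface_mtu": DYNAMIC_MTU},
    "discovery-off": {"enable_pmtu_discovery": 0, "interface_mtu": DYNAMIC_MTU},
    "mtu-pinned": {"enable_pmtu_discovery": 0, "interface_mtu": 1500},
}


def audit(hosts=SAMPLE_HOSTS, payload_bytes=1_000_000):
    """Resolve each host's effective MTU and the cost of one transfer."""
    report = {}
    for name, cfg in hosts.items():
        mode, mtu = resolve_mtu(**cfg)
        report[name] = {"mode": mode, "mtu": mtu, **transfer_cost(mtu, payload_bytes)}
    return report


if __name__ == "__main__":
    for name, row in audit().items():
        print(name, row)
```

For a 1,000,000-byte transfer the "discovery-off" host needs roughly 2.7 times as many segments as the default host, which is the performance cost the message weighs against leaving discovery enabled.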