Security Incidents mailing list archives

Re: echo requests, 1480 bytes


From: marcs () ZNEP COM (Marc Slemko)
Date: Tue, 15 Feb 2000 21:32:03 -0700


On Thu, 10 Feb 2000, James Lohman wrote:

> Don,
>
> You are using norva as your nameserver. I started using them, and that's
> what I get.
>
> Feb 10 16:38:54 wintermute.linuxpron.com icmplogd: ping from
> ns-norva.navy.mil [205.56.138.34]
> Feb 10 16:38:55 wintermute.linuxpron.com icmplogd: source quench from
> ns-norva.navy.mil [205.56.138.34]
>
> Change nameservers if it annoys you. =)

Perhaps I can clarify.

I believe that what is happening is that the remote system in question is
running HPUX.  Recent versions of HPUX have an option to use ICMP echo
packets with the DF bit set to help out its Path MTU detection algorithm.
So the first time you open a TCP connection to the host (or if its PMTU
cache has timed out) HPUX sends an ICMP echo request packet, sized
according to the smaller of the MSS announced by the remote system and the
local MTU.  If it gets through and a response gets back, it knows the path
that packet went through can handle packets of size x.  If not, it tries
smaller sizes until it figures out one that works.

A description of PMTU-D is available at:

        http://www.worldgate.com/~marcs/mtu/

Although it doesn't talk about this HPUX oddity.  I'm not sure I buy into
the way HPUX does things, and it has obvious issues in a lot of cases.

So to summarize: some versions of HPUX under some configurations will just
do that.

Sounds like it could be a good way to perform a DoS attack against the
remote host by flooding their outgoing bandwidth.  Just forge one SYN
packet from each of a large number of hosts, and it will send a packet as
big as its local MTU to each of them.  This could also be used to attack a
remote network, if it has a big enough range of addresses since you can
only do it once per IP until the cache expires.  HPUX may or may not have
some form of built-in protection against this.
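
A triage sketch for the behaviour described above, added here as an example and not part of the original post: it flags an inbound ICMP echo request as a likely PMTU probe only when the DF bit is set and the local host recently opened a TCP connection to the sender. The 5-second window, the MSS + 40 size bound, the function names and the sample addresses are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

PMTU_WINDOW = 5.0  # assumption: max seconds between our SYN and the probe


def parse_echo(pkt: bytes):
    """Return (src, total_len, df) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or pkt[9] != 1 or flags_frag & 0x1FFF:
        return None  # not ICMP, or a later fragment with no ICMP header
    if len(pkt) <= ihl or pkt[ihl] != 8:
        return None  # ICMP type 8 is echo request
    return str(IPv4Address(pkt[12:16])), total_len, bool(flags_frag & 0x4000)


def classify(pkt: bytes, ts: float, outbound: dict) -> str:
    """outbound maps peer IP -> (time of our SYN, MSS we announced)."""
    parsed = parse_echo(pkt)
    if parsed is None:
        return "not-echo"
    src, total_len, df = parsed
    conn = outbound.get(src)
    if conn is None or not df:
        return "unsolicited-echo"
    syn_ts, mss = conn
    recent = 0 <= ts - syn_ts <= PMTU_WINDOW
    # Assumption: probe is no larger than announced MSS + 40 header bytes.
    fits = total_len <= mss + 40
    return "pmtu-probe-likely" if recent and fits else "unsolicited-echo"


def make_echo(src: str, dst: str, total_len: int, df: bool) -> bytes:
    """Constructed sample: IPv4 + ICMP echo headers only, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1,
                     0x4000 if df else 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1)


if __name__ == "__main__":
    # Constructed data: we sent a SYN to 192.0.2.10 at t=100.0 with MSS 1460.
    outbound = {"192.0.2.10": (100.0, 1460)}
    probe = make_echo("192.0.2.10", "198.51.100.5", 1480, True)
    print(classify(probe, 100.4, outbound))  # correlated with our connection
    print(classify(probe, 400.0, outbound))  # same packet, no recent SYN
```

Echo requests that come back as `unsolicited-echo` are the ones worth a closer look, since nothing the local host did explains them.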

