Security Incidents mailing list archives
Re: echo requests, 1480 bytes
From: marcs () ZNEP COM (Marc Slemko)
Date: Tue, 15 Feb 2000 21:32:03 -0700
On Thu, 10 Feb 2000, James Lohman wrote:
Don, You are using norva as your nameserver. I started using them, and thats what I get. Feb 10 16:38:54 wintermute.linuxpron.com icmplogd: ping from ns-norva.navy.mil [205.56.138.34] Feb 10 16:38:55 wintermute.linuxpron.com icmplogd: source quench from ns-norva.navy.mil [205.56.138.34] Change nameservers if it annoys you. =)
Perhaps I can clarify. I believe that what is happening is that the remote system in question is running HPUX. Recent versions of HPUX have an option to use ICMP echo packets with the DF bit set to help out its Path MTU detection algorithm. So the first time you open a TCP connection to the host (or if its PMTU cache has timed out) HPUX sends an ICMP echo request packet, sized according to the smaller of the MSS announced by the remote system and the local MTU. If it gets through and a response gets back, it knows the path that packet went through can handle packets of size x. If not, it tries smaller sizes until it figures out one that works. A description of PMTU-D is available at: http://www.worldgate.com/~marcs/mtu/ Although it doesn't talk about this HPUX oddity. I'm not sure I buy into the way HPUX does things, and it has obvious issues in a lot of cases. So to summarize: some versions of HPUX under some configurations will just do that. Sounds like it could be a good way to perform a DoS attack against the remote host by flooding their outgoing bandwidth. Just forge one SYN packet from each of a large number of hosts, and it will send a packet as big as its local MTU to each of them. This could also be used to attack a remote network, if it has a big enough range of addresses since you can only do it once per IP until the cache expires. HPUX may or may not have some form of built in protection against this.
Current thread:
- Re: echo requests, 1480 bytes Donald McLachlan (Feb 09)
- Ports 41508, 41524 & 41531 Aronius, Joakim (Feb 09)
- Re: Ports 41508, 41524 & 41531 Rick Ballard (Feb 10)
- Re: echo requests, 1480 bytes Brett Glass (Feb 09)
- Re: echo requests, 1480 bytes James Lohman (Feb 10)
- Re: echo requests, 1480 bytes Marc Slemko (Feb 15)
- Re: echo requests, 1480 bytes James Lohman (Feb 10)
- twinkie Vasiliy Kuznetsov (Feb 15)
- Re: twinkie Przemyslaw Frasunek (Feb 16)
- Re: twinkie Pavel Kankovsky (Feb 17)
- Re: echo requests, 1480 bytes Przemyslaw Frasunek (Feb 15)
- <Possible follow-ups>
- Re: echo requests, 1480 bytes Ron Gula (Feb 11)
- Re: echo requests, 1480 bytes Omachonu Ogali (Feb 15)
- Re: echo requests, 1480 bytes Donald McLachlan (Feb 16)
- Re: echo requests, 1480 bytes Mixmaster (Feb 19)
- Re: echo requests, 1480 bytes Fengor Wolfsclaw (Feb 22)
- Ports 41508, 41524 & 41531 Aronius, Joakim (Feb 09)