Security Incidents mailing list archives

Re: Idiotic question


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Mon, 28 Feb 2000 16:33:32 -0800


This is likely part of TCP MTU discovery. Fragmentation is more efficient at
the TCP layer, so the TCP stack attempts to discover the "path MTU" -- the
largest IP packet that can travel end-to-end. TCP machines send out packets
with the DF (Don't Fragment) bit set, then listen for intervening routers
that can't forward the packet.

For example, your TCP connection might send out a 1500 byte packet (max
Ethernet size), but some router in Taiwan has a serial link that has a
maximum packet size of 576 bytes. Because your machine has set the DF bit,
the router cannot fragment it. It will instead send back the ICMP packet
that you saw.

This is perfectly normal.

BTW, this ICMP packet is the only one that is strictly necessary to allow
through firewalls.

Robert Graham

PS: http://www.robertgraham.com/pubs/firewall-seen.html#2.3.4

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On
Behalf Of Joe User
Sent: Friday, February 25, 2000 7:32 PM
To: INCIDENTS () securityfocus com
Subject: Idiotic question

Howdy!

As I was watching the logs tonight, I wound up with this entry in there:

Feb 25 21:23:35 localhost icmplog[246]: 139.175.17.1: fragmentation needed
(IP_DF set)
Feb 25 21:23:37 localhost icmplog[246]: 139.175.17.1: fragmentation needed
(IP_DF set)

It seems vaguely familiar, but I sure can't recall what it is. It reminds
me of some of the older Jolt attempts, but I can't remember for the life
of me. Any help would be appreciated. Thanks!

Atralakh Information Archives: ftp://atralakh.darktech.org
Atralakh Haven: telnet://atralakh.darktech.org:2300
About Atralakh: gopher://atralakh.darktech.org
My home page: http://home.centurytel.net/kronovohr/
E-mail: kronovohr<at>centurytel<dot>net

        push ax,dx
         xor dx,dx
         pop ax
        push computer,out_window
          db 09 FF F8 F7 2E 0H SH 1T !!
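The mechanism Graham describes above, worked through as an added example (not code from either poster): a Python script that builds the ICMP "fragmentation needed, DF set" report a router would return for a too-large DF packet, parses it back out (type 3 / code 4, RFC 1191 Next-Hop MTU, checksum, quoted original header), applies a strict version of the firewall rule from the reply (pass only fragmentation-needed reports whose quoted datagram we ourselves sent), and simulates the sender shrinking its packet size until the path accepts it. All addresses, MTUs and the hop list are constructed; the IPv4 header checksum is left at zero because nothing here validates it.

```python
import struct

# ICMP type/code for "destination unreachable: fragmentation needed and DF set" (RFC 792 / RFC 1191)
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IP_FLAG_DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset field


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Run over a message whose
    checksum field is already filled in, a valid message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int, df: bool = True, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left at zero; constructed for the demo)."""
    flags_frag = IP_FLAG_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                       64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def build_frag_needed(original_datagram: bytes, next_hop_mtu: int) -> bytes:
    """What the router in the post sends back: ICMP type 3 code 4, the RFC 1191
    Next-Hop MTU field, and the first 28 bytes (IP header + 8) of the dropped datagram."""
    quoted = original_datagram[:28]
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """Return the fields a host (or a stateful firewall) needs from a fragmentation-needed
    report, or None if the message is not a well-formed one."""
    if len(icmp) < 36:  # 8-byte ICMP header + 20-byte quoted IP header + 8 bytes of payload
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(icmp) != 0:  # corrupted in transit, or a forgery with no valid checksum
        return None
    (_, _, total_len, _, flags_frag, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    return {"next_hop_mtu": mtu, "original_src": bytes_to_ip(src), "original_dst": bytes_to_ip(dst),
            "original_length": total_len, "df_set": bool(flags_frag & IP_FLAG_DF), "protocol": proto}


def firewall_allows_inbound_icmp(icmp: bytes, local_ip: str) -> bool:
    """Graham's rule, made strict: admit fragmentation-needed reports, but only when the
    quoted datagram was sent by us (inner source address is our own). Everything else is dropped."""
    info = parse_frag_needed(icmp)
    return info is not None and info["original_src"] == local_ip


def discover_path_mtu(path_mtus, start_size, min_size=68):
    """Simulate path MTU discovery: the first hop whose link is smaller than the DF packet
    reports its MTU, the sender shrinks to that value and retries, until no hop complains.
    Returns (path_mtu, [(hop_index, reported_mtu), ...]); path_mtu is None if the size
    would have to drop below min_size."""
    size, reports = start_size, []
    while size >= min_size:
        for hop, mtu in enumerate(path_mtus):
            if size > mtu:
                reports.append((hop, mtu))
                size = mtu  # RFC 1191: adopt the Next-Hop MTU from the report
                break
        else:
            return size, reports
    return None, reports


if __name__ == "__main__":
    # Constructed scenario: our host 192.0.2.10 sends a 1500-byte DF packet; the third hop is a 576-byte link.
    dropped = build_ipv4_header("192.0.2.10", "198.51.100.7", 1500) + b"\x00" * 8
    report = build_frag_needed(dropped, 576)
    print(parse_frag_needed(report))
    print("firewall passes report:", firewall_allows_inbound_icmp(report, "192.0.2.10"))
    print("discovered path MTU:", discover_path_mtu([1500, 1500, 576, 1500], 1500))
```

The inner-source check is what makes the "allow this one ICMP type" rule safe to apply generically: a report that quotes a datagram we never sent carries nothing the local stack can act on, so it can be dropped without harming PMTU discovery.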
