Security Incidents mailing list archives

Re: MISC Large ICMP Packet


From: Valdis.Kletnieks () vt edu
Date: Thu, 26 Jul 2001 12:34:40 -0400

On Thu, 26 Jul 2001 07:12:46 PDT, you said:

> Anyway, most of what I saw this morning was pretty run of the mill, but
> the following seemed kind of odd. Snort trapped it as "MISC Large ICMP
> Packet", which it was - 1472 bytes of NULL. However, it certainly wasn't
> a DoS against me, as it only came every several minutes. All the packets
> were from the same machine (vacuum.cso.uiuc.edu/128.174.5.113), to my
> mail server.

I've seen AIX 4.3.3 do this for 'Path MTU Discovery'.  Basically, it sends
an interface-MTU sized ICMP ECHO with the Don't Fragment bit set, and sees if
anybody complains that fragging is needed.  PMTU Discovery was available
all the way back to AIX 4.3.0, but became the default in 4.3.3.

Since *so* many routers and firewalls are misconfigured and break this
flavor of PMTU Discovery (usually by gratuitously munching ICMP ECHO or
ECHO REPLY).  If they at least passed back ICMP UNREACH with the FRAGNEEDED
code, it wouldn't be so bad...

I do this on all my AIX 4.3.3 boxen that have standard Ethernet with 1500-byte
MTUs:

/usr/sbin/no -o udp_pmtu_discover=0 -o tcp_pmtu_discover=0  -o tcp_mssdflt=1396

No, I don't know offhand if vacuum.cso.uiuc.edu is an AIX box.  I suspect
if it is, somebody there is trying to send you mail....
-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
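An added example (not part of the post above) showing how a defender can tell the PMTU probe Valdis describes apart from other "large ICMP" traffic: it parses a raw IPv4+ICMP packet and checks for the full-MTU, Don't-Fragment, all-NUL echo pattern. The packets are constructed in the script, the 1500-byte Ethernet MTU comes from the post, and the 800-byte "large" threshold and the 10.0.0.25 destination are assumptions.

```python
import socket
import struct

IP_DF = 0x4000  # Don't Fragment flag in the IPv4 flags/fragment-offset field


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, src: str, dst: str, df: bool) -> bytes:
    """Constructed IPv4 + ICMP echo request (test input, not a real capture)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    flags = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, flags, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def classify_icmp(pkt: bytes, iface_mtu: int = 1500, large_thresh: int = 800) -> str:
    """Separate an AIX-style PMTU probe from generic large ICMP.

    pmtu-probe: echo request, DF set, total length == interface MTU, payload all NUL.
    large-icmp: anything else over the assumed Snort-style size threshold.
    """
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if pkt[9] != 1:  # IP protocol 1 == ICMP
        return "not-icmp"
    icmp_type = pkt[ihl]
    payload = pkt[ihl + 8:]
    df_set = bool(flags_frag & IP_DF)
    if icmp_type == 8 and df_set and total_len == iface_mtu and payload == bytes(len(payload)):
        return "pmtu-probe"
    if len(payload) > large_thresh:
        return "large-icmp"
    return "icmp"


if __name__ == "__main__":
    # 20-byte IP + 8-byte ICMP + 1472 NUL bytes == 1500, exactly the post's observation.
    probe = build_echo(b"\x00" * 1472, "128.174.5.113", "10.0.0.25", df=True)
    print(classify_icmp(probe))
```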
