Security Incidents mailing list archives
Re: MISC Large ICMP Packet
From: Valdis.Kletnieks () vt edu
Date: Thu, 26 Jul 2001 12:34:40 -0400
On Thu, 26 Jul 2001 07:12:46 PDT, you said:
> Anyway, most of what I saw this morning was pretty run of the mill, but the following seemed kind of odd. Snort trapped it as "MISC Large ICMP Packet", which it was - 1472 bytes of NULL. However, it certainly wasn't a DoS against me, as it only came every several minutes. All the packets were from the same machine (vacuum.cso.uiuc.edu/128.174.5.113), to my mail server.

I've seen AIX 4.3.3 do this for 'Path MTU Discovery'. Basically, it sends an interface-MTU sized ICMP ECHO with the Don't Fragment bit set, and sees if anybody complains that fragging is needed.

PMTU Discovery was available all the way back to AIX 4.3.0, but became the default in 4.3.3. Since *so* many routers and firewalls are misconfigured and break this flavor of PMTU Discovery (usually by gratuitously munching ICMP ECHO or ECHO REPLY). If they at least passed back ICMP UNREACH with the FRAGNEEDED code, it wouldn't be so bad...

I do this on all my AIX 4.3.3 boxen that have standard Ethernet with 1500-byte MTUs:

    /usr/sbin/no -o udp_pmtu_discover=0 -o tcp_pmtu_discover=0 -o tcp_mssdflt=1396

No, I don't know offhand if vacuum.cso.uiuc.edu is an AIX box. I suspect if it is, somebody there is trying to send you mail....

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
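
A triage check for the pattern discussed in this message, added here as an example and not part of the original post: it separates an MTU-sized ICMP ECHO with Don't Fragment set and an all-NULL payload (1500 - 20 - 8 = 1472 bytes) from other large ICMP packets. The function names, the 800-byte `LARGE_PAYLOAD` threshold and the documentation-range addresses in the constructed sample packets are assumptions.

```python
import struct

ETHERNET_MTU = 1500      # standard Ethernet MTU, as in the post
LARGE_PAYLOAD = 800      # assumed alert threshold in bytes (not from the post)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(payload: bytes, df: bool) -> bytes:
    """Constructed sample: IPv4 + ICMP echo request between documentation addresses."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0,
                      0x4000 if df else 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 25]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + icmp

def classify(packet: bytes, mtu: int = ETHERNET_MTU) -> str:
    """Return 'pmtu-probe-like', 'large-icmp' or 'other' for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if packet[9] != 1 or ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return "other"                      # not ICMP, or truncated/malformed
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    payload = packet[ihl + 8:total_len]
    df_set = bool(flags_frag & 0x4000)
    if (icmp_type == 8 and icmp_code == 0 and df_set
            and total_len == mtu and not any(payload)):
        return "pmtu-probe-like"            # MTU-sized echo, DF set, all-NULL data
    return "large-icmp" if len(payload) > LARGE_PAYLOAD else "other"

if __name__ == "__main__":
    for name, pkt in [("1472 NULL bytes, DF", build_echo(bytes(1472), True)),
                      ("1472 NULL bytes, no DF", build_echo(bytes(1472), False)),
                      ("1472 x 'A', DF", build_echo(b"A" * 1472, True)),
                      ("56-byte ping", build_echo(bytes(56), False))]:
        print(f"{name:24} -> {classify(pkt)}")
```

A "pmtu-probe-like" result only says the packet matches the shape described in the message; it does not identify the sending operating system.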
Current thread:
- MISC Large ICMP Packet Chris Hobbs (Jul 26)
- Re: MISC Large ICMP Packet Opus (Jul 26)
- Re: MISC Large ICMP Packet Chris Hobbs (Jul 26)
- Re: MISC Large ICMP Packet Valdis . Kletnieks (Jul 26)
- Re: MISC Large ICMP Packet Opus (Jul 26)