Bugtraq mailing list archives

RE: Small TCP packets == very large overhead == DoS?


From: Franck Martin <franck () sopac org>
Date: 10 Jul 2001 18:32:45 +1200

Please note that about 5% of the machines out there do not understand an
MTU different from 1500, because some firewalls block all ICMP packets
instead of sending back the ICMP packet with the recommended MTU.

I'll explain further.

You have a client machine A, a router A with MTU 576, another router B,
a firewall B and a web server B with MTU 1500 and MTU discovery.

You request a page from server B; server B sends a packet of more than
576 bytes with the don't fragment flag set. Router A drops the packet and
sends an ICMP packet back to server B with the MTU required to pass
router A. Firewall B drops the ICMP packet. Server B never learns that
its packet did not arrive.

The same is true if router A drops the packet and doesn't send an ICMP.
We have a black hole router.

Do not filter all ICMP packets!

In NT you can enable BlackHole router discovery (cf. below)

Cheers.

On 09 Jul 2001 08:49:37 -0700, David LeBlanc wrote:
============================================================
EnablePMTUDiscovery     REG_DWORD     0 | 1

Default: 1

Determines whether TCP uses a fixed, default maximum transmission unit
(MTU) or attempts to detect the actual MTU.

Value Meaning
0     TCP uses an MTU of 576 bytes for all connections to computers
      outside the local subnet.
1     TCP attempts to discover the MTU of the path to a remote host.
      By discovering the Path MTU and limiting TCP segments to this
      size, TCP can eliminate fragmentation at routers along the path
      that connects networks with different MTUs. Fragmentation reduces
      TCP throughput and increases network congestion.
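The exchange described in the post, modelled as an added Python example (this is not code from the original post or from any vendor). It sends a 1500-byte-MTU DF segment from server B through firewall B, router B and router A (MTU 576), and compares three senders: one whose ICMP "fragmentation needed" reply gets through, one whose reply is dropped by firewall B, and one that does black hole detection and, after several unacknowledged DF transmissions, clears DF and falls back to a 576-byte path MTU. The hop names, the 6-try limit, the 3-retransmission threshold and the 576-byte fallback are assumptions of the model; the NT registry value the post refers to as BlackHole router discovery is EnablePMTUBHDetect, which the post does not name.

```python
"""Toy model of PMTU discovery, ICMP-filtering firewalls and black hole
routers. Sizes, hop names and retry limits are assumptions, not measured."""
from dataclasses import dataclass

IP_HDR = 20   # bytes of IPv4 header
TCP_HDR = 20  # bytes of TCP header without options


@dataclass
class Packet:
    size: int   # total IP datagram length in bytes
    df: bool    # don't-fragment bit set


@dataclass
class Hop:
    name: str
    mtu: int
    sends_icmp: bool = True     # False: black hole router, drops silently
    filters_icmp: bool = False  # True: firewall dropping all ICMP, "frag needed" included


def forward(path, pkt):
    """Carry pkt along path (sender's side first).

    Returns (delivered, icmp_mtu): icmp_mtu is the MTU the sender actually
    receives in an ICMP "fragmentation needed" message, or None if no such
    message reaches it (either never sent, or filtered on the way back).
    """
    for i, hop in enumerate(path):
        if pkt.size <= hop.mtu:
            continue
        if not pkt.df:
            # Router fragments; the fragments fit this hop (and are re-fragmented later if needed).
            pkt = Packet(hop.mtu, False)
            continue
        # Oversized DF packet: dropped at this hop.
        if not hop.sends_icmp:
            return False, None                      # black hole router
        # The ICMP reply travels back through the hops already crossed.
        if any(h.filters_icmp for h in path[:i]):
            return False, None                      # firewall ate the ICMP
        return False, hop.mtu
    return True, None


def send_segment(path, payload_len=1400, bh_detect=False,
                 bh_threshold=3, max_tries=6, fallback_mtu=576):
    """Model server B sending one data segment with PMTU discovery on.

    With bh_detect (the NT behaviour: after several retransmissions go
    unanswered, send without DF and use a smaller MSS) the sender falls
    back to fallback_mtu and clears DF after bh_threshold failed tries.
    """
    path_mtu, df, tries = 1500, True, 0
    while tries < max_tries:
        mss = path_mtu - IP_HDR - TCP_HDR
        pkt = Packet(min(payload_len, mss) + IP_HDR + TCP_HDR, df)
        tries += 1
        delivered, icmp_mtu = forward(path, pkt)
        if delivered:
            return {"delivered": True, "tries": tries, "path_mtu": path_mtu, "df": df}
        if icmp_mtu is not None:
            path_mtu = icmp_mtu          # classic PMTUD: shrink and resend
        elif bh_detect and df and tries >= bh_threshold:
            path_mtu, df = fallback_mtu, False   # black hole detection kicks in
    return {"delivered": False, "tries": tries, "path_mtu": path_mtu, "df": df}


def scenarios():
    """The cases from the post (constructed topology), keyed by description."""
    fw_filters = Hop("firewall B", 1500, filters_icmp=True)
    fw_open = Hop("firewall B", 1500)
    router_b = Hop("router B", 1500)
    router_a = Hop("router A", 576)
    blackhole_a = Hop("router A", 576, sends_icmp=False)
    return {
        "icmp passes, PMTUD works": send_segment([fw_open, router_b, router_a]),
        "firewall filters ICMP, no BH detect": send_segment([fw_filters, router_b, router_a]),
        "firewall filters ICMP, BH detect": send_segment([fw_filters, router_b, router_a], bh_detect=True),
        "black hole router, BH detect": send_segment([fw_open, router_b, blackhole_a], bh_detect=True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:38s} {outcome}")
```

The second scenario is the one the post warns about: the sender keeps retransmitting the same oversized DF segment and the connection stalls, because the only signal that would tell it to shrink the segment is the ICMP message the firewall discards. Black hole detection rescues the connection at the cost of a few extra round trips, which is why filtering ICMP wholesale is the wrong fix.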

