North American Network Operators Group


Re: Minimum Internet MTU

  • From: Chris Brenton
  • Date: Mon Dec 22 10:21:38 2003

On Mon, 2003-12-22 at 09:36, Robert E. Seastrom wrote:
> You mean like everyone who's still running TCP/IP over AX.25 in the
> ham radio community? 

I actually thought of this, but only as an end-point which would not
generate fragmented packets. I didn't consider that people could be
using Linux or whatever to hide an Ethernet network behind the link,
which of course would fragment the stream.

Looks like I need to drop my threshold to < 500. This is exactly what I
needed, thanks!

> What are you trying to accomplish by killing off the fragments?

My experience has been that attackers still like to use fragmentation as
a method of covering their tracks. No, they do not do it all the time,
but I've noticed that a lot of the time when I've been able to catch
0-day stuff it's fragmented in order to help stealth it.

So what I'm looking for is a definable limit to be able to say "a
non-last fragment below this size is very likely to be hostile and
should be handled accordingly". Running with less than 500 bytes is
still cool, as the stuff I've found is always less than 100 bytes. I'm
just looking to add as much "slop" as possible to catch what I have not
thought of without triggering false positives.

So unless someone knows of a case below 500 bytes, I think I'm all set.
Thanks for the great feedback.
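The rule discussed above ("a non-last fragment below this size is very likely to be hostile"), as an added example that is not part of the thread: it parses an IPv4 header, checks the MF flag and fragment offset, and flags non-last fragments whose payload is under a configurable threshold (500 bytes, the figure the poster settled on). The packet builder and sample packets are constructed for the example; checksums are left zero.

```python
import struct

# Threshold from the thread: a non-last fragment carrying fewer payload
# bytes than this is treated as suspicious. Adjust for links with small MTUs.
MIN_NONLAST_FRAGMENT_PAYLOAD = 500


def parse_ipv4_fragment(pkt: bytes) -> dict:
    """Extract the fragmentation-relevant fields from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    more_fragments = bool(flags_frag & 0x2000)  # MF flag
    frag_offset = (flags_frag & 0x1FFF) * 8     # offset is in 8-byte units
    return {
        "ihl": ihl,
        "total_len": total_len,
        "mf": more_fragments,
        "offset": frag_offset,
        "payload_len": total_len - ihl,
        "proto": proto,
    }


def suspicious_fragment(pkt: bytes, threshold: int = MIN_NONLAST_FRAGMENT_PAYLOAD) -> bool:
    """True for a non-last fragment (MF set) whose payload is below the threshold.

    Last fragments (MF clear) are legitimately small, so they are never flagged.
    """
    h = parse_ipv4_fragment(pkt)
    return h["mf"] and h["payload_len"] < threshold


def build_ipv4(payload: bytes, more_fragments: bool, offset_units: int, proto: int = 6) -> bytes:
    """Constructed sample packet for testing the check (checksum zero, not sendable)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


if __name__ == "__main__":
    tiny_first = build_ipv4(b"\x00" * 24, True, 0)       # 24-byte non-last fragment
    ethernet_sized = build_ipv4(b"\x00" * 1480, True, 0)  # typical 1500-MTU fragment
    small_last = build_ipv4(b"\x00" * 40, False, 185)     # short last fragment
    for name, p in (("tiny_first", tiny_first), ("ethernet", ethernet_sized), ("last", small_last)):
        print(name, "suspicious" if suspicious_fragment(p) else "ok")
```

Non-last fragment payloads are always multiples of 8 bytes, which the constructed samples respect.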