New Denial of Service attack exploits special ICMP flags
15 Jan. 2001
A new attack exploits two flags in ICMP packets and enables attackers to considerably slow down connections between two remote hosts (where at least one has the PMTU discovery enabled). This attack can be done using spoofed TCP/IP packet to hide the real attacker.
The information has been provided by antirez.
Most TCP/IP stacks that support PMTU discovery. Most notably:
The path MTU discovery is used to optimize TCP/IP connection performance. The stack takes a hash table with the MTU of other ends. When an ICMP "fragmentation needed and DF set" reaches the stack, it perform a look-up in the hash table, searching for the old MTU. It then looks at the size of the quoted packet (inside the ICMP packet), and computes the new MTU.
This process opens a possibility for attack; it is possible to cause the host to recalculate the MTU between two hosts even if it is not needed.
Lets take two hosts - A and B that use IP communications. Let say C - The attacker - is able to spoof IP packets in the communication between A and B.
C sends an ICMP echo request containing some data, where the source address is set to A and the destination address is set to B.
B will now create a new entry in the hash table (if there isn't an old one).
C Sends an ICMP "fragmentation needed and DF set", with the source address set to A and the destination address set to B, quoting the ICMP echo-reply response that we can guess (set the right TOS (usually 0x40) if you want to make sure that this works).
B Sets the new MTU in relation to the quoted packet total length.
You may want to send these packets once every second, just to avoid expires. In addition, it may be useful if the MSS TCP option has been set to override the MTU (it shouldn't, but some implementations may do this), otherwise you can send even less spoofed packets.