Subject: Re: DoS using crafted ICMP "frag needed" packets
To: Ed Ravin <eravin@panix.com>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-net
Date: 06/21/2005 18:41:09
In message <20050621180211.GA360@panix.com>, Ed Ravin writes:

>One of my customers with NetBSD 2.0 was recently hit with an interesting
>DoS attack. [...]
>I looked over netinet/ip_icmp.c, and though I don't grok the code fully,
>I have a few suggestions that should be able to blunt this attack:
>
>1) ignore the ICMP unreachable "need to fragment" message if the "MTU size
>wanted" in the message is equal to or larger than the current MTU size for
>this connection.  This will limit the attacker to sending "only" 1431
>messages before reaching the minimum MTU, 68.  Not enough to stop the
>attack, but at least it blunts it.

A nice response. But what's the impact on PMTU discovery, specifically
in the case that path-PMTU increases?  Isn't the required PMTU-probe
behaviour in that case exactly the scenario (remote peer sends "DF"
segment with a length larger than the current mtu) which you propose to ignore?

Or maybe not, I haven't read that RFC in some time....
[...]

>Any thoughts?  I've opened up kern/30550 on this.
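The check Ed proposes in point 1, written out as a small self-contained model (added example, not NetBSD's ip_icmp.c code): a "need to fragment" message only lowers the per-connection estimate, requests below the 68-byte minimum are clamped to it, and anything not strictly smaller than the current estimate is ignored. The struct and function names are made up for the illustration; the input sequence is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IPv4 minimum MTU a host must accept; the floor the thread refers to. */
#define IP_MIN_MTU 68u

/* Hypothetical per-connection PMTU state (not a kernel structure). */
struct pmtu_state {
    uint32_t mtu;       /* current path-MTU estimate for this connection */
    uint32_t accepted;  /* frag-needed messages that lowered the estimate */
    uint32_t ignored;   /* frag-needed messages dropped by the check */
};

void pmtu_init(struct pmtu_state *s, uint32_t initial_mtu)
{
    s->mtu = initial_mtu;
    s->accepted = 0;
    s->ignored = 0;
}

/* Apply one ICMP "frag needed" message carrying next-hop MTU `advertised`.
 * Returns 1 if the estimate was lowered, 0 if the message was ignored.
 * Note: the comparison is against the current estimate, which is exactly
 * the property the reply above questions for the path-MTU-increase case. */
int pmtu_on_needfrag(struct pmtu_state *s, uint32_t advertised)
{
    if (advertised < IP_MIN_MTU)
        advertised = IP_MIN_MTU;        /* never go below the IPv4 minimum */
    if (advertised >= s->mtu) {         /* equal or larger: ignore */
        s->ignored++;
        return 0;
    }
    s->mtu = advertised;
    s->accepted++;
    return 1;
}

/* Feed a sequence of advertised MTUs; returns how many were accepted. */
size_t pmtu_apply_sequence(struct pmtu_state *s, const uint32_t *adv, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)pmtu_on_needfrag(s, adv[i]);
    return hits;
}

int main(void)
{
    /* Constructed sample: mixed increases, repeats and sub-minimum values. */
    const uint32_t seq[] = { 1500, 1400, 1400, 1500, 1300, 40, 68, 67 };
    struct pmtu_state st;
    pmtu_init(&st, 1500);
    size_t hits = pmtu_apply_sequence(&st, seq, sizeof seq / sizeof seq[0]);
    printf("accepted=%zu ignored=%u mtu=%u\n", hits, st.ignored, st.mtu);
    return 0;
}
```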