netbsd-bugs: kern/30550: denial-of-service attack using ICMP "need to fragment" messages and MTU set to 1500

Subject: kern/30550: denial-of-service attack using ICMP "need to fragment" messages and MTU set to 1500
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <eravin@panix.com>
List: netbsd-bugs
Date: 06/18/2005 15:12:00

>Number:         30550
>Category:       kern
>Synopsis:       denial-of-service attack using ICMP "need to fragment" messages and MTU set to 1500
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 18 15:12:00 +0000 2005
>Originator:     Ed Ravin
>Release:        2.0
>Organization:
PANIX Public Access Networks Corp
>Environment:
NetBSD victimwebserver 2.0 NetBSD 2.0 (PANIX-WEB) #1: Thu Jan 20 22:05:35 EST 2005  root@trinity.nyc.access.net:/devel/netbsd/2.0/src/sys/arch/i386/compile/PANIX-WEB i386
>Description:
We were hit by a DoS attack we haven't heard of before, which might be
remediable by updating the way NetBSD handles ICMP "Need to Fragment"
unreachable messages.

The attacker opened up connections to the victim Web server on port 80,
and began fetching the home page.  When the first packet of the
response was sent out (a full 1500 byte packet), the attacker sent this
response:

  20:35:00.988340 IP attacker.example.com > victimwebserver.example.net: icmp 36
: attacker.example.com unreachable - need to frag (mtu 1500)

So the victim's Web server changed the MTU size for that connection from 1500
to 1500, and then tried sending the packet again.  And again.  And again.
With multiple connections open, and by constantly responding to every TCP
packet with another ICMP unreachable as shown above, the attacker was able
to cause the victim to send a large amount of data, wasting our network
bandwidth and filling up mbufs on the victim machine.

Perhaps NetBSD could ignore the "need to fragment" message if the MTU
size asked for matches the existing size?  And/or put some rate limiting
on how many times it will act on the unreachable message?

More data (including partial tcpdump logs) is available upon request.

>How-To-Repeat:

>Fix:
As a workaround, we've blocked all "ICMP unreachable - need to fragment" packets at our border routers.  We're not happy with this, since it means PMTUD is broken everywhere.