Peter Sichel Letter (to MacIntouch.com)

Subject: Another angle on Mac Attack story

Date: Tue, 28 Dec 1999 11:50:02 -0500

From: Peter Sichel

Hi Ric,

I read your Mac Attack report this morning and wanted to offer some additional insight.

As you know, Mac OS 9 includes Open Transport 2.5.x which upgraded to version 3.5 of Mentat/TCP. As I understand it, Mentat 3.5 uses a new technique to perform Automatic Path MTU Discovery that is generating the 1500 byte ICMP echo requests.

The idea behind Automatic Path MTU Discovery is to optimize network performance by sending the largest possible IP datagrams that will not require fragmentation and reassembly (which creates extra Internet traffic and processing overhead).

Previously the Mac would set the "Don't Fragment" flag in all outgoing datagrams. If a packet was too large for a network segment in the path to the destination, the corresponding router would respond with an ICMP "Fragmentation needed and DF set" message and discard the packet. When the original sender received the ICMP notification that the packet could not be forwarded, it would reduce the packet size by the next standard step. Thus packets are not fragmented and the sender quickly determines the optimum packet size for each connection. This technique has been an optional protocol standard (RFC) for some time.

One weakness of this technique is that if the ICMP "Fragmentation needed and DF set" messages are not returned to the client (blocked by a firewall, for example), the client will continue to send messages that cannot be forwarded to the destination. To work around this limitation, a new scheme was developed.

The client no longer sets the Don't Fragment flag in all outgoing packets. Instead it sends a 1500 byte ICMP echo request (ping) with DF set as a probe to determine the path MTU. If the ping is returned intact, it knows the path MTU is 1500; if the client receives an ICMP "Fragmentation needed and DF set", it can read the required MTU as a parameter of this message or try a smaller probe. If there is no response, it can assume a minimum packet size, or simply allow outgoing datagrams to be fragmented. The message will still get through.

The problem just discovered is that the client can be fooled into sending a 1500 byte probe packet at inappropriate times, and this probe can be used as part of an attack on other hosts. Professor Copeland describes "the other half of the defense" as having network administrators and router vendors configure their equipment to discard 1500-byte ICMP datagrams. This would obviously compromise the new path MTU discovery technique.

Finally, I need to acknowledge that this information is based on my own observations and may be incomplete or not entirely accurate. I'm willing to risk some embarrassment to hopefully increase the community's understanding of the issues.

Kind Regards,

- Peter Sichel

[Peter runs the Mac networking software company, Sustainable Softworks. -MacInTouch]
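The following is an added example for this page, not code from Peter Sichel, Sustainable Softworks or Apple's Open Transport: an offline Python model of the probe-based exchange the letter describes. It builds the 1500-byte ICMP echo request with DF set, models a router on a smaller link that either answers with an ICMP "fragmentation needed and DF set" message carrying the RFC 1191 next-hop MTU, answers with that field left zero, or silently drops the probe, and then walks the client's decisions: re-probe at the reported MTU, step down the RFC 1191 plateau table when no MTU is reported, or give up on DF when nothing comes back. The host addresses, the link MTUs, the router behaviour and the use of the plateau table as "the next standard step" are assumptions made here for illustration.

```python
# Added example, not code from the letter or from Open Transport: an offline model of the
# probe-based Path MTU discovery exchange. Packet bytes, addresses and router behaviour
# are constructed here for illustration.
import struct

IP_DF = 0x4000               # IPv4 "Don't Fragment" bit in the flags/fragment-offset field
ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4         # type 3, code 4: "fragmentation needed and DF set"
DROPPED = object()           # sentinel: the probe vanished and no ICMP error came back

# RFC 1191 plateau table, used to step down when a router reports no MTU (assumption:
# this is what "the next standard step" in the letter refers to).
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]

SRC = bytes([10, 0, 0, 1])    # constructed client address
DST = bytes([10, 0, 0, 2])    # constructed destination address
RTR = bytes([10, 0, 0, 254])  # constructed router address


def checksum(data):
    """One's-complement Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(total_len, proto, src, dst, df):
    """20-byte IPv4 header with the checksum filled in; DF set when `df` is true."""
    flags = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_probe(size=1500, df=True):
    """ICMP echo request padded to `size` bytes on the wire: the path MTU probe."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + b"\x00" * (size - 28)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(size, 1, SRC, DST, df) + icmp


def router_forward(packet, link_mtu, mode="report"):
    """Model one router feeding a link of `link_mtu` bytes.
    None: the packet fits (or may be fragmented) and is carried on. DROPPED: too big with
    DF set, but the ICMP error never reaches the client (the firewall case). Otherwise an
    ICMP type 3 code 4 message whose next-hop MTU field is filled in ("report") or left
    zero ("zero", as a pre-RFC 1191 router would)."""
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags = struct.unpack("!H", packet[6:8])[0]
    if total_len <= link_mtu or not flags & IP_DF:
        return None
    if mode == "drop":
        return DROPPED
    next_hop_mtu = link_mtu if mode == "report" else 0
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += packet[:28]                 # original IP header plus first 8 bytes (RFC 792)
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(20 + len(body), 1, RTR, packet[12:16], df=False) + body


def parse_frag_needed(reply):
    """Next-hop MTU from a 'fragmentation needed' message, or None if it is not one."""
    icmp = reply[(reply[0] & 0x0F) * 4:]
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_FRAG_NEEDED:
        return None
    return struct.unpack("!H", icmp[6:8])[0]


def discover_path_mtu(links, start=1500):
    """Probe a path of (link_mtu, mode) hops, starting with a `start`-byte probe.
    Returns the size the probe finally traverses intact, or None when a probe vanished
    without any ICMP reply: the client's cue to stop relying on DF and let its datagrams
    be fragmented instead."""
    size = start
    while True:
        probe = build_probe(size)
        reply = None
        for link_mtu, mode in links:
            reply = router_forward(probe, link_mtu, mode)
            if reply is not None:
                break
        if reply is None:
            return size                 # the echo request reaches the far end intact
        if reply is DROPPED:
            return None
        reported = parse_frag_needed(reply)
        if reported:
            size = reported             # router told us the MTU: re-probe at that size
        else:
            smaller = [p for p in PLATEAUS if p < size]
            if not smaller:
                return None
            size = smaller[0]           # no MTU reported: try the next plateau down
```

Calling `discover_path_mtu([(1500, "report"), (1492, "report"), (1006, "report")])` returns 1006 after three probes, while a single hop that leaves the MTU field zero, `[(1000, "zero")]`, settles on the plateau 508 rather than the true 1000, which is the price of the table-driven step-down; a hop in `"drop"` mode returns None, the blackhole case in which the client should stop setting DF.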