[Snort-users] DF and MF

Jeff Nathan jeff at ...950...
Sat Apr 5 13:57:03 EST 2003

Linux PMTU discovery will set DF on a packet with MF already set.  It's 
anomalous but the Linux folks tend to disagree.  Their current 
implementation disregards, specifically, the fact that certain protocols 
should not be subject to "optimizations" on behalf of PMTU discovery 
(namely NFS).  It is by no means trivial to create a more intelligent PMTU 
discovery mechanism in Linux, nevertheless it should be done.

Initially it was OpenBSD's packet filter (pf) that was making note of this 
anomalous behavior.  The Linux folks sarcastically mentioned "These weird 
BSD firewalls are the only systems blocking these packets...".[1]  Applying 
the term blocking loosely, this is clearly not the case as Snort is the 
most widely deployed network intrusion detection technology on the planet 
and any well implemented defragmentation logic will consider this anomalous 
as well.

[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084

-Jeff

--On Tuesday, April 01, 2003 00:20:19 -0800 Clayton Mascarenhas 
<masclaythesnort at ...131...> wrote:

> Dear list,
> The DF bit is set when we need to find the PMTU. However my Snort IDS is
> detecting packets to my network that have both the DF as well as the MF
> bit set. When does this scenario happen?? How useful would this be to an
> attacker? Could someone please help me out?
> Thanks

--
http://cerberus.sourcefire.com/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
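As an added illustration (not code from either poster or from Snort), here is a small IPv4 header inspector that reports the combination Jeff describes, DF set on a packet that is also a fragment; it goes slightly beyond the thread by also treating DF on a non-first fragment (offset > 0, MF clear) and a set reserved flag as anomalous. The header builder and sample packets are constructed here for the demonstration and are not captured traffic.

```python
import struct

# IPv4 flags occupy the top 3 bits of the 16-bit flags/fragment-offset word
IP_RF = 0x4  # reserved bit, must be zero
IP_DF = 0x2  # Don't Fragment
IP_MF = 0x1  # More Fragments


def parse_ipv4_fragment_fields(packet: bytes) -> dict:
    """Return id, flags and byte offset from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _tos, total_len, ident, frag_word = struct.unpack("!BBHHH", packet[:8])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags = frag_word >> 13
    offset = (frag_word & 0x1FFF) * 8  # offset is stored in 8-byte units
    return {"id": ident, "total_len": total_len, "offset": offset,
            "rf": bool(flags & IP_RF), "df": bool(flags & IP_DF), "mf": bool(flags & IP_MF)}


def classify_fragment(packet: bytes) -> str:
    """Classify a header the way a strict defragmenter would."""
    f = parse_ipv4_fragment_fields(packet)
    is_fragment = f["mf"] or f["offset"] > 0
    if f["rf"]:
        return "anomalous: reserved flag set"
    if f["df"] and is_fragment:
        # The Linux PMTU case from the thread: DF and MF on the same packet.
        return "anomalous: DF set on a fragment"
    return "fragment" if is_fragment else "unfragmented"


def make_ipv4_header(flags: int, offset_units: int, ident: int = 0x1234,
                     total_len: int = 1500) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left as zero)."""
    frag_word = (flags << 13) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, frag_word,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


# Constructed sample headers, not captured traffic
NORMAL = make_ipv4_header(IP_DF, 0)           # ordinary PMTU-discovery datagram
FIRST_FRAG = make_ipv4_header(IP_MF, 0)       # first fragment of a large datagram
LAST_FRAG = make_ipv4_header(0, 185)          # last fragment, offset 1480 bytes
DF_MF = make_ipv4_header(IP_DF | IP_MF, 0)    # the case discussed in the thread
```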