> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@ghettot.org]
> <snip>
> 1. Path MTU discovery (DF set) prevents fragmentation [*]; some modern
> systems (Linux) default to this mode - although PMTU discovery is
> also known to cause problems in certain setups, so it is not always
> the best way to stop the attack.
>
> [*] Also note that certain types of routers or tunnels tend to
> ignore the DF flag, possibly opening this vector again.

<snip>

> Note that this has nothing to do with old firewall bypassing techniques
> and other tricks that used fragmentation to fool IDSes and so on -
> mandatory defragmentation of incoming traffic on perimeter devices will
> not solve the problem.

I concluded some time back -- coming at it from an entirely different angle from either of these -- that IP-layer fragmentation and reassembly was fatally flawed. All sane implementations should set DF, and all but the most secure of tunnels should honour it.

David Gillett
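As an added illustration of the header fields this thread is arguing about (example code, not part of the original messages), the following Python script parses an IPv4 header, decodes the DF and MF flags and the fragment offset, verifies the RFC 791 header checksum, and classifies packets as "DF set", "fragmentable" or "fragment". This is the check a packet audit or IDS preprocessor would run to see whether traffic is really arriving with DF set, or whether some router or tunnel on the path is ignoring it and fragmenting anyway. All packets are constructed inside the block with the helper `build_ipv4_header`; that helper, the function names and the sample addresses are assumptions of the example.

```python
import struct
from typing import Dict, List

IP_DF = 0x4000          # "Don't Fragment" bit in the flags/fragment-offset field
IP_MF = 0x2000          # "More Fragments" bit
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 octets


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte IPv4 header, including the fragmentation fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL / truncated header")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ident": ident,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & IP_OFFSET_MASK) * 8,   # bytes
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def is_fragment(hdr: Dict[str, object]) -> bool:
    """A packet is a fragment if MF is set or it carries a non-zero offset (last fragment)."""
    return bool(hdr["mf"]) or int(hdr["frag_offset"]) > 0


def classify(hdr: Dict[str, object]) -> str:
    if is_fragment(hdr):
        return "fragment"
    return "df_set" if hdr["df"] else "fragmentable"


def audit(packets: List[bytes]) -> Dict[str, int]:
    """Count how traffic splits between DF-protected, fragmentable and already-fragmented packets."""
    counts = {"df_set": 0, "fragmentable": 0, "fragment": 0, "bad_checksum": 0}
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        if not hdr["checksum_ok"]:
            counts["bad_checksum"] += 1
        counts[classify(hdr)] += 1
    return counts


def build_ipv4_header(src: str, dst: str, ident: int, *, df: bool = False, mf: bool = False,
                      offset: int = 0, payload_len: int = 0, proto: int = 6, ttl: int = 64) -> bytes:
    """Constructed test header with a valid checksum (example helper, not captured traffic)."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | ((offset // 8) & IP_OFFSET_MASK)
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


# Constructed sample traffic (documentation addresses): one PMTU-discovery style packet with DF,
# one fragmentable packet, and a datagram already split into a first and a last fragment.
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.10", "198.51.100.20", 0x1234, df=True, payload_len=1460),
    build_ipv4_header("192.0.2.10", "198.51.100.20", 0x1235, payload_len=1460),
    build_ipv4_header("192.0.2.10", "198.51.100.20", 0x1236, mf=True, payload_len=1480),
    build_ipv4_header("192.0.2.10", "198.51.100.20", 0x1236, offset=1480, payload_len=520),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        h = parse_ipv4_header(pkt)
        print(f"{h['src']} -> {h['dst']} id=0x{h['ident']:04x} DF={h['df']} MF={h['mf']} "
              f"offset={h['frag_offset']} class={classify(h)} csum_ok={h['checksum_ok']}")
    print(audit(SAMPLE_PACKETS))
```

Run against a real capture, a high "fragment" count on traffic the sending hosts emit with DF set is the symptom Zalewski's footnote describes: something on the path is clearing or ignoring DF. The checksum check is there so that corrupted or hand-built headers are not silently counted as legitimate fragments.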