neftv

join:2000-10-01
Broomall, PA

Correlation between the WAN MTU and security for the LAN

I have this idea from someone I worked with that there is a correlation between the WAN MTU and alleviating issues caused by ping of death and DDoS attacks. When this person sets up a router he likes to set the MTU to something less than the common 1500. For example, in the one case I was with him he set it to 1425. I told him that would lower the ability to utilize full bandwidth, but he said this does something that does not make it easy to get slammed with PoD or DDoS attacks. Is there any truth to this?


kontos
xyzzy

join:2001-10-04
West Henrietta, NY

Personally, I'd mitigate Ping of Death attacks by upgrading to an OS that has had a security update sometime in the past 15 or so years.

If you're trying to protect yourself from some type of flood attack, I can't think of a way that making your gear use smaller (translation: more) packets is going to help you either.

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
reply to neftv
You are correct—your coworker is an idiot.

HarryH3
join:2005-02-21
reply to neftv
The only thing that reducing the setting does is force the router to create two packets out of one. An incoming packet of 1500 will get turned into a packet of 1425 plus a packet of 75, along with the proper headers for each packet to tell the receiving device how to handle the packets properly. So yeah, all your buddy has done is create more overhead for the network.
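The arithmetic of splitting one datagram for a smaller link, worked through as an added example (not code from the original post or from any poster). It assumes a 20-byte IPv4 header with no options and a 20-byte TCP header with no options; the 1500/1492/1425 sizes are the ones discussed in the thread. The point it shows is that the Fragment Offset field counts 8-byte units, so the first fragment carries a payload rounded down to a multiple of 8 and every extra fragment costs an extra IP header; a DF datagram is not fragmented at all but answered with ICMP Fragmentation Needed.

```python
"""IPv4 fragmentation arithmetic (RFC 791) for a datagram larger than the
outgoing link's MTU.

Added example; assumptions: 20-byte IPv4 header without options and a
20-byte TCP header without options when deriving the MSS."""
from __future__ import annotations

from dataclasses import dataclass

IPV4_HEADER_LEN = 20   # assumption: no IP options
TCP_HEADER_LEN = 20    # assumption: no TCP options


class FragmentationNeeded(Exception):
    """Raised where a router would emit ICMP type 3 code 4 for a DF datagram."""

    def __init__(self, next_hop_mtu: int):
        super().__init__(f"fragmentation needed, next-hop MTU {next_hop_mtu}")
        self.next_hop_mtu = next_hop_mtu


@dataclass(frozen=True)
class Fragment:
    total_length: int     # bytes on the wire, IP header included
    offset_units: int     # Fragment Offset field: position of this piece in 8-byte units
    more_fragments: bool  # MF flag


def fragment(total_length: int, mtu: int, dont_fragment: bool = False,
             header_len: int = IPV4_HEADER_LEN) -> list[Fragment]:
    """Split a datagram of `total_length` bytes for a link of `mtu` bytes.

    Because the offset field counts 8-byte units, every fragment except the
    last carries a payload that is a multiple of 8 bytes, so the usable payload
    per fragment is (mtu - header) rounded down to a multiple of 8."""
    if total_length <= mtu:
        return [Fragment(total_length, 0, False)]
    if dont_fragment:
        raise FragmentationNeeded(mtu)
    payload_len = total_length - header_len
    chunk = (mtu - header_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    fragments: list[Fragment] = []
    offset = 0
    while offset < payload_len:
        size = min(chunk, payload_len - offset)
        more = offset + size < payload_len
        fragments.append(Fragment(header_len + size, offset // 8, more))
        offset += size
    return fragments


def wire_bytes(fragments: list[Fragment]) -> int:
    """Bytes actually transmitted: original size plus one header per extra fragment."""
    return sum(f.total_length for f in fragments)


def tcp_mss(mtu: int) -> int:
    """Largest TCP payload that fits in one unfragmented datagram on a link of `mtu` bytes."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


if __name__ == "__main__":
    for mtu in (1500, 1492, 1425):
        frags = fragment(1500, mtu)
        pieces = [(f.total_length, f.offset_units, f.more_fragments) for f in frags]
        print(f"MTU {mtu}: {pieces} -> {wire_bytes(frags)} bytes on the wire, TCP MSS {tcp_mss(mtu)}")
```

Run it and the 1425 case comes out as a 1420-byte fragment (20 header + 1400 payload, offset 0, MF set) followed by a 100-byte fragment (20 header + 80 payload, offset 175 units = byte 1400), 1520 bytes on the wire for 1500 bytes of data; the PPPoE-style 1492 case splits into 1492 + 28 bytes. Either way nothing about the traffic becomes harder to send, only more expensive to carry.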

neftv

join:2000-10-01
Broomall, PA
I did my own experiment just to try something out. I know this has nothing to do with PoD or DDoS attacks, but still...
I have two IPTV boxes and one Windows 7 ITX mini computer, and I frequently set them to watch streaming live TV feeds at the same time. (I have an in-house cable feed where I put each device on a channel number.) With the MTU set at 1500 these feeds frequently stop on me for no apparent reason, and not all at the same time (mostly each at different times). When I have my Shibby-firmware RT-N12 router set for, say, 1420 MTU these feeds just keep working and working. If any of the feeds stop it will be because the streaming server needs to be reset.

HELLFIRE
join:2009-11-25
reply to neftv
said by neftv:

...there is correlation between the WAN MTU and alleviating issues caused by ping of death and DDOS attacks...

As you discovered in your testing, monkeying around with MTU is likely to cause more problems than it fixes, period.
Your coworker's choosing the wrong tool for the wrong problem.

Regards

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
reply to neftv
MTU on cable is 1500; MTU on DSL tends to be less than 1500, so if you have DSL this might be why a smaller MTU resolves your issues. That said, PMTUD should figure out the best MTU for a connection, but many devices/routers/firewalls are misconfigured and break this.

neftv

join:2000-10-01
Broomall, PA
So to answer you, I am on Verizon FiOS. I thought FiOS was 1500 MTU, but I guess not for watching streaming media for a long duration. I know that when I set my MTU to default (1500, greyed out) in the Shibby-enabled RT-N12 B1 router I get my live TV streaming interrupted routinely. When I set it to manual and something lower than 1500 (well, I only tried 1425 and 1420) the streams just keep playing on my 3 devices.

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
Well, I don’t have Verizon FiOS, but a search quickly turned up »www2.verizon.net/help/fios_setti···more.asp, which says the optimal MTU for Verizon FiOS is 1492.

neftv

join:2000-10-01
Broomall, PA
That makes sense now as that part of the site looks fairly new. Thanks.


tschmidt
join:2000-11-12
Milford, NH
reply to Bink
said by Bink:

the optimal MTU for Verizon FiOS is 1492.

That means they are using PPPoE encapsulation which adds 8 bytes to each packet reducing the MTU to 1492.

/tom

neftv

join:2000-10-01
Broomall, PA
I have always been on DHCP with FiOS. I just can't use 1500 if I want to be able to receive streaming media for any length of time.
1492 seems to be holding good for me.


dslcreature
join:2010-07-10
Seattle, WA

reply to neftv
How does he figure? I'm scratching my head trying to understand the underlying premise of how lowering the MTU insulates you from such attacks. It would seem to me that if the payload MSS is lower you end up sending more fragments to compensate, yet still achieve the same overall result.

The fragment offset in the IP header is based on byte counts, so there is not some fixed-length counter you can simply exhaust quicker by lowering the MTU.

I'm really curious whether this person is able to provide a technical justification for his advice. It could well just be that some attack toolkits were hardwired to assume a certain MTU when generating packets... ping of death is ancient history now anyway.

With respect to lowering the MTU to limit DDoS attacks, this sounds like a bad idea, as it will just increase the number of round trips legitimate traffic must make to establish a connection during an attack by forcing unnecessary PMTUD hoops.

I think overall the "network security" meme is quite amusing. There is no shortage of goofballs who insist on blocking all ICMP traffic because someone told them it is evil, yet when asked can't justify why they are doing what they are doing. They simply don't know, nor do they understand the consequences of their actions.

When you link them up with goofballs who intentionally lower their MTUs, you end up with a broken network because PMTUD no longer works.

My advice generally, when someone tells you to tweak network parameters or block something in the name of security, is to require that they provide a specific technical justification and know what the side effects are. If they are unable to provide justification they deserve to be ignored.
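How ICMP filtering turns an MTU mismatch into a black hole, as an added example that is not part of the original post or anyone's posted code. It models RFC 1191 path MTU discovery on a constructed three-hop path (a 1492-byte PPPoE-style hop between two 1500-byte hops; these values are assumed for illustration) and lets either a hop or the sender's own firewall discard the ICMP Fragmentation Needed (type 3, code 4) message. It also shows why a sender MTU set below every hop's MTU "works": the probe never exceeds any link, so PMTUD is never exercised and the filtering is simply never noticed.

```python
"""Path MTU discovery (RFC 1191) across a path that may filter ICMP.

Added example; the hop MTUs and filter flags are constructed, not measured."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Hop:
    mtu: int
    drops_icmp: bool = False  # this hop's firewall discards the ICMP error it would send


def forward_df(path: list[Hop], size: int, sender_filters_icmp: bool = False):
    """Forward one DF datagram of `size` bytes hop by hop.

    Returns ("delivered", None), ("icmp", next_hop_mtu) when a Fragmentation
    Needed message (ICMP type 3 code 4) gets back to the sender, or
    ("blackhole", None) when the datagram was dropped and no error came back."""
    for hop in path:
        if size > hop.mtu:
            if hop.drops_icmp or sender_filters_icmp:
                return "blackhole", None
            return "icmp", hop.mtu
    return "delivered", None


def discover_pmtu(path: list[Hop], local_mtu: int,
                  sender_filters_icmp: bool = False, max_timeouts: int = 3):
    """Probe downward from `local_mtu`, lowering the size on each ICMP report.

    Returns (pmtu, sends); pmtu is None when every probe vanished without an
    ICMP error, i.e. the sender stalls exactly as a real TCP stream would."""
    size = local_mtu
    sends = timeouts = 0
    while True:
        sends += 1
        outcome, info = forward_df(path, size, sender_filters_icmp)
        if outcome == "delivered":
            return size, sends
        if outcome == "icmp":
            size = info          # RFC 1191: adopt the next-hop MTU from the error
            continue
        timeouts += 1            # retransmission of the same size also vanishes
        if timeouts >= max_timeouts:
            return None, sends


# constructed path: two 1500-byte links around one 1492-byte PPPoE-style link
PATH = [Hop(1500), Hop(1492), Hop(1500)]

if __name__ == "__main__":
    print("ICMP allowed, local MTU 1500:", discover_pmtu(PATH, 1500))
    print("ICMP filtered at sender, local MTU 1500:", discover_pmtu(PATH, 1500, sender_filters_icmp=True))
    print("ICMP dropped by the narrow hop:", discover_pmtu([Hop(1500), Hop(1492, drops_icmp=True), Hop(1500)], 1500))
    print("ICMP filtered, local MTU 1425:", discover_pmtu(PATH, 1425, sender_filters_icmp=True))
```

With ICMP passing, the first 1500-byte probe draws a Fragmentation Needed reporting 1492 and the second probe gets through. With ICMP filtered anywhere on that path the 1500-byte probes just disappear, which on a real link looks like the symptom described earlier in the thread: small packets (handshakes, pings, short pages) work and large transfers stall. Lowering the local MTU to 1425 "fixes" that by never sending a packet large enough to trigger the error, which masks the broken filtering rather than repairing it.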


cdru
Go Colts
join:2003-05-14
Fort Wayne, IN
reply to neftv
Recently near Chicago contaminated gasoline was sold, requiring in some cases significant, costly repairs. Since my money tree has lost its leaves for the year already, I wanted to protect my car should I happen to buy some of the contaminated gas. So I disconnected one of the spark plugs.

That's basically what your friend suggested, but with network data. As Kontos said, anything from the last decade or a little longer isn't going to have the problem. Or just drop ICMP packets at your router.

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
said by cdru:

Or just drop ICMP packets at your router.

This has almost zero value and, in some cases, breaks PMTUD.


cdru
Go Colts
join:2003-05-14
Fort Wayne, IN
said by Bink:

This has almost zero value and, in some cases, breaks PMTUD.

Agreed. But malformed PoD packets also cause problems. Lesser of the evils, I guess.

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
said by cdru:

Agreed. But malformed PoD packets also cause problems. Lesser of the evils, I guess.

As others have mentioned, PoD is mostly historical, so this is not really relevant today.