
ICMP_Scanning_23
ICMP Usage in Scanning (page 23)
Copyright © Ofir Arkin, 2000
http://www.sys-security.com

3.5 Using Packets bigger than the PMTU of internal routers to elicit an ICMP Fragmentation Needed and Don’t Fragment Bit was Set (configuration problem)

If internal routers have a PMTU that is smaller than the PMTU of the path through the border router, those routers will send an ICMP “Fragmentation Needed and Don’t Fragment Bit was Set” error message back to the initiating host when they receive a packet that is too big to process and has the Don’t Fragment bit set in the IP header. This reveals the internal architecture of the router deployment of the attacked network. This is in my opinion a configuration problem causing a security hazard.

Figure 6: Using Packets bigger than the PMTU of internal routers to elicit an ICMP Fragmentation Needed and Don’t Fragment Bit was Set
[Diagram labels: The Internet, Border Router, DMZ, Internal Network]
A configuration error example. If internal routers are configured with an MTU smaller than the MTU the border router has, sending packets with the Don’t Fragment bit set that are small enough to pass the border router but are bigger than the MTU on an internal router would reveal its existence.
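A border-side check for the leak described above, as an added example that is not from the original paper: it parses captured IPv4 packets, picks out ICMP type 3 code 4 messages, and flags those sent by an internal router to an outside host. The internal range 10.0.0.0/8, all addresses and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal address space

def ipv4_header(src, dst, proto, total_len, df=False):
    """Build a 20-byte IPv4 header (checksum left 0); used only for constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000 if df else 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_frag_needed(packet):
    """Return details of an ICMP type 3 code 4 message, or None for any other packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:  # not ICMP, or no embedded IP header
        return None
    icmp_type, icmp_code, _cksum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, icmp_code) != (3, 4):
        return None
    inner = packet[ihl + 8:]  # header of the datagram that was too big
    inner_len, _ident, inner_flags = struct.unpack("!HHH", inner[2:8])
    return {
        "router": ipaddress.ip_address(packet[12:16]),      # who generated the error
        "reported_to": ipaddress.ip_address(packet[16:20]),  # who receives it
        "next_hop_mtu": mtu,                                 # 0 on routers predating RFC 1191
        "orig_len": inner_len,
        "orig_df": bool(inner_flags & 0x4000),
        "orig_dst": ipaddress.ip_address(inner[16:20]),
    }

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def leaks_internal_router(packet):
    """True when an internal router reports Fragmentation Needed to an outside host."""
    info = parse_frag_needed(packet)
    return bool(info and is_internal(info["router"]) and not is_internal(info["reported_to"]))

# Constructed sample: internal router 10.1.0.1 rejects a 1400-byte DF packet from outside.
_inner = ipv4_header("198.51.100.7", "10.1.2.3", 1, 1400, df=True) + bytes(8)
_icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 1006) + _inner
SAMPLE = ipv4_header("10.1.0.1", "198.51.100.7", 1, 20 + len(_icmp)) + _icmp

if __name__ == "__main__":
    print(leaks_internal_router(SAMPLE), parse_frag_needed(SAMPLE))
```

A hit from this check means the internal MTU is smaller than what the border router admits, which is the configuration error the section describes.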