ICMP_Scanning_23
ICMP Usage in Scanning
23
Copyright Ó Ofir Arkin, 2000
http://www.sys-security.com
3.5 Using Packets bigger than the PMTU of internal routers to elicit an ICMP
Fragmentation Needed and Dont Fragment Bit was Set (configuration problem)
If internal routers have a PMTU that is smaller than the PMTU for a path going through the border
router, those routers would elicit an ICMP Fragmentation Needed and Dont Fragment Bit was
Set error message back to the initiating host if receiving a packet too big to process that has the
Dont Fragment Bit set on the IP Header, discovering internal architecture of the router
deployment of the attacked network.
This is in my opinion a configuration problem causing a security hazard.
Figure 6: Using Packets bigger than the PMTU of internal routers to elicit an ICMP Fragmentation Needed
and Dont Fragment Bit was Set
DMZ
Internal Network
The Internet
A configuration Error example. If internal Routers are
configured with MTU smaller than the MTU the border
router has, sending packets with the Dont Fragment bit
set that are small enough to pass the border router but
are bigger than the MTU on an internal Router would
reveal its existence.
Border Router