Slashdot Mirror
MSS Initiative Makes Progress
Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4) which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU-protocols to be unable to view the sites). This past week we were priveleged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"
For some reason I can't read the .pdf file. Got the latest M$ XP Pro, and Adobe...
Both sites work with me. I have an MTU of 1492 and PPPoE.
But if he says so, then I won't access them, due to the 'problem'...
But my Mom says I'm cool! -Milhouse
Over-zelous MSS activists are breaking the PDF!
MTU: Maximum Transfer Unit.
This is the maximum number of bytes that your computer will send out in a packet. This should be set according to what your connection can handle. For ethernet this should be set to 1500. For PPPoE links this should be set to 1492.
MSS: Maximum Segment Size.
This is used in negotiating what the MTU of a connection between two hosts will be. Essentially this is saying "please don't send me packets bigger than X." This should typically be set to 40 less than your MTU to allow room for headers.
In Fourteen hundred and ninety two, the sites were fine, that's my MTU!
(It rhymes, so, it's clever. Really.)
And here I was thinking that securityfocus and CERT had been rooted by script kiddies!
If I have been able to see further than others, it is because I bought a pair of binoculars.
I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.
They do it becasue they hire idiot "security experts" or are angry that all OSees in history are easily exploitable remotely based on BugTraq immense database of exploits, except erhaps Mac OS 8.x and 9.x which have never been exploitable running webservers. (Mac OS X is FreeBSD based and has already had over 30 security issues remotely, though 9.22 is immune).
PPPoe is here and now and growing EVERY DAY, as people lose the ability and right ot have static IP or long DHCP leases.
And I think its an idiotic protocol myself, but at least it keeps people on their toes.
HURRAY for standards. (http://www.faqs.org/ftp/rfc/rfc2516.txt )
Boo to arrogant linux-bsd-oriented self appointed security experts.
...see the redundancy of creating a blacklist for networks you can't reach to begin with?
Actually, according to conventional wisdom, the majority of network admins and the world in general, (oh, and TCP/IP Illustrated 2nd Edition):
MTU: Maximum Transmission Unit.
I have no idea where the MSS people got "transfer" from.
Janie took my gun...
The PDF of the paper refuses to render with any Ghostscript derived viewer.
It sure would be nice if those who wish to cast stones would make sure their own position is clean.
That said, I've had to ding webmasters about having their routers set up to block packets with explicit congestion notify set - that is now an accepted part of TCP/IP, and failing to accept packets with ECN set is a violation of the standard.
www.eFax.com are spammers
This problem is way to technical to explain to most sysadmins. Expecting them to fix it after a kind notification seems naive at best. Instead focus on firewall product manufacturers. In many cases sysadmins just use some sort of generated rules from some firewall product or duplicate sections of howto's. if you make sure the generated stuff is ok and the howto's & manuals don't misinform the sysadmins, there's a lot to gain.
Jilles
MTU has turned into the bane of my existence, between atm header problems, VPN's which can't have their packets fragmented without blowing up their crc's, and voice and video apps over low speed links adjusting the MTU down isn't an option anymore, many times it is required. Maybe a site here or there won't display, but usually its downloads that die, like a norton update for example. If I reset the mtu back to 1500 then the vpn's drop and voice develops jitter or drops (using a vovpn as an example)but everyone can download their updates (and of course more importantly their mp3's.) My point is that allowing your ftp server to service a packet at 750 won't kill you or your server. How much overhead do you add by sending two packets at 750 over one at 1500 and how much bandwidth will you save? Until this problem completely disappears I will keep a copy of DR. TCP on my laptops, I believe you can free copies of it from Cisco (might need to be registered)
No user should EVER think he needs to set this. A hardware manufacturer , or driver writer would.
You are excused since you admit to being clueless on this knowledge.
-- -- --
Help my mini cause: My journal
I didn't think anybody used LISA's anymore ;-)
Anybody know what LISA stands for ?
beauty is only a light switch away
and be sure, like many members of the audience, to fix the sites you administer!
We'll, I'd sure like to know why Over-Zelous Security Administrators Are Breaking The Internet, but it appears that some Under-Zelous Systems Administrator has broken your site
Sorry, a bit OT:
... go look at http://home.earthlink.net/~jaymzh666/ ... it's one of the IPFilter guys! Good going, Phil! Thanks for all your work supporting IPFilter! (And props to Darren, if you read this)
I thought I recognized that URL
Why on earth do idiots feel the need to bastardize everything. This whole thing is about PPOE not MTU size. The better solution is to get rid of the bastardization (PPOE) .
Got Code?
The linked paper seems to be broken, and I'm feeling rather lost in this sea of acronyms...
"other less-than-1500-MTU-protocols to be unable to view the sites"
And yet dialup users have always been able to view the site. (They use sub 500 values)
Seems to me something else is wrong.
The PDF on this mirror seems to work.
-------
Warning: Slashdot may contain traces of nuts.
i love the fact that the slideshow presentation is available in Open Office format (.sxi)
sure would love to see more of this in the real world.
There needs to be more awareness in the internet world about not breaking some of the underlying technologies. What the authors are talking about is sites with fuckheaded admins who blindly block all ICMP traffic with their firewalls.
Path Maximum Transmission Unit Discovery, ICMP type 3 code 4, is sent to an IP stack telling it to send smaller IP packets so the packets don't get fragmented along the way. When nearly 75% of broadband users in Europe are forced to use PPPOE, they count on a working PMTUD message making things work.
There is a workaround, called MSS clamping, built into Roaring Penguin PPPOE (great software, guys!) which tweaks the TCP stack for web traffic. Unfortunately, it breaks all kinds of other traffic which doesn't expect the MSS to change.
So this paper is a good start to informing network admins there is no security risk in allowing some types of ICMP traffic. MSS clamping and PMTUD problems were a main topic of coffee break discussions at the last RIPE meeting. Now it remains to convince the firewall manufacturers to change their defaults so that they aren't breaking more and more of the internet. Adding this information to Firewall-HOWTOs would also be a good idea.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
And here is a mirror for the slides.
-------
Warning: Slashdot may contain traces of nuts.
Also, the PDF seems to be broken. It won't display on my system. (Anyone else have that problem?)
Overall, pretty impressive.
The version on the USENIX site seems at least to have the correct spelling in the title, but you need a password to download the PDF there.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
"should be set to" could also mean "should already be set to", and not just "you should set this to".
If the packet size is less than 1458 then Cisco Express Forwarding is used to forward the packet to its destination, whilst above 1458 the hardware will inspect the packet, make a number of descsions and then forwarded it.
thank God the internet isn't a human right.
Assuming you use your linux machine as a router there is a solution. Using a recent distro/kernel there should be an ipt_TCPMSS module available. Running iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss -to-pmtu "does the trick" of adjusting packet sizes. Sites like CERT, SecurityFocus or GMX.de are accessible then.
Further readings here and here.
I wonder if this is related... I had for awhile used a D-Link 'router, just a little one, on a PPPoE line. Well, for the most part it worked well, but sometimes it would just drop connections. (very annoying that several times a night ssh sessions would die.) I finally narrowed it down to certain pages/streams(streaming mp3) would cauase it(the dlink) to reset. I also have heard of somewhat similar problems with the linksys versions of the same.
So, my question would be, did anyone else have these problems? Is it maybe related, or just a bad PPPoE setup in those 'routers'?
On another related note, I replaced the D-Link with an OpenBSD firewall, and haven't looked back... performance increase was moderate, and control I have over it is just great... Will never try to get out easy on a firewall/NAT thing again, just do it right the first time:)
If I was that drunk, I would have remembered it -- H. Simpson
Just noticed this in the netfilter section of linux config file:
Don't know about you but myself I can't remember actually using this nf option... ;-)
Maybe the reason is I always let the ICMP packets go
Any thoughts about those other dangers of blocking ICMP3,4 ?
So to sum up your post: You're here, you're queer and you aren't going anywhere.
"You are excused since you admit to being clueless on this knowledge."
You are not excused for your arrogance, however.
As a frequent visitor of www.xyz.com...
:)
:)
The companies they mail must be seriously confused as to what this has to do with their site...
Jokes aside, that "frequent visitor" phrase is nice, and _may_ help getting their message through to the right persons.
But probably not - and it is lying (which is easy to deduce when visiting their site - the url is given in the same mail). Pretending to be a regular visitor may hurt these guys in the long run, even if they do stuff for a good cause... I don't know if they do, I read the explanations and still couldn't figure out if this was something worth bothering about.
The paper wouldn't open for me either. I'm running Acrobat 4.0 on Win95 (hey, it's fast, dude). Someone can probably advise him on saving it in compatible mode or something like that.
One simple rule for its versus it's
I think it's utopic to think one can fix so many's ISPs problems. It's like closing open relays, even with big real-time blocking lists, a lot still slip thru.
A good paper explaining MTU/MSS is on Cisco. If your ISP can't just 'adjust-mss' on his router, either he will fragment a lot and drop the DF (don't fragment) packets, or you will have to use Dr TCP to fix the MTU on your side.
have you been defaced today?
For PPPoE links this should be set to 1492.
4 /
u r_Modem_with_MTU_and_MRU.html
Sometimes. Sometimes less. I actually ran into this problem with my old DsL connection; I couldn't reach the "My Yahoo" series of sites, of all places. I don't know about a full-blown academic paper on the subject, but here are a couple of references you might find useful if you're on PPPoE and you find sites mysteriously unreachable:
windows : http://www.winguides.com/registry/display.php/110
Linux: http://www.linuxnewbie.org/nhf/Modems/Tweaking_Yo
Basically, what you do is ratchet down the MTU until you can see the sites you weren't able to before. It might only need to be reduced to 1492; maybe lower, though.
These were both near the top of the google list for their respective searches; dozens more are obviously available through the same proceedure.
If you don't use PPPoE and want to test some of these theories, you can try a "ifconfig eth0 mtu 1400" where eth0 is your network connection.
put the what in the where?
Bugger what some textbook says it means, RFC1191 where "Path MTU Discovery" is defined clearly says its "Maximum Transmission Unit" -- you'd think folks campaigning to get people to follow the RFCs would read them more closely.
And RFC791 where MTU was itself defined (among other things) also says it means "Maximum Transmission Unit."
Anyone checked this with Cisco TAC? Sounds like a bug.
Please help me understand this initiative by not making up words. Yes, I can guess the meaning, but if that's the purpose (i.e. to keep the audience guessing) then why not just post random text? If the goal is to demonstrate you k3wlne55, then post in haCk15h. If the goal is to convey an idea, sway public opinion, convince a group of skeptics, form a consensus, and ultimately, build a coalition, you might want to consider restricting your phraseology to a more mainstream subset of English.
This is only a suggestion.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Astonishingly, the paper neglected to mention the best solution for site admins that I have yet seen for the problem -- rate limiting as a protection from DoS attacks. Cisco describes their implementation of this at http://www.cisco.com/warp/public/63/car_rate_limit _icmp.html. I don't know how widespread router vendor support for this is, but the concept is spot-on.
If behaviors which are normally both legal and helpful can turn deadly when they take on a certain pattern then don't blanketly prohibit the behavior, identify when that pattern is developing and then cut it off. Wasn't that the whole concept behind stateful packet inspection anyways?
Heard the saying "just enough knowledge to be dangerous"? That's a good way to describe folks who think they need to disallow ICMP 3,4 to secure themselves from DoS attacks.
t _icmp.html for a description of how to do it right.
Allowing ICMP 3,4 at your firewall does not make your site more vulnerable if have enough knowledge to do it right. See http://www.cisco.com/warp/public/63/car_rate_limi
Has anyone else noticed that DoS attacks using ICMP type 3 code 4 packets (aka "smurf" attack) bear an incredible likeness to the so-called "Slashdot Effect"? Particularly if you recognize the "Slashdot Effect" as a DoS through HTTP overload.
1) both result from overuse of a normally benign (even helpful) protocol
2) both can be mounted using relatively few resources on the attacker's end (set your MTU real low and send a lot of small packets for which the RFCs require a response)
3) both result in DoS to the attacked site.
No respectable security/firewall vendor would seriously consider proposing that their routers/firewalls should permanently block all HTTP traffic in order to protect their site from a potential DoS attack using that protocol. It should have been no more acceptable to the Internet community when they proposed that for ICMP type 3 code 4 packets.
So the lesson is -- don't shut down ICP type 3 code 4 packets, limit them; don't shut your site down when you're slashdotted, limit your HTTP attacks!
I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.
Okay, maybe my feelings are a little less strong, but I feel frusteration about this as well. However...
Boo to arrogant linux-bsd-oriented self appointed security experts.
What in God's name does this have to do with Linux or BSD? If anything, I find overzealous network admins to be more frequently Windows-oriented (let's block random attachments because they might contain executables that are easy to execute with our company's default mailer!).
Actually, I'd like to see more network admins handle ECN. It's been around in Linux for a while now, and it helps everyone, and network admins are doing jack and shit about it.
What we need is MS to put out a new OS with ECN support so that network admins fix their routers/firewalls.
May we never see th
Try this link for the PDF, make sure IE downloads a ".pdf.gz" (not a ".pdf"), and run the file through GZIP. Acrobat should display it properly then.
ip tcp adjust-mss 1460
These guys are setting a good example. Their 7-page PDF is 80KB expanded, 24KB zipped. That's for 20K non-space formatted characters plus a simple figure. Less formatting overhead than the average HTML 3.0 page. Looks good, too; it is groff output run through Distiller and it renders well on Acrobat Reader and is typeset well.
grammar is spelled "g-r-a-m-m-a-r"!!
Boot a Linux cd (Debiang GNU/Linux for me, but you should start with mandrake) and use it to ERASE DOS(winshit 5.1 is DOS) and install a real operating system (Linux, or any UNIX derivitive) in place of it. Then install xpdf and galeon ('apt-get install xpdf galeon' in Debian and 'urpmi xpdf galeon' in Mandrake). Run Galeon in X and view the page. TaDa!
You can download ISO images of both Debian GNU/Linux and Mandrake at LinuxISO.org.
You can't judge a book by the way it wears its hair.
how long would a lisa last before exploding from the /. effect?
I have wondered for some time why is the MTU exactly 1500. I found out why the smallest is 64 (48+headers). But why 1500? is it because it is a nice round number?
Just got back from LISA, where all the good presentations were double-booked and the CD-ROM of the slides cost another couple hundred over and above the $695 (Usenix member's price!) for the conference itself. I don't think I'll be going to the next one -- not if they don't at least include an electronic copy of the procedings.
/. Let's do Dan Klein on "Constitutional and Financial Arguments Against Spam" next.
Saw the blurb in the LISA program (it appeared as "Overzealous Security Administrators Are Breaking the Internet" -- sheah, right, let's put six exclamation points on it) but had no idea what it was about until I got to this article.
Score one for
"Ain't no right way to do a wrong thing."
For those who noticed the 'local copy' of the PDF was toast, earthlink's servers were somehow nuking the PDF on download... but a nice gzip'd fixed it as well as limiting the slashdot effect (I'm shocked earthlink hasn't shut the site down yet - yay for text sites). Phil MSS Initiative
And if you don't have a cisco router capable of rate limiting in front of your network?
I don't see a similiar option in most firewall packages (Though I've not much experience with Firewall-1 and Quantlet). I had thought of this, however sysadmins rarely (at least in my experience) don't touch the router configs. So should this "initiative" be targeted at network admins instead?
I think the arrogant jerks that violate the rules of internet RFCs should be outed or blacklisted.
You are absolutely right. Everyone using PPPoE should be banned from using the Internet. PPPoE is a _COMPLETELY_ broken protocol. If enough sites refuse to service people using such a cracked protocol, then maybe it will go away. In fact, I am going to go misconfigure the sites that I administer to make sure that they do not work with PPPoE.
I will not let anyone I know use PPPoE. I have advised every single one of them to get cable modems with DHCP instead.
The telephone companies are the only ones pushing PPPoE. Do we really want a bunch of morons who can't run an analog phone network dictate how the Internet operates? Just about everyone in my family has worked for a Telco, and frankly, I would not let any of them near a computer even if my life depended on it.
PPPoe is here and now and growing EVERY DAY, as people lose the ability and right to have static IP or long DHCP leases.
The "right" to have a static IP? I do not even know what that means. As for long DHCP leases, how about this for an idea, short DHCP leases!
PPPoE is a hack and it should die a horrible death. If you want to use the Internet, get a real internet connection or go back to using AOL.
-sirket
People also use "iso", "rs" and "ansi" for "ISO 9660", "EIA RS-232", and "ANSI X3.64", respectively.
I guess that the name of the standards organization should be enough. No need for these pesky numbers.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
> PPPoe is here and now and growing EVERY DAY, as people lose the ability and right ot have static IP or long DHCP leases.
Since when was a static IP address a right?
I think that before you could decide that everyone had a right to a static IP address, you should count the people in the world, and the total number of possible IPv4 IP Addresses.
I think it's more like it's everyone's responsibility to not use a static IP unless they really need it, at least until IPv6 is the standard on the net..
Of course, by then, we will have suffered an ice age, been blasted with raidiation from having the magnetic poles disapear, and watched civilization collapse due to the Y10k problem....so static IP addresses probably wont be top on everyone's mind...
Advanced users are users too!
good cisco paper that explains the whole MTU, MSS, fragmentation business (includes pretty pictures :)
o logies_white_paper09186a00800d66f2.shtml
Also explains how this relates to GRE & IPSec tunnels not working.
http://www.cisco.com/en/US/tech/tk648/tk369/techn
They give out static IP addresses and allow those who know how to do it and can keep their boxen patched the ability to run servers. They even have their own game server too! How cool is that?
Sorry about those in the other 49 states...PPPoE sucks.
Knowledge is power. Knowledge shared is power multiplied.
It's an obvious solution. If you accept all traffic from a known connection then why not also the housekeeping ICMP ??
The copy of IP header plus part of L4 header in data field of ICMP is enough to associate it to a known connection. Question is, how difficult can it be forged by an attacker? For TCP, it is like guesing seq. number..
Stateful ICMP should be allowed by default, so that moderate admins will leave it enabled. For paranoids, there could be an enable option.
I am not restricting only to ICMP 3, code 4. The same could also be applied to other unreachables (e.g. for traceroute)
BranoZ
"Yes, let's consider," said Bruno, putting his thumb into his
mouth again, and sitting down upon a dead mouse.
"What do you keep that mouse for?" I said. "You should either
bury it or else throw it into the brook."
"Why, it's to measure with!" cried Bruno. "How ever would you
do a garden without one? We make each bed three mouses and a half
long, and two mouses wide."
I stopped him as he was dragging it off by the tail to show me
how it was used...
-- Lewis Carroll, "Sylvie and Bruno"
- this post brought to you by the Automated Last Post Generator...