Firewall stateful handling of ICMP packets

Valdis.Kletnieks at Valdis.Kletnieks at
Thu Dec 4 03:53:51 UTC 2003

On Wed, 03 Dec 2003 15:57:37 PST, Owen DeLong <owen at>  said:

> around.  (In fact, I'm hard pressed to imagine how a Frag needed packet
> for an invalid session could do much of anything).

You can use a forged 'frag needed' to stomp an existing connection of the
victim's down to 64 byte MTU or similar silliness, but other than sheer
"it's a packet" DDoS effects, I can't think of a malicious use for one for
an invalid session either....
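
A stateful check of the kind this thread discusses, as an added example that is not part of the original post: an ICMP "frag needed" (type 3, code 4) is accepted only if the packet it quotes belongs to a tracked flow and the advertised MTU is not absurdly low. The function names, the session-tuple layout, the `MIN_PMTU` floor and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

MIN_PMTU = 576  # assumed policy floor; a lower next-hop MTU is treated as hostile

def check_frag_needed(icmp: bytes, sessions: set) -> str:
    """Classify an ICMP message (starting at the ICMP header) against tracked flows.

    sessions holds (proto, src_ip, src_port, dst_ip, dst_port) tuples for
    packets the protected hosts sent. The ICMP checksum is not verified here.
    """
    if len(icmp) < 8 + 20 + 8:
        return "drop: truncated"
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return "pass: not frag-needed"
    inner = icmp[8:]                      # quoted IP header + first 8 payload bytes
    if inner[0] >> 4 != 4:
        return "drop: embedded packet is not IPv4"
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return "drop: truncated"
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if (proto, src, sport, dst, dport) not in sessions:
        return "drop: no matching session"   # the "invalid session" case
    if mtu < MIN_PMTU:
        return "drop: MTU below floor"       # the forged tiny-MTU case
    return "accept"

def build_sample(src, dst, sport, dport, mtu):
    """Constructed input: ICMP type 3 code 4 quoting the start of a TCP segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, 1000)  # ports + sequence number
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + tcp8

# Constructed session table using documentation address ranges.
SESSIONS = {(6, "192.0.2.10", 40000, "198.51.100.5", 443)}
```

The session match alone does not stop a forger who can guess the flow's 4-tuple, which is why the MTU floor is checked separately.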