[Dshield] UDP breaking after MS05-019?

Rob Webb PacketHunter at comcast.net
Wed May 4 22:25:04 GMT 2005


The issue happens with large UDP packets attempting to cross VPN tunnels.
Since most network segments (and all Ethernet ones) will not support MTUs of
packets larger than 1500, Path MTU Discovery was used.  This allowed routers,
firewalls, VPNs (Layer-3 devices) to notify a host that the packet it
received (with the "Don't Fragment" bit set) would not fit into the outbound
interface.  VPNs require that the received packet have an additional header
added to it so the original one can be encrypted.  This takes a packet
that may already have been 1500 bytes, adds an additional 60 to 80 bytes
(depending upon encryption/encap methods)...and now exceeds the 1500 byte
max.  Originally, the device that discovered the packet to be too large
would issue an ICMP to tell the sending host to send it again...this time
smaller...

If you want to "fix" this, set the MTU on your interface down to 1400 bytes.
This requires a registry change...so be careful.  But it will allow you to
run the patch (and thus be protected from this vulnerability) and still work
across VPNs. 


--Rob 
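
The Path MTU Discovery exchange Rob describes, modelled in Python as an added example (not code from the original thread): a tunnel endpoint that encapsulates or bounces an RFC 1191 "fragmentation needed" ICMP, and a host that either honours it or, when the ICMP never arrives, stalls the way the reported UDP traffic did. The 80-byte tunnel overhead is an assumed worst case taken from the 60-80 byte range in the post.

```python
import struct

ETH_MTU = 1500          # largest frame an Ethernet segment carries (from the post)
TUNNEL_OVERHEAD = 80    # assumed worst case of the 60-80 byte VPN header the post cites

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, orig_datagram: bytes) -> bytes:
    """ICMP type 3 code 4 with the RFC 1191 next-hop MTU field filled in."""
    quoted = orig_datagram[:28]          # original IP header + first 8 payload bytes
    unsummed = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    csum = icmp_checksum(unsummed)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + quoted

def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if this is not a valid frag-needed."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    typ, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (typ, code) == (3, 4) else None

def tunnel_endpoint(datagram: bytes, dont_fragment: bool):
    """Model of the VPN device: encapsulate, or bounce an ICMP if DF forbids fragmenting."""
    if len(datagram) + TUNNEL_OVERHEAD <= ETH_MTU:
        return "forwarded", None
    if dont_fragment:
        return "too_big", build_frag_needed(ETH_MTU - TUNNEL_OVERHEAD, datagram)
    return "fragmented", None

def send_over_vpn(host_mtu: int, udp_len: int, icmp_reaches_host: bool = True) -> list:
    """Host with DF set sends a udp_len-byte datagram; returns the sequence of events."""
    events, path_mtu = [], host_mtu
    for _ in range(3):                              # bounded retries
        size = min(udp_len, path_mtu)
        outcome, icmp = tunnel_endpoint(b"\x45" + bytes(size - 1), True)
        events.append((size, outcome))
        if outcome != "too_big":
            return events
        if not icmp_reaches_host:                   # ICMP lost or ignored: PMTUD black hole
            events.append(("stalled", None))
            return events
        path_mtu = parse_frag_needed(icmp)          # shrink to the advertised next-hop MTU
    return events
```

With a 1500-byte interface MTU the first datagram is bounced and only the retry at 1420 bytes goes through; with the interface already set to 1400 the first attempt fits, which is why the lower MTU sidesteps the problem when the ICMP is never acted on.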


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Nelson Andrew - Systems Security
Sent: Wednesday, May 04, 2005 3:17 PM
To: General DShield Discussion List
Subject: RE: [Dshield] UDP breaking after MS05-019?

Yes - We've had problems with our remote sites (connected via VPN)
connecting to any of our Windows based servers. It was bad enough that we
had to take this patch off of all windows servers that were being used by
our remote sites.
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David McGaughey
Sent: Wednesday, May 04, 2005 11:14 AM
To: list at dshield.org
Subject: [Dshield] UDP breaking after MS05-019?

Seems there was a bug in MS05-019 and SP1 for 2003.  See:

http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

I'm experiencing situations where UDP stops routing over WANs from our
Windows servers.  Anyone else having trouble?

David McGaughey, GSEC, GSNA

About:  http://mcgoy.plumbearcat.com/RESCOMPU.htm

-------------- Sponsor Message ------------------------------------
Join us at SANSFIRE 2005 in Atlanta!
The Internet Storm Center Conference.
Details: http://www.sans.org/sansfire2005

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list