UDP fragments , legitimate ?

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* UDP fragments , legitimate ?
@ 2012-12-14 20:06 叶雨飞
  2012-12-14 21:00 ` Brad Silva
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: 叶雨飞 @ 2012-12-14 20:06 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

This is more like a general networking question

Is there legitimate use of UDP fragments in the wild? have you seen
commonly used application sending/receving UDP packets that is large
than MTU ? Is it safe to assume such traffic is nothing but dumb
attacks?

Thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: UDP fragments , legitimate ?
  2012-12-14 20:06 UDP fragments , legitimate ? 叶雨飞
@ 2012-12-14 21:00 ` Brad Silva
  2012-12-15  1:31   ` Amos Jeffries
  2012-12-17 10:04 ` Michal Kubecek
  2012-12-17 21:27 ` Eliezer Croitoru
  2 siblings, 1 reply; 5+ messages in thread
From: Brad Silva @ 2012-12-14 21:00 UTC (permalink / raw)
  To: 叶雨飞, Netfilter Users Mailing list

I know that NFS over UDP commonly sends packets that are much larger
than the MTU (as much as 32KB per).

However, it's very unlikely that you would see NFS outside your
firewall.  Also, most NFS these days is over TCP.

Brad

On Fri, Dec 14, 2012 at 12:06 PM, 叶雨飞 <sunyucong@gmail.com> wrote:
>
> This is more like a general networking question
>
> Is there legitimate use of UDP fragments in the wild? have you seen
> commonly used application sending/receving UDP packets that is large
> than MTU ? Is it safe to assume such traffic is nothing but dumb
> attacks?
>
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: UDP fragments , legitimate ?
  2012-12-14 21:00 ` Brad Silva
@ 2012-12-15  1:31   ` Amos Jeffries
  0 siblings, 0 replies; 5+ messages in thread
From: Amos Jeffries @ 2012-12-15  1:31 UTC (permalink / raw)
  To: Netfilter Users Mailing list

On 15/12/2012 10:00 a.m., Brad Silva wrote:
> I know that NFS over UDP commonly sends packets that are much larger
> than the MTU (as much as 32KB per).
>
> However, it's very unlikely that you would see NFS outside your
> firewall.  Also, most NFS these days is over TCP.

HTCP protocol used by HTTP proxies to communicate between cluster peers 
can contain up to 64KB packets.

Amos


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: UDP fragments , legitimate ?
  2012-12-14 20:06 UDP fragments , legitimate ? 叶雨飞
  2012-12-14 21:00 ` Brad Silva
@ 2012-12-17 10:04 ` Michal Kubecek
  2012-12-17 21:27 ` Eliezer Croitoru
  2 siblings, 0 replies; 5+ messages in thread
From: Michal Kubecek @ 2012-12-17 10:04 UTC (permalink / raw)
  To: 叶雨飞; +Cc: netfilter@vger.kernel.org

On Fri, Dec 14, 2012 at 12:06:12PM -0800, 叶雨飞 wrote:
> 
> Is there legitimate use of UDP fragments in the wild? have you seen
> commonly used application sending/receving UDP packets that is large
> than MTU ? Is it safe to assume such traffic is nothing but dumb
> attacks?

About one year ago I've seen (fragmented) aproximately 3KB packets of
JXTA protocol. But I have no idea how JXTA works so I don't know whether
this size is normal or just a result of their configuration.

                                                          Michal Kubecek


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: UDP fragments , legitimate ?
  2012-12-14 20:06 UDP fragments , legitimate ? 叶雨飞
  2012-12-14 21:00 ` Brad Silva
  2012-12-17 10:04 ` Michal Kubecek
@ 2012-12-17 21:27 ` Eliezer Croitoru
  2 siblings, 0 replies; 5+ messages in thread
From: Eliezer Croitoru @ 2012-12-17 21:27 UTC (permalink / raw)
  To: 叶雨飞; +Cc: netfilter@vger.kernel.org

The basic answer for that is your network usage\users.
A UDP application shouldn't care about MTU since the data Is suppose to 
get from one end to the other.

Also notice that MTU size is not a must since there are also 
Jumbo-frames which are big and many OS can fragment a packet from 1500 
to 400 so this is not really something you can rely on.

If you have specific applications running in your environment you will 
have no problem testing it.

Eliezer

On 12/14/2012 10:06 PM, 叶雨飞 wrote:
> This is more like a general networking question
>
> Is there legitimate use of UDP fragments in the wild? have you seen
> commonly used application sending/receving UDP packets that is large
> than MTU ? Is it safe to assume such traffic is nothing but dumb
> attacks?
>
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2012-12-17 21:27 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-12-14 20:06 UDP fragments , legitimate ? 叶雨飞
2012-12-14 21:00 ` Brad Silva
2012-12-15  1:31   ` Amos Jeffries
2012-12-17 10:04 ` Michal Kubecek
2012-12-17 21:27 ` Eliezer Croitoru

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).