[techtalk] sshd recvd big packet?

Raven, corporate courtesan damask0 at yahoo.com
Fri May 25 10:44:36 EST 2001


Heya --

Quoth Brian:
> I'm getting the following in my logs for a few different machines:
> 
> sshd[8683]: channel 3: rcvd big packet 2908, maxpack 2048
> sshd[8683]: channel 3: rcvd big packet 2940, maxpack 2048

     Ssh only accepts packets that are 2048 bytes or smaller in size
(maxpack 2048).  This is sensible -- the biggest unfragmented packets
that generally make it across the Internet are 1500 bytes or so.  IP
packets can range anywhere from 64 bytes to 65535 bytes in size and
still be in conformance with the RFC defining IP (can't remember the
number at the moment), but most programs and protocols limit the upper
size of packets they will accept.  Ssh will only accept 2048 bytes and
smaller IP packets.  (Many TCP/IP stacks don't deal with IP packets
over 4 Kb.)

     There is an ssh buffer-overflow attempt that uses an oversize
packet to attack ssh daemons (the crc32 attack).  It doesn't work on
recent versions of ssh, so you may be seeing an unsuccessful attempt
here.  See http://lwn.net/2001/0222/a/crc32analysis.php3 and then
http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0294.html for
details of the hole.

     I don't know why else someone would be sending your ssh oversize
packets.  It's not common.  I'm sure there are other possible causes,
though.

Cheers,
Raven

=====
"Passion, hunger, will, and ice cream create their own world
 in which the word 'after' simply doesn't make any sense.
 Ice cream is now."
 -- Starhawk, "The Twelve Wild Swans"
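
Added example, not part of the original message: a small Python script that tallies the "rcvd big packet" lines quoted above per sshd process and channel, so repeated oversize packets within one session stand out in a log review. The last two sample lines and the min_events threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format as quoted in the post; any syslog prefix before "sshd[" is ignored.
BIG_PACKET = re.compile(
    r"sshd\[(?P<pid>\d+)\]: channel (?P<chan>\d+): "
    r"rcvd big packet (?P<size>\d+), maxpack (?P<maxpack>\d+)"
)

SAMPLE_LOG = [
    "sshd[8683]: channel 3: rcvd big packet 2908, maxpack 2048",  # from the post
    "sshd[8683]: channel 3: rcvd big packet 2940, maxpack 2048",  # from the post
    # Constructed lines: a second session and an unrelated sshd message.
    "May 25 10:01:02 hostA sshd[9001]: channel 0: rcvd big packet 40000, maxpack 2048",
    "May 25 10:01:03 hostA sshd[9001]: Accepted password for user from 192.0.2.10 port 4000",
]


def summarize(lines):
    """Return {(pid, channel): {count, largest, maxpack}} for big-packet events."""
    stats = defaultdict(lambda: {"count": 0, "largest": 0, "maxpack": 0})
    for line in lines:
        m = BIG_PACKET.search(line)
        if m is None:
            continue  # not a big-packet message
        entry = stats[(int(m["pid"]), int(m["chan"]))]
        entry["count"] += 1
        entry["largest"] = max(entry["largest"], int(m["size"]))
        entry["maxpack"] = int(m["maxpack"])
    return dict(stats)


def repeated(stats, min_events=2):
    """Sessions that logged the message at least min_events times (assumed threshold)."""
    return sorted(key for key, s in stats.items() if s["count"] >= min_events)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (pid, chan), s in sorted(summary.items()):
        over = s["largest"] - s["maxpack"]
        print(f"sshd[{pid}] channel {chan}: {s['count']} event(s), "
              f"largest {s['largest']} ({over} bytes over maxpack {s['maxpack']})")
    print("repeated:", repeated(summary))
```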
