I have a host at site B which is connected via Smoothwall firewalls/vpn to site A, the main office. I am getting a steady stream of the following alerts from snort on the host at site B as shown below
Code:
snort[18420]: [1:3626:1] ICMP PATH MTU denial of service [Classification: Attempted Denial of Service] [Priority: 2]: {ICMP} 192.168.x.x -> 192.168.x.x
This occurs every 5 minutes, so I decided to use tcpdump to isolate the traffic and have a look at it:
Code:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
02:05:36.180774 IP (tos 0xc0, ttl  64, id 12078, offset 0, flags [none], proto: ICMP (1), length: 576) router.mydomain.com > host_siteB.mydomain.com: ICMP host_siteA.mydomain.com unreachable - need to frag (mtu 1443), length 556
        IP (tos 0x0, ttl  63, id 43507, offset 0, flags [DF], proto: TCP (6), length: 1500) host_siteB.mydomain.com.mit-ml-dev > host_siteA.mydomain.com.60268: . 594521442:594522890(1448) ack 3370043923 win 5792 <nop,nop,timestamp 591791251 632888320>[|icmp]
It looks to me like the alert is genuine: the packet is doing the MTU thingy to reduce throughput, which looks like a DoS to snort. Can I fix this so it actually works normally without having to write a pass rule for it?

Is something not quite right with my network setup? I have seen this on my workstation when sshing into the firewall at siteA and then sshing to my workstation from there. It seems that the firewalls are sending these packets, but I'm not entirely sure why. Perhaps the links in between are limited to 1443 rather than 1500. Would trying to increase to 1500 help?

Is smoothwall being silly or is it just trying to please the upstream connection by limiting mtu to 1443?

Any recommendations?
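As an added example (not from the post, and not snort's or Smoothwall's own code), here is a small Python check that parses an ICMP "fragmentation needed" message like the one captured above and reports whether it is a self-consistent path-MTU discovery message, i.e. the quoted packet has DF set and is larger than the advertised next-hop MTU. The packet bytes, addresses, ports and the 576..1500 MTU plausibility bounds are constructed assumptions for the demonstration.

```python
"""Sanity-check an ICMP type 3 code 4 ("need to frag") message, the packet class
that snort SID 1:3626 reports as "ICMP PATH MTU denial of service"."""
import struct

# Assumed plausibility bounds: 576 is the IPv4 minimum reassembly size, 1500 is Ethernet.
MIN_MTU, MAX_MTU = 576, 1500


def ipv4_header(total_len, proto, df):
    """Build a minimal 20-byte IPv4 header (checksum left zero; this is test data)."""
    flags_frag = 0x4000 if df else 0          # DF is bit 0x40 of byte 6
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag, 64, proto, 0,
                       bytes([192, 168, 1, 10]), bytes([192, 168, 2, 10]))


def frag_needed_packet(mtu, inner_len, df=True):
    """Constructed sample: outer IPv4 + ICMP 3/4 + quoted inner IPv4 header + 8 bytes of TCP,
    mirroring the tcpdump output (a 1500-byte DF segment answered with 'mtu 1443')."""
    inner = ipv4_header(inner_len, 6, df) + struct.pack("!HHI", 3000, 60268, 594521442)
    # RFC 1191 layout: type, code, checksum, unused, next-hop MTU
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    return ipv4_header(20 + len(icmp), 1, False) + icmp


def classify_pmtu(pkt):
    """Parse the outer IP + ICMP headers and the quoted datagram; list inconsistencies."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return {"pmtu": False, "verdict": "not a fragmentation-needed message"}
    inner = icmp[8:]
    inner_len = struct.unpack("!H", inner[2:4])[0]   # total length of the quoted packet
    df = bool(inner[6] & 0x40)                       # DF flag of the quoted packet
    problems = []
    if not df:
        problems.append("quoted packet did not set DF, so no PMTU message was warranted")
    if not MIN_MTU <= mtu <= MAX_MTU:
        problems.append(f"next-hop MTU {mtu} outside plausible range {MIN_MTU}-{MAX_MTU}")
    if inner_len <= mtu:
        problems.append(f"quoted packet ({inner_len} bytes) already fits in MTU {mtu}")
    verdict = "consistent path-MTU discovery" if not problems else "suspicious"
    return {"pmtu": True, "mtu": mtu, "inner_len": inner_len, "df": df,
            "problems": problems, "verdict": verdict}


if __name__ == "__main__":
    print(classify_pmtu(frag_needed_packet(1443, 1500)))
```

A message that passes these checks is the router legitimately telling the sender to shrink its segments (here to 1443 bytes, the VPN path's effective MTU); a message that fails them is the shape worth keeping the rule for.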