Hot rodding PCs cause online banking problems
- 23 July, 2002 22:00
Some DSL users are having trouble accessing online banking sites, especially if they've been tweaking their registry settings to achieve maximum speed.
The DSL mailing list reports several people having difficulty using secure banking sites: users report being able to log on but then not being able to transact any business using the sites. The problem isn't restricted to any one bank, and seems to stem from banks blocking internet control message protocol (ICMP) messages.
ASB Bank security specialist Darren Bilby says the problem doesn't affect many customers. Problems tend to occur when users have been "hot-rodding" - tinkering with the maximum transmission unit (MTU) size in their registry settings to improve throughput.
"If someone's done some really crazy tweaking at their end then it could potentially cause an issue."
He's only seen two complaints over the issue in four years. He says such users typically fix their own problem by "tinkering under the hood" which could help explain why so few problems are reported to the bank.
Bilby says the problem starts when traffic arrives at the web server at the bank.
"We send a response back saying 'don't fragment this packet' and we're going to send it at 1500 bytes," which is the standard size. The packet then travels back to the user via a generic routing encapsulation (GRE) protocol tunnel, which will only accept packets that are smaller than 1476 bytes.
"It says 'this packet is too big' so it can't send it on but it's not allowed to fragment it either, so it says 'I'll generate an ICMP message'." However, the ICMP message never gets through to the banks because the banks filter ICMP, and the message eventually times out.
"It's one of those things where our standard policy is if we don't need it and it's no great issue, let's leave it off," says Bilby.
Bilby says the issue usually only occurs with larger packets, and that typically happens after the user has logged on and is requesting a larger file, like an account statement.
"Often a user can log on to a website that is blocking all ICMP but can't retrieve larger web pages such as a large balance screen or statement listings."
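The exchange described above can be reproduced in a short simulation. This is an added example, not code from the article or from either bank: `deliver`, `GRE_PATH`, the 40-byte header size and the retry count are assumptions, and the `client_mtu` parameter goes beyond the article by modelling TCP's MSS negotiation, which is why a user changing their own MTU setting can make the problem disappear.

```python
IP_TCP_HEADERS = 40      # assumed: 20-byte IPv4 + 20-byte TCP header, no options
SERVER_MTU = 1500        # packet size the bank's server sends (from the article)
GRE_PATH = [1500, 1476, 1500]   # constructed path; 1476 treated as the GRE tunnel MTU


def deliver(response_bytes, path_mtus, bank_filters_icmp,
            client_mtu=1500, max_retries=3):
    """Send a response with "don't fragment" set along path_mtus.

    Returns (delivered, final_packet_size, log). Hypothetical helper.
    """
    # The server never sends segments larger than the MSS the client
    # advertised, which the client derives from its own MTU setting.
    pmtu = min(SERVER_MTU, client_mtu)
    remaining, retries, log = response_bytes, 0, []
    while remaining > 0:
        packet = min(pmtu, remaining + IP_TCP_HEADERS)
        bottleneck = next((m for m in path_mtus if packet > m), None)
        if bottleneck is None:               # fits every hop: delivered
            remaining -= packet - IP_TCP_HEADERS
            retries = 0
        elif bank_filters_icmp:
            # The hop sends ICMP "fragmentation needed" (type 3, code 4),
            # but the bank's filter drops it, so the server just retransmits.
            retries += 1
            log.append(f"{packet}B too big for {bottleneck}; ICMP filtered")
            if retries >= max_retries:
                return False, pmtu, log      # connection stalls, then times out
        else:
            # The ICMP message arrives and the server shrinks its packets.
            log.append(f"{packet}B too big for {bottleneck}; shrink to {bottleneck}")
            pmtu = bottleneck
    return True, pmtu, log


if __name__ == "__main__":
    cases = [("login page, ICMP filtered", 600, True, 1500),
             ("statement, ICMP filtered", 8000, True, 1500),
             ("statement, ICMP allowed", 8000, False, 1500),
             ("statement, ICMP filtered, client MTU 1400", 8000, True, 1400)]
    for name, size, filtered, mtu in cases:
        ok, pmtu, log = deliver(size, GRE_PATH, filtered, client_mtu=mtu)
        print(f"{name}: delivered={ok} packet_size={pmtu} events={len(log)}")
```

The small login response fits in one packet and gets through either way; only the large response needs full-size packets, which is where the filtered ICMP message matters.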
WestpacTrust's head of e-business, Stu Woolett, says his bank also filters out all ICMP traffic for similar reasons.
"We try to keep entry rules [to the network] as tight as possible to what we specifically want in there on the basis that anything else could be bad. We don't need to support ICMP traffic, therefore it is excluded."
Woolett says WestpacTrust hasn't heard of any problems along these lines but also says if users are capable of tweaking MTU settings they're probably fixing their own problems.