Juniper SSG320M Teardrop Attack

Posted on 2014-01-13
Last Modified: 2014-01-20
We currently have a Juniper SSG320M at our colo and a SSG140 at our home office, we are running over an IPSEC VPN from our home office to our colo. I am getting Teardrop attack alerts every hour or so at our colo, the interesting thing is its reporting the attack coming from our home office IP. I already have Teardrop protection turned on at both locations for the Trust and Untrust interfaces. I am just having trouble figuring out why these attacks are occurring and where they are generated from. Any help in this matter would be great.
Thanks -Chad-

Teardrop attack! From to, proto 50 (zone Untrust, int ethernet0/2). Occurred 1 times.
Question by:PMICORP
  • 2
  • 2
LVL 62

Expert Comment

ID: 39778548
Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The teardrop option directs the device to drop any packets that have such a discrepancy.

Since Teardrop is related to the reassembly of fragmented packet, possibly check the complete path from the src ssg to dest ssg5 for any fragmentation.
Also, the below link might be helpful for you.

Just a slight note, Tear Drop attacks are not errors on the firewall. They are what the firewall thinks is an attack and is being dropped by the firewalls basic built in IDP functionality (aka screens). Screens do basic signature matching looking for canned attacks, Tear Drop included. This can be likely a false positive (assuming you know the source/dest IP).

Dor the case of trigger it stated proto 50 which is juniper ipsec vpn tunnel if I am nit wrong..hopefully not some vpn related.  If can test without vpn to also see if alert still happen

Author Comment

ID: 39779369
Thanks for your replay, I understand what a Teardrop is I do not understand why it is occurring and how I prevent it from occurring. I also understand that it has to be happening because of the VPN connection from our home office to our colo, we have never had issues in the past this is something new and I would like to eliminate the problem. Thanks
LVL 62

Assisted Solution

btan earned 250 total points
ID: 39779442
If the traffic capture along the change relfect the discrepancy in the fragment offset then maybe we can isolate the solution. It looks like vpn been in placed may have created fragments. This can be a good case to raise to juniper support folks, probably a smaller mtu is needed to suite the ipsec encapsulation. Just soem quick thoughts
LVL 69

Accepted Solution

Qlemo earned 250 total points
ID: 39792439
This pretty much sounds like an MTU issue, and failing handling on the client side. First item to check for is the ScreenOS releases involved. The should be up-to-date. I cannot remember having seen any mentioning of Teardrop in the release notes of the last years, but that doesn't mean much ;-).
And the point about asking JTAC is a very good one. It is an issue between two SSGs, so should be easy to debug if occuring more often.

Author Closing Comment

ID: 39794792
Thanks for the advice updating to the latest firmware has resolved the issue.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Firewall port opening 2 67
slow vpn connection 9 64
Site-To-site VPN Natting inbound traffic? 9 64
Juniper SRX3600 - block all traffic to two IP's 5 16
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question