Go Premium for a chance to win a PS4. Enter to Win


Juniper SSG320M Teardrop Attack

Posted on 2014-01-13
Medium Priority
Last Modified: 2014-01-20
We currently have a Juniper SSG320M at our colo and a SSG140 at our home office, we are running over an IPSEC VPN from our home office to our colo. I am getting Teardrop attack alerts every hour or so at our colo, the interesting thing is its reporting the attack coming from our home office IP. I already have Teardrop protection turned on at both locations for the Trust and Untrust interfaces. I am just having trouble figuring out why these attacks are occurring and where they are generated from. Any help in this matter would be great.
Thanks -Chad-

Teardrop attack! From 67.xxx.xxx.xxx to 63.xxx.xxx.xxx, proto 50 (zone Untrust, int ethernet0/2). Occurred 1 times.
Question by:PMICORP
  • 2
  • 2
LVL 65

Expert Comment

ID: 39778548
Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The teardrop option directs the device to drop any packets that have such a discrepancy.

Since Teardrop is related to the reassembly of fragmented packet, possibly check the complete path from the src ssg to dest ssg5 for any fragmentation.
Also, the below link might be helpful for you.

Just a slight note, Tear Drop attacks are not errors on the firewall. They are what the firewall thinks is an attack and is being dropped by the firewalls basic built in IDP functionality (aka screens). Screens do basic signature matching looking for canned attacks, Tear Drop included. This can be likely a false positive (assuming you know the source/dest IP).

Dor the case of trigger it stated proto 50 which is juniper ipsec vpn tunnel if I am nit wrong..hopefully not some vpn related.  If can test without vpn to also see if alert still happen

Author Comment

ID: 39779369
Thanks for your replay, I understand what a Teardrop is I do not understand why it is occurring and how I prevent it from occurring. I also understand that it has to be happening because of the VPN connection from our home office to our colo, we have never had issues in the past this is something new and I would like to eliminate the problem. Thanks
LVL 65

Assisted Solution

btan earned 1000 total points
ID: 39779442
If the traffic capture along the change relfect the discrepancy in the fragment offset then maybe we can isolate the solution. It looks like vpn been in placed may have created fragments. This can be a good case to raise to juniper support folks, probably a smaller mtu is needed to suite the ipsec encapsulation. Just soem quick thoughts
LVL 71

Accepted Solution

Qlemo earned 1000 total points
ID: 39792439
This pretty much sounds like an MTU issue, and failing handling on the client side. First item to check for is the ScreenOS releases involved. The should be up-to-date. I cannot remember having seen any mentioning of Teardrop in the release notes of the last years, but that doesn't mean much ;-).
And the point about asking JTAC is a very good one. It is an issue between two SSGs, so should be easy to debug if occuring more often.

Author Closing Comment

ID: 39794792
Thanks for the advice updating to the latest firmware has resolved the issue.

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question