Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1529
  • Last Modified:

Juniper SSG320M Teardrop Attack

We currently have a Juniper SSG320M at our colo and a SSG140 at our home office, we are running over an IPSEC VPN from our home office to our colo. I am getting Teardrop attack alerts every hour or so at our colo, the interesting thing is its reporting the attack coming from our home office IP. I already have Teardrop protection turned on at both locations for the Trust and Untrust interfaces. I am just having trouble figuring out why these attacks are occurring and where they are generated from. Any help in this matter would be great.
Thanks -Chad-

Teardrop attack! From 67.xxx.xxx.xxx to 63.xxx.xxx.xxx, proto 50 (zone Untrust, int ethernet0/2). Occurred 1 times.
0
PMICORP
Asked:
PMICORP
  • 2
  • 2
2 Solutions
 
btanExec ConsultantCommented:
Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The teardrop option directs the device to drop any packets that have such a discrepancy.

Since Teardrop is related to the reassembly of fragmented packet, possibly check the complete path from the src ssg to dest ssg5 for any fragmentation.
 
Also, the below link might be helpful for you.
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/understanding-teardrop-attacks.html

Just a slight note, Tear Drop attacks are not errors on the firewall. They are what the firewall thinks is an attack and is being dropped by the firewalls basic built in IDP functionality (aka screens). Screens do basic signature matching looking for canned attacks, Tear Drop included. This can be likely a false positive (assuming you know the source/dest IP).

Dor the case of trigger it stated proto 50 which is juniper ipsec vpn tunnel if I am nit wrong..hopefully not some vpn related.  If can test without vpn to also see if alert still happen
0
 
PMICORPAuthor Commented:
Thanks for your replay, I understand what a Teardrop is I do not understand why it is occurring and how I prevent it from occurring. I also understand that it has to be happening because of the VPN connection from our home office to our colo, we have never had issues in the past this is something new and I would like to eliminate the problem. Thanks
0
 
btanExec ConsultantCommented:
If the traffic capture along the change relfect the discrepancy in the fragment offset then maybe we can isolate the solution. It looks like vpn been in placed may have created fragments. This can be a good case to raise to juniper support folks, probably a smaller mtu is needed to suite the ipsec encapsulation. Just soem quick thoughts
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
This pretty much sounds like an MTU issue, and failing handling on the client side. First item to check for is the ScreenOS releases involved. The should be up-to-date. I cannot remember having seen any mentioning of Teardrop in the release notes of the last years, but that doesn't mean much ;-).
And the point about asking JTAC is a very good one. It is an issue between two SSGs, so should be easy to debug if occuring more often.
0
 
PMICORPAuthor Commented:
Thanks for the advice updating to the latest firmware has resolved the issue.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now