Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Juniper SSG320M Teardrop Attack

Posted on 2014-01-13
Medium Priority
Last Modified: 2014-01-20
We currently have a Juniper SSG320M at our colo and a SSG140 at our home office, we are running over an IPSEC VPN from our home office to our colo. I am getting Teardrop attack alerts every hour or so at our colo, the interesting thing is its reporting the attack coming from our home office IP. I already have Teardrop protection turned on at both locations for the Trust and Untrust interfaces. I am just having trouble figuring out why these attacks are occurring and where they are generated from. Any help in this matter would be great.
Thanks -Chad-

Teardrop attack! From to, proto 50 (zone Untrust, int ethernet0/2). Occurred 1 times.
Question by:PMICORP
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 64

Expert Comment

ID: 39778548
Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The teardrop option directs the device to drop any packets that have such a discrepancy.

Since Teardrop is related to the reassembly of fragmented packet, possibly check the complete path from the src ssg to dest ssg5 for any fragmentation.
Also, the below link might be helpful for you.

Just a slight note, Tear Drop attacks are not errors on the firewall. They are what the firewall thinks is an attack and is being dropped by the firewalls basic built in IDP functionality (aka screens). Screens do basic signature matching looking for canned attacks, Tear Drop included. This can be likely a false positive (assuming you know the source/dest IP).

Dor the case of trigger it stated proto 50 which is juniper ipsec vpn tunnel if I am nit wrong..hopefully not some vpn related.  If can test without vpn to also see if alert still happen

Author Comment

ID: 39779369
Thanks for your replay, I understand what a Teardrop is I do not understand why it is occurring and how I prevent it from occurring. I also understand that it has to be happening because of the VPN connection from our home office to our colo, we have never had issues in the past this is something new and I would like to eliminate the problem. Thanks
LVL 64

Assisted Solution

btan earned 1000 total points
ID: 39779442
If the traffic capture along the change relfect the discrepancy in the fragment offset then maybe we can isolate the solution. It looks like vpn been in placed may have created fragments. This can be a good case to raise to juniper support folks, probably a smaller mtu is needed to suite the ipsec encapsulation. Just soem quick thoughts
LVL 71

Accepted Solution

Qlemo earned 1000 total points
ID: 39792439
This pretty much sounds like an MTU issue, and failing handling on the client side. First item to check for is the ScreenOS releases involved. The should be up-to-date. I cannot remember having seen any mentioning of Teardrop in the release notes of the last years, but that doesn't mean much ;-).
And the point about asking JTAC is a very good one. It is an issue between two SSGs, so should be easy to debug if occuring more often.

Author Closing Comment

ID: 39794792
Thanks for the advice updating to the latest firmware has resolved the issue.

Featured Post

Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question