
Teardrop Attack


technical1

Technical User
Sep 2, 2002
52
GB
Good Morning,
I noticed the following entry in my syslog file:

2003-09-09 11:34:09 Local7.Critical 172.16.1.1 %PIX-2-106020: Deny IP teardrop fragment (size = 20, offset = 8) from 192.168.40.84 to ex.ter.nal.ip

I read the following article:

and it says to escalate this issue.
Any ideas on how to protect my pix against this?

Regards,
Vinay
 
Are you getting a lot of these messages or only a couple of them? If you are sporadically getting one of these messages then it may be a false positive alarm. Try to determine the activities on the internal machine 192.168.40.84.
 
Hi themut,
Thanks for your reply.
I get around 8 of these a day.

Trouble is the only internal networks I have are:
192.168.245.*
192.168.246.*
172.16.1.*

So I don't know how this 192.168.40.84 address is being recorded.
 
You may configure the command "ip verify reverse-path interface inside"; this will protect your inside interface from attacks originating on the internal LAN using spoofing techniques.
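The question and the reverse-path advice above come down to one check: does the source address of a logged fragment belong to any network that actually sits behind the inside interface? The script below is an added example, not code from the thread or from Cisco. It parses %PIX-2-106020 lines in the format quoted by the original poster, counts events per source, and flags sources outside the three inside networks listed in the thread, which is the same decision the reverse-path check makes on the inside interface. The log lines are constructed sample data modelled on the quoted message; the destination address 203.0.113.10 is a documentation address standing in for the thread's "ex.ter.nal.ip" placeholder, and the source 192.168.245.17 is invented to show a non-flagged case.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines, modelled on the %PIX-2-106020 message
# quoted in the thread. 203.0.113.10 is a documentation address used in place
# of the thread's "ex.ter.nal.ip"; the 192.168.245.17 line is invented.
SAMPLE_LOG = """\
2003-09-09 11:34:09 Local7.Critical 172.16.1.1 %PIX-2-106020: Deny IP teardrop fragment (size = 20, offset = 8) from 192.168.40.84 to 203.0.113.10
2003-09-09 12:02:41 Local7.Critical 172.16.1.1 %PIX-2-106020: Deny IP teardrop fragment (size = 20, offset = 8) from 192.168.40.84 to 203.0.113.10
2003-09-09 12:30:05 Local7.Critical 172.16.1.1 %PIX-2-106020: Deny IP teardrop fragment (size = 28, offset = 16) from 192.168.245.17 to 203.0.113.10
2003-09-09 12:31:00 Local7.Notice 172.16.1.1 %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

# The inside networks exactly as the original poster listed them.
INSIDE_NETS = [
    ip_network("192.168.245.0/24"),
    ip_network("192.168.246.0/24"),
    ip_network("172.16.1.0/24"),
]

# Matches the teardrop deny message layout shown in the thread.
TEARDROP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ (?P<fw>\S+) %PIX-2-106020: Deny IP teardrop fragment "
    r"\(size = (?P<size>\d+), offset = (?P<offset>\d+)\) from (?P<src>\S+) to (?P<dst>\S+)$"
)


def parse_teardrop_events(text):
    """Return one dict per %PIX-2-106020 line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TEARDROP_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "fw": m["fw"],
            "size": int(m["size"]),
            "offset": int(m["offset"]),
            "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]),
        })
    return events


def is_inside_source(addr, nets=INSIDE_NETS):
    """True if addr falls in a network that legitimately lives behind 'inside'."""
    return any(addr in n for n in nets)


def triage(text, nets=INSIDE_NETS):
    """Group events by source address and flag any source that no inside
    network can account for. Such a packet is either spoofed or arriving from
    a subnet the firewall does not know about; the reverse-path check on the
    inside interface drops exactly these."""
    events = parse_teardrop_events(text)
    counts = Counter(str(e["src"]) for e in events)
    return {
        src: {
            "count": n,
            "spoofed_or_misrouted": not is_inside_source(ip_address(src), nets),
        }
        for src, n in counts.items()
    }


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} event(s), "
              f"{'NOT in any inside net' if info['spoofed_or_misrouted'] else 'inside net'}")
```

Run against a real syslog export, the flagged entries are the ones worth checking at the switch or router feeding the inside interface (ARP or MAC table for the offending frames) rather than at the PIX, since the firewall only sees the claimed source address.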
 
Hi themut,
Would you have any ideas how they could use such a source address of 192.168.40.84? These addresses are not supposed to be routed via the internet.

Also, would adding the above command cause any impact on a 'live' pix?
 
It is called spoofing. As far as I recall, Teardrop is either ICMP or UDP based, so no session is established; a sender can send packets with a source that is not really his and this way try to cover his tracks, and maybe also get through badly configured firewalls at the same time.

Jan
 