ScreenOS Firewalls (NOT SRX)
Contributor
Gauravdhingra
Posts: 84
Registered: ‎07-30-2008

URGENT: Error Message

Can anybody help me with the below error I am seeing in Netscreen Firewall ISG 1000?

What is the cause, and how can I prevent it?

Please help.

2008-12-24 02:09:05 emer Teardrop attack! From 172.24.1.44 to 130.200.247.119, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:09:01 emer Teardrop attack! From 172.24.1.44 to 130.200.247.119, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:42 emer Teardrop attack! From 172.24.1.44 to 130.200.247.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:40 emer Teardrop attack! From 172.24.1.44 to 130.200.247.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:17 emer Teardrop attack! From 172.24.1.44 to 130.200.247.113, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:15 emer Teardrop attack! From 172.24.1.44 to 130.200.247.120, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:14 emer Teardrop attack! From 172.24.1.44 to 130.200.247.113, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:13 emer Teardrop attack! From 172.24.1.44 to 130.200.247.19, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:12 emer Teardrop attack! From 172.24.1.44 to 130.200.247.120, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:10 emer Teardrop attack! From 172.24.1.44 to 130.200.247.19, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: URGENT: Error Message

Hi,

First and most obvious is this is probably a Tear Drop Attack which uses overlapping IP fragments to crash vulnerable machines. What you are seeing is an alarm so do: get alarm eve

You can also use: get zone <zone name> attack command and view the counters.

To block access use screens to block:

set zone untrust screen tear-drop

You may also want to do this for other common attacks like land and winnuke.

Regards

Gavrilo

Contributor
Gauravdhingra
Posts: 84
Registered: ‎07-30-2008

Re: URGENT: Error Message

I have a Netscreen ISG 1000 where I don't have zones and Vsys.

In this case, what do I have to configure to stop these attacks?

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: URGENT: Error Message

Your alarm says (zone Untrust, int ethernet1/1) so you presumably have a Trust and Untrust zone, and who said anything about VSys?

Do either of the following, where the specified zone is where the attack originates:

WebUI

Screening > Screen (Zone: select a zone name): Select Teardrop Attack Protection, then click Apply.

CLI

set zone <zone name> screen tear-drop

Regards

Gavrilo

Contributor
fharoon
Posts: 51
Registered: ‎06-21-2008

Re: URGENT: Error Message

Hello Gaurav, sometimes such alarms can be generated by genuine traffic (false positives). Have you traced the source/destination IPs to know more about the traffic flow? Packet analysis using a packet sniffer can also be helpful.

Regards

Farrukh

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: URGENT: Error Message

I would suggest looking over Concepts & Examples Guides. Refer to the ScreenOS version that you are currently running on your ISG. In particular, look at the Attack Detection and Prevention volume as well as the Messages Log Reference guides.

Also, I would take a look at whatever machine owns IP 172.24.1.44 as it seems all these teardrop attacks are sourcing from that host. To prevent the attacks you may need to disable that machine or perhaps set up an ACL on your upstream router for that IP to prevent the ISG from receiving such traffic.

-Richard
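
One way to act on the advice in this thread to trace the source and destination of the alarms (an added example, not part of the original posts and not Juniper tooling): parse alarm lines in the format quoted in the first post and group them by source IP. The sample lines are constructed with documentation-range addresses, the function names are hypothetical, and treating "Occurred N times" as a per-entry repeat count is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
2008-12-24 02:09:05 emer Teardrop attack! From 192.0.2.44 to 198.51.100.119, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:42 emer Teardrop attack! From 192.0.2.44 to 198.51.100.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 2 times.
2008-12-24 02:08:40 emer Teardrop attack! From 192.0.2.44 to 198.51.100.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:15 notif Some unrelated event that must be ignored.
2008-12-24 02:08:10 emer Teardrop attack! From 203.0.113.9 to 198.51.100.19, proto 17 (zone Untrust, int ethernet1/1). Occurred 1 times.
"""

ALARM_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+emer\s+Teardrop attack!\s+"
    r"From (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}),\s+"
    r"proto (?P<proto>\d+)\s+\(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\.\s+"
    r"Occurred (?P<count>\d+) times\."
)

def summarize_teardrop_alarms(text):
    """Group teardrop alarms by source IP; returns {src: summary dict}."""
    acc = defaultdict(lambda: {"events": 0, "dsts": set(), "protos": set(),
                               "ingress": set(), "first": None, "last": None})
    # finditer (not line-by-line) also handles exports where the entries
    # have been run together on one line.
    for m in ALARM_RE.finditer(text):
        s = acc[m["src"]]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s["events"] += int(m["count"])  # assumption: N is a per-entry repeat count
        s["dsts"].add(m["dst"])
        s["protos"].add(int(m["proto"]))
        s["ingress"].add((m["zone"], m["intf"]))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(acc)

def top_sources(summary):
    """Sources ordered by total alarm count, highest first."""
    return sorted(summary, key=lambda ip: summary[ip]["events"], reverse=True)

if __name__ == "__main__":
    summary = summarize_teardrop_alarms(SAMPLE_LOG)
    for ip in top_sources(summary):
        s = summary[ip]
        print(f"{ip}: {s['events']} alarms, {len(s['dsts'])} destinations, "
              f"protos {sorted(s['protos'])}, ingress {sorted(s['ingress'])}, "
              f"{s['first']} .. {s['last']}")
```

In the output, proto 1 is ICMP; one source reaching several destinations in a short window is the pattern rkim describes for 172.24.1.44.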
