ScreenOS Firewalls (NOT SRX)

URGENT: Error Message

‎12-23-2008 11:49 PM

Can anybody help me with the below error I am seeing in Netscreen Firewall ISG 1000?

What is the cause, and how can I prevent it?

Please help.

2008-12-24 02:09:05 emer Teardrop attack! From 172.24.1.44 to 130.200.247.119, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:09:01 emer Teardrop attack! From 172.24.1.44 to 130.200.247.119, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:42 emer Teardrop attack! From 172.24.1.44 to 130.200.247.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:40 emer Teardrop attack! From 172.24.1.44 to 130.200.247.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:17 emer Teardrop attack! From 172.24.1.44 to 130.200.247.113, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:15 emer Teardrop attack! From 172.24.1.44 to 130.200.247.120, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:14 emer Teardrop attack! From 172.24.1.44 to 130.200.247.113, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:13 emer Teardrop attack! From 172.24.1.44 to 130.200.247.19, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:12 emer Teardrop attack! From 172.24.1.44 to 130.200.247.120, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:10 emer Teardrop attack! From 172.24.1.44 to 130.200.247.19, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.

5 REPLIES

Re: URGENT: Error Message

‎12-24-2008 01:14 AM

Hi,

First and most obvious is that this is probably a Tear Drop Attack, which uses overlapping IP fragments to crash vulnerable machines. What you are seeing is an alarm, so do: get alarm eve

You can also use: get zone <zone name> attack command and view the counters.

To block access use screens to block:

set zone untrust screen tear-drop

You may also want to do this for other common attacks like land and winnuke.

Regards

Gavrilo


Re: URGENT: Error Message

‎12-24-2008 01:16 AM

I have a Netscreen ISG 1000 where I don't have zones and Vsys.

In this case, what do I have to configure to stop these attacks?


Re: URGENT: Error Message

‎12-24-2008 02:23 AM

Your alarm says (zone Untrust, int ethernet1/1), so you presumably have a Trust and Untrust zone, and who said anything about VSys?

Do either of the following, where the specified zone is where the attack originates:

WebUI

Screening > Screen (Zone: select a zone name): Select Teardrop Attack Protection, then click Apply.

CLI

set zone zone screen tear-drop

Regards

Gavrilo


Re: URGENT: Error Message

‎12-24-2008 03:36 AM

Hello Gaurav,

Sometimes such alarms can be generated by genuine traffic (false positives). Have you traced the source/destination IPs to know more about the traffic flow? Packet analysis using a packet sniffer can also be helpful.

Regards

Farrukh


Re: URGENT: Error Message

‎12-26-2008 04:08 PM

I would suggest looking over Concepts & Examples Guides. Refer to the ScreenOS version that you are currently running on your ISG. In particular, look at the Attack Detection and Prevention volume as well as the Messages Log Reference guides.

Also, I would take a look at whatever machine owns IP 172.24.1.44 as it seems all these teardrop attacks are sourcing from that host. To prevent the attacks you may need to disable that machine or perhaps set up an ACL on your upstream router for that IP to prevent the ISG from receiving such traffic.

 

-Richard
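
Added example, not part of the thread: a Python script for the triage Farrukh and Richard suggest, grouping the alarm lines by source to show which host, destinations and protocol are involved. The sample lines are copied from the original post; the regex assumes every alarm follows the layout shown there, and the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Five of the alarm lines from the original post (format as shown in the thread).
SAMPLE_LOG = """\
2008-12-24 02:09:05 emer Teardrop attack! From 172.24.1.44 to 130.200.247.119, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:09:01 emer Teardrop attack! From 172.24.1.44 to 130.200.247.119, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:42 emer Teardrop attack! From 172.24.1.44 to 130.200.247.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:40 emer Teardrop attack! From 172.24.1.44 to 130.200.247.117, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
2008-12-24 02:08:10 emer Teardrop attack! From 172.24.1.44 to 130.200.247.19, proto 1 (zone Untrust, int ethernet1/1). Occurred 1 times.
"""

# Assumption: every alarm follows the layout seen in the post.
ALARM_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<level>\w+)\s+"
    r"(?P<attack>.+?)! From (?P<src>[\d.]+) to (?P<dst>[\d.]+), "
    r"proto (?P<proto>\d+) \(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times\."
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

def parse_alarms(text):
    """Yield one dict per alarm; finditer also copes with lines run together."""
    for m in ALARM_RE.finditer(text):
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
        a["proto"], a["count"] = int(a["proto"]), int(a["count"])
        yield a

def summarize(text):
    """Group alarms by (attack, source IP, zone, interface)."""
    groups = defaultdict(lambda: {"events": 0, "dsts": set(), "protos": set(),
                                  "first": None, "last": None})
    for a in parse_alarms(text):
        g = groups[(a["attack"], a["src"], a["zone"], a["intf"])]
        g["events"] += a["count"]  # honours "Occurred N times"
        g["dsts"].add(a["dst"])
        g["protos"].add(PROTO_NAMES.get(a["proto"], str(a["proto"])))
        g["first"] = min(g["first"] or a["ts"], a["ts"])
        g["last"] = max(g["last"] or a["ts"], a["ts"])
    return dict(groups)

if __name__ == "__main__":
    for (attack, src, zone, intf), g in summarize(SAMPLE_LOG).items():
        print(f"{attack} from {src} ({zone}/{intf}): {g['events']} events, "
              f"{len(g['dsts'])} destinations, protocols {sorted(g['protos'])}, "
              f"{g['first']} to {g['last']}")
```

A single source with a private address arriving on the Untrust interface, sending only ICMP to several destinations within a minute, is the kind of pattern worth confirming with a packet capture before deciding between a false positive and a misbehaving host.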