[OpenAFS] teardrop attack

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 08 Oct 2009 14:07:02 -0400

David R Boldt wrote:
>> I'm a bit puzzled.  Quoting Wikipedia "A Teardrop attack involves
>> sending mangled IP fragments with overlapping, over-sized payloads to
>> the target machine."  The goal is to trip bugs in the operating system's
>> IP fragment re-assembly code that can cause the machine to crash.
>> The vulnerable Windows versions are Windows 3.1, Windows 95, and NT4,
>> and Linux kernels older than 2.0.32 and 2.1.63.
>> Is the client machine configured to send jumbograms?
> Trying to collect that information now, waiting on user response.
> 90% of our users are on Windows XP, 5% Mac.
> This particular user would be unlikely to
> customize settings.

Then jumbograms would be off.

>> Is there some other reason that packets are being fragmented?
> Don't know yet if this could be a factor but the user was
> connecting through a Juniper VPN.  Will dig deeper.

IPSec VPNs often results in packet fragmentation unless the
RxMaxMTU is artificially restricted to a value less than 1272.

Jeffrey Altman