[OpenAFS] teardrop attack

David R Boldt dboldt@usgs.gov
Thu, 8 Oct 2009 12:00:26 -0400


Recently one of our data site managers reported that 
a "teardrop attack" had occurred against one of our 
AFS file servers, as had been reported by the firewall, 
and wanted us to check to make sure that nothing had 
been compromised on the server.

About two years ago one of our offices had the peculiar 
issue of not being able to copy large files into AFS 
("large" not being well-defined). After much debugging 
we discovered that the local office firewall was seeing 
sustained AFS traffic as a teardrop attack, and would 
then automatically block the connection.  The file 
copy would time out, and the firewall seeing a reduced 
level of traffic would decide that the attack had ended 
and would reopen the connection. Copying small files did
not trigger a firewall response.

Armed with this experience we quickly confirmed that in 
fact the teardrop attack was simply an AFS user. In this
case the firewall equipment is a Juniper ISG2000. We have
been told that there is no tuning available for teardrop 
attack filtering, it is either enabled or disabled for 
the entire network.

Just wanted to report this in case somebody else
bumps into a similar issue.


                     -- David Boldt
                        <dboldt@usgs.gov>


   "People who get nostalgic about childhood were obviously never 
children."
    --Bill Watterson (Calvin and Hobbes)
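
Added example, not part of the original post: a triage check for the situation described above, which groups captured IP fragments per datagram and reports whether any actually overlap (the defining trait of a teardrop packet) or simply follow one another as ordinary fragmentation does. The record layout, the function name classify() and the sample addresses are assumptions made for illustration; the post does not say what heuristic the firewall applies.

```python
from collections import defaultdict

# Constructed sample records, as might be exported from a packet capture:
# (src, dst, ip_id, proto, frag_offset_in_8_byte_units, payload_len, more_fragments)
SAMPLE = [
    # One large UDP datagram split into back-to-back fragments (normal)
    ("10.0.0.5", "10.0.1.9", 4001, 17, 0, 1480, True),
    ("10.0.0.5", "10.0.1.9", 4001, 17, 185, 1480, True),
    ("10.0.0.5", "10.0.1.9", 4001, 17, 370, 520, False),
    # Second fragment begins inside the first one (teardrop pattern)
    ("10.0.0.7", "10.0.1.9", 9001, 17, 0, 36, True),
    ("10.0.0.7", "10.0.1.9", 9001, 17, 3, 4, False),
]

def classify(fragments):
    """Return {datagram_key: 'contiguous' | 'overlap' | 'incomplete'}."""
    groups = defaultdict(set)  # a set drops exact retransmitted duplicates
    for src, dst, ip_id, proto, off8, length, mf in fragments:
        # The IP header stores the fragment offset in units of 8 bytes.
        groups[(src, dst, ip_id, proto)].add((off8 * 8, length, mf))

    verdicts = {}
    for key, frags in groups.items():
        verdict, end, saw_last = "contiguous", 0, False
        for start, length, mf in sorted(frags):
            if start < end:
                # Fragment starts before the previous one ended.
                verdict = "overlap"
                break
            if start > end:
                # Hole in the datagram: a fragment is missing from the capture.
                verdict = "incomplete"
            end = start + length
            saw_last = saw_last or not mf
        if verdict == "contiguous" and not saw_last:
            verdict = "incomplete"  # final fragment (MF=0) never seen
        verdicts[key] = verdict
    return verdicts

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE).items():
        print(key, verdict)
```

Only an "overlap" verdict matches the teardrop pattern; "contiguous" and "incomplete" datagrams are what heavy but legitimate fragmented traffic looks like in a capture.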
