[OpenAFS] teardrop attack

David R Boldt dboldt@usgs.gov
Thu, 8 Oct 2009 13:55:37 -0400



> I'm a bit puzzled.  Quoting Wikipedia "A Teardrop attack involves
> sending mangled IP fragments with overlapping, over-sized payloads to
> the target machine."  The goal is to trip bugs in the operating system's
> IP fragment re-assembly code that can cause the machine to crash.
> 
> The vulnerable Windows versions are Windows 3.1, Windows 95, and NT4,
> and Linux kernels older than 2.0.32 and 2.1.63.
> 
> Is the client machine configured to send jumbograms?

Trying to collect that information now, waiting on user response.
90% of our users are on Windows XP, 5% Mac.
This particular user would be unlikely to customize settings.

> Is there some other reason that packets are being fragmented?

Don't know yet if this could be a factor but the user was 
connecting through a Juniper VPN.  Will dig deeper.

> Given that the machines that are vulnerable to the attack
> are so old, is there still a reason to turn on this protection
> in the firewall?

I was unaware of the target of teardrop attacks; it sounds like
unnecessary filtering.  Will make that pitch to the firewall
folks.


--david
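
The following is an added example, not part of the original message and not the code of any firewall mentioned in the thread. It sketches the kind of check a teardrop filter makes, separating ordinary fragmentation (for instance at a reduced tunnel MTU) from overlapping or over-sized fragments. The function names are hypothetical, the packets are constructed samples using documentation addresses, and a 20-byte IPv4 header without options is assumed.

```python
import struct

MAX_PAYLOAD = 65535 - 20   # assumption: 20-byte IPv4 header, no options
IP_HDR = "!BBHHHBBH4s4s"   # fixed part of the IPv4 header

def parse_fragment(packet: bytes):
    """Return (datagram key, payload offset, payload length) for one packet."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8   # fragment offset is in 8-byte units
    return (src, dst, proto, ident), offset, total_len - ihl

def check_datagram(fragments):
    """Classify the (offset, length) fragments that belong to one datagram."""
    findings = set()
    end_prev = 0
    for offset, length in sorted(fragments):
        if offset + length > MAX_PAYLOAD:
            findings.add("oversized")   # reassembly would exceed 65535 bytes
        if offset < end_prev:
            findings.add("overlap")     # starts inside data already covered
        end_prev = max(end_prev, offset + length)
    return sorted(findings) or ["clean"]

def classify(packets):
    """Group raw packets by (src, dst, proto, id) and check each group."""
    groups = {}
    for pkt in packets:
        key, offset, length = parse_fragment(pkt)
        groups.setdefault(key, []).append((offset, length))
    return {key: check_datagram(frags) for key, frags in groups.items()}

def sample_packet(ident, offset, payload_len, more):
    """Constructed test packet: IPv4/UDP header fields plus a zeroed payload."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 17, 0, bytes([192, 0, 2, 1]),
                       bytes([192, 0, 2, 2])) + bytes(payload_len)

# Constructed samples: id 1 is split cleanly in two, id 2 has a second
# fragment that starts inside the first, id 3 ends past the 65535-byte limit.
SAMPLES = [sample_packet(1, 0, 1376, True), sample_packet(1, 1376, 128, False),
           sample_packet(2, 0, 1376, True), sample_packet(2, 24, 16, False),
           sample_packet(3, 65528, 100, False)]

if __name__ == "__main__":
    for key, verdict in classify(SAMPLES).items():
        print("id", key[3], verdict)
```

Contiguous fragments such as datagram 1 come back clean, so fragmentation alone does not trip a check of this form.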