[OpenAFS] teardrop attack

David R Boldt dboldt@usgs.gov
Wed, 14 Oct 2009 18:47:07 -0400



> >> Is there some other reason that packets are being fragmented?
> > 
> > Don't know yet if this could be a factor but the user was
> > connecting through a Juniper VPN.  Will dig deeper.
> 
> IPSec VPNs often result in packet fragmentation unless the
> RxMaxMTU is artificially restricted to a value less than 1272.

This has turned out to be the case. VPN software was causing
packet fragmentation. Using an RxMaxMTU registry setting of
appropriate size prevented the fragmentation and subsequent
teardrop attack signature from the firewalls.

--David Boldt
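
Added example (not part of the original message and not OpenAFS code): a Python check for triaging this kind of firewall alert from a packet capture, separating contiguous fragmentation, as produced when a tunnel lowers the path MTU, from the overlapping fragment offsets that define a teardrop packet. The function names are hypothetical and the packets are constructed samples using documentation addresses.

```python
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def parse_fragment(pkt):
    """Return (flow_key, start, end, more_fragments) for one IPv4 packet."""
    vihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    start = (flags_off & 0x1FFF) * 8            # offset field is in 8-byte units
    end = start + total_len - (vihl & 0x0F) * 4  # payload bytes in this fragment
    return (src, dst, proto, ident), start, end, bool(flags_off & 0x2000)

def classify(packets):
    """Map each flow key to 'unfragmented', 'clean', 'gap' or 'overlap'."""
    flows = defaultdict(list)
    for pkt in packets:
        key, start, end, mf = parse_fragment(pkt)
        flows[key].append((start, end, mf))
    verdicts = {}
    for key, frags in flows.items():
        frags.sort()
        if len(frags) == 1 and frags[0][0] == 0 and not frags[0][2]:
            verdicts[key] = "unfragmented"
            continue
        verdict, expected = "clean", 0
        for start, end, _mf in frags:
            if start < expected:      # fragment begins inside earlier data
                verdict = "overlap"
                break
            if start > expected:      # missing bytes (loss or partial capture)
                verdict = "gap"
            expected = end
        verdicts[key] = verdict
    return verdicts

def make_ipv4(ident, offset, length, mf):
    """Build a constructed IPv4/UDP fragment between 192.0.2.1 and 192.0.2.2."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + length, ident, flags_off, 64, 17, 0,
                      b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return hdr + bytes(length)

SAMPLE = [  # constructed packets, not captured traffic
    make_ipv4(1, 0, 1248, True), make_ipv4(1, 1248, 200, False),  # contiguous
    make_ipv4(2, 0, 36, True), make_ipv4(2, 24, 4, False),        # overlapping
    make_ipv4(3, 0, 100, False),                                   # not fragmented
]
```
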
