Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All
     

    Related Documentation

     

    Configuring IP Teardrop Attack Screen

    This topic describes how to configure detection of an IP teardrop attack.

    Teardrop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the field is the fragment offset fields, which indicates the starting position, or offset of the data contained in a fragmented packet, relative to the data of the original unfragmented packet. When the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap and the server attempting to reassemble the packet might crash.

    To enable detection of a teardrop attack:

    1. Configure interfaces and assign IP addresses to the interfaces.
      user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
    2. Configure security zones trustZone and untrustZone and assign interfaces to them.
      user@host# set security zones security-zone trustZone host-inbound-traffic system-services alluser@host# set security zones security-zone trustZone host-inbound-traffic protocols alluser@host# set security zones security-zone trustZone interfaces ge-0/0/1.0user@host# set security zones security-zone untrustZone host-inbound-traffic system-services alluser@host# set security zones security-zone untrustZone host-inbound-traffic protocols alluser@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0user@host# user@host#
    3. Configure security policies from untrustZone to trustZone.
      user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set security policies default-policy deny-all
    4. Configure the security screen option and attach it to the untrustZone.
      user@host# set security screen ids-option untrustScreen ip tear-dropuser@host# set security zones security-zone untrustZone screen untrustScreenuser@host# set security screen ids-option untrustScreen alarm-without-drop
    5. Configure syslog.
      user@host# set system syslog file syslog any anyuser@host# set system syslog file syslog archive size 10000000user@host# set system syslog file syslog explicit-priorityuser@host# set system syslog file syslog structured-datauser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
    6. Commit the configuration.
      user@host# commit
     

    Related Documentation

     

    Modified: 2016-08-01