
Configuring Teardrop Attack Defense

An attacker who captures IP fragments can set their fragment offset fields to incorrect values. The receiver then cannot reassemble the fragments correctly from the offsets carried in the packets, keeps retrying reassembly, and exhausts operating system resources until the OS crashes.

Context

When fragment forwarding is enabled, the device forwards fragments directly without inspecting them, so Teardrop attack defense cannot take effect.

To fit the Maximum Transmission Unit (MTU) of the link layer, large IP packets must be fragmented before transmission. Each fragment's IP header carries a fragment offset field and a More Fragments flag. The offset field gives the position of the fragment's data within the original packet, in units of 8 bytes. If an attacker intercepts fragments and changes their offset values so that the fragments overlap or are otherwise inconsistent, the receiver cannot reassemble the original packet from the offset fields. It keeps trying to reassemble, operating system resources are exhausted, and the operating system crashes.

To defend against this attack, received fragments must be analyzed to check whether their offset values are inconsistent. If so, the fragments must be discarded and the attack logged.

Teardrop attack defense must be disabled in the following scenario:

A GRE tunnel traverses the FW, or the FW is one end of the GRE tunnel.

If GRE packets are fragmented on the network, the fragments may match the Teardrop attack conditions and be discarded, so services become abnormal.

Procedure

  1. In the user view, access the system view.

    system-view

  2. Enable Teardrop attack defense.

    firewall defend teardrop enable

Copyright © Huawei Technologies Co., Ltd.