Reg. teardrop error in ASA

Dec 31st, 2008

Hi


I am getting this error in ASA Firewall


106020: Deny IP teardrop fragment (size = 40, offset = 0) from 192.168.2.112 to 172.16.100.5

Can somebody please help me out in this regard?



Pravin Phadte Wed, 12/31/2008 - 02:59

It is a log and is mostly ignored, unless you have a problem with the IP address shown above.


Cisco explains:

Explanation: The security appliance discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the security appliance or an Intrusion Detection System.


Recommended Action: Contact the remote peer administrator or escalate this issue according to your security policy.



John Blakley Wed, 12/31/2008 - 09:00

A teardrop attack is where the packets that are sent to the network are fragmented with overlapping values. When the packet is reassembled, the system can become unstable because the packets overlap.


Not knowing the way that your network is laid out, you can block this IP if you're seeing a lot of it. It possibly could be a bad NIC, IP stack, virus, malware, or an actual attack. You'd have to track that system down to determine what's going on with it.


HTH,


John


*please rate if helpful*
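
Added example, not part of the original thread and not Cisco's code: a small Python triage script that counts 106020 events per source so you can tell a one-off from a host that needs tracking down. The sample log lines (timestamps, the `%ASA-2-` header, the second source address), the function names and the threshold of 3 are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Body of ASA message 106020. The space before "from" is optional because
# the line quoted in the thread has none.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TEARDROP_RE = re.compile(
    r"106020: Deny IP teardrop fragment "
    r"\(size = (?P<size>\d+), offset = (?P<offset>\d+)\)\s*"
    rf"from (?P<src>{IP}) to (?P<dst>{IP})"
)

def parse_teardrop(line):
    """Return the fields of a 106020 line, or None for any other line."""
    m = TEARDROP_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "size": int(m["size"]), "offset": int(m["offset"])}

def summarize(lines, threshold=3):
    """Group 106020 events by source; flag sources at or above threshold."""
    stats = defaultdict(lambda: {"count": 0, "dsts": set(), "shapes": set()})
    for line in lines:
        ev = parse_teardrop(line)
        if ev is None:
            continue  # not a teardrop message
        entry = stats[ev["src"]]
        entry["count"] += 1
        entry["dsts"].add(ev["dst"])
        entry["shapes"].add((ev["size"], ev["offset"]))
    flagged = sorted(s for s, e in stats.items() if e["count"] >= threshold)
    return dict(stats), flagged

# Constructed sample log (hypothetical timestamps and second source host).
SAMPLE_LOG = [
    "Dec 31 2008 02:41:07: %ASA-2-106020: Deny IP teardrop fragment (size = 40, offset = 0) from 192.168.2.112 to 172.16.100.5",
    "Dec 31 2008 02:41:08: %ASA-2-106020: Deny IP teardrop fragment (size = 40, offset = 0) from 192.168.2.112 to 172.16.100.5",
    "Dec 31 2008 02:41:09: %ASA-6-302013: Built outbound TCP connection 1001 for outside:172.16.100.5/80 (172.16.100.5/80) to inside:192.168.2.50/51000 (192.168.2.50/51000)",
    "Dec 31 2008 02:41:10: %ASA-2-106020: Deny IP teardrop fragment (size = 28, offset = 8) from 192.168.2.77 to 172.16.100.9",
    "Dec 31 2008 02:41:11: %ASA-2-106020: Deny IP teardrop fragment (size = 40, offset = 0) from 192.168.2.112 to 172.16.100.5",
]

if __name__ == "__main__":
    stats, flagged = summarize(SAMPLE_LOG)
    for src, e in sorted(stats.items()):
        mark = "INVESTIGATE" if src in flagged else "ok"
        print(f"{src}: {e['count']} events to {sorted(e['dsts'])}, "
              f"(size, offset) seen: {sorted(e['shapes'])} [{mark}]")
```

A source that keeps appearing with the same size and offset toward one destination points at a single misbehaving host, which is the case described above where you would track the system down.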
