OS-specific DoS attacks such as teardrop attacks can cripple a system with minimum effort.
Before You Begin |
---|
For background information, read OS-Specific DoS Attacks Overview. |
Teardrop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the fields is the fragment offset field, which indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet. See Figure 152.
Figure 152: Teardrop Attacks
When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash, especially if it is running an older operating system that has this vulnerability. See Figure 153.
Figure 153: Fragment Discrepancy
After you enable the teardrop attack screen option, whenever JUNOS Software detects this discrepancy in a fragmented packet, it drops it.