OS-specific DoS attacks such as teardrop attacks can cripple a system with minimum effort.
|
Before You Begin |
|---|
|
For background information, read OS-Specific DoS Attacks Overview. |
Teardrop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the fields is the fragment offset field, which indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet. See Figure 54.
Figure 54: Teardrop Attacks
When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash, especially if it is running an older operating system that has this vulnerability. See Figure 55.
Figure 55: Fragment Discrepancy
After you enable the teardrop attack SCREEN option, whenever JUNOS software with enhanced services detects this discrepancy in a fragmented packet, it drops it.