[ScreenOS] Different teardrop attack messages in the Event log

  [KB23454]


Summary:
This article describes the issue of different teardrop attack messages being generated in the Event log.
Symptoms:
The device is generating teardrop logs in two different formats:
 
2012-03-09 17:51:55 system emer 00006 Teardrop attack! From 192.168.1.100 to 192.168.1.10, proto 6 (zone Untrust, int ethernet3/1). Occurred 1 times.

2011-05-31 13:49:06 emer Teardrop attack! From 192.168.1.100:33620 to 192.168.1.10:80, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times.

In the first format the source and destination ports are not shown, and the protocol is printed as its IP protocol number (6) instead of its name (TCP).

 
Solution:
Both messages are generated by design. ScreenOS selects one of two teardrop attack log formats depending on the protocol and port values of the offending packet:

If the protocol is TCP or UDP and at least one of the source port and destination port is non-zero, the log includes the ports and names the protocol:

2011-05-31 13:49:06 emer Teardrop attack! From 192.168.1.100:33620 to 192.168.1.10:80, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times.

If the protocol is not TCP or UDP, or the protocol is TCP or UDP but both the source port and destination port are zero, the log omits the ports and prints the IP protocol number:

2012-03-09 17:51:55 system emer 00006 Teardrop attack! From 192.168.1.100 to 192.168.1.10, proto 6 (zone Untrust, int ethernet3/1). Occurred 1 times.
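Because the two formats differ in field layout, a log collector that matches only one of them will silently drop half of the teardrop events. The following parser is an added example (not part of this article or of ScreenOS) that normalizes both variants into one record, maps the numeric protocol back to a name, and aggregates events per source/destination pair. The protocol-number table, the aggregation function and the sample lines other than the two shown in this article are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Assumed IANA protocol-number mapping for the numeric-format variant.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
PROTO_NUMBERS = {name: num for num, name in PROTO_NAMES.items()}

# Variant 1: TCP/UDP with at least one non-zero port -> "ip:port", protocol by name.
WITH_PORTS = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Teardrop attack! "
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"proto (?P<proto>[A-Za-z]+) \(zone (?P<zone>\S+), ?int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times?\.$"
)

# Variant 2: non-TCP/UDP, or TCP/UDP with both ports zero -> bare IPs, numeric protocol.
NO_PORTS = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Teardrop attack! "
    r"From (?P<src>[\d.]+) to (?P<dst>[\d.]+), "
    r"proto (?P<proto>\d+) \(zone (?P<zone>\S+), ?int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times?\.$"
)


def expected_format(proto_number: int, sport: int, dport: int) -> str:
    """Which variant the device emits, per the rule stated in this article."""
    if proto_number in (6, 17) and (sport != 0 or dport != 0):
        return "with_ports"
    return "no_ports"


def parse_teardrop_log(line: str) -> Optional[dict]:
    """Normalize either teardrop log variant into one record; None if not a teardrop event."""
    m = WITH_PORTS.match(line)
    if m:
        rec = m.groupdict()
        rec["proto"] = rec["proto"].upper()
        rec["proto_number"] = PROTO_NUMBERS.get(rec["proto"])
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["format"] = "with_ports"
    else:
        m = NO_PORTS.match(line)
        if not m:
            return None
        rec = m.groupdict()
        num = int(rec["proto"])
        rec["proto_number"] = num
        rec["proto"] = PROTO_NAMES.get(num, str(num))  # fall back to the raw number
        rec["sport"] = rec["dport"] = None              # ports are absent in this variant
        rec["format"] = "no_ports"
    rec["count"] = int(rec["count"])
    return rec


def aggregate(lines) -> dict:
    """Sum 'Occurred N times' per (src, dst, proto) across both log variants."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_teardrop_log(line.strip())
        if rec:
            totals[(rec["src"], rec["dst"], rec["proto"])] += rec["count"]
    return dict(totals)


# Constructed sample: the two lines from this article plus an ICMP event and a
# non-teardrop filler line that the parser must skip.
SAMPLE_LOG = """\
2012-03-09 17:51:55 system emer 00006 Teardrop attack! From 192.168.1.100 to 192.168.1.10, proto 6 (zone Untrust, int ethernet3/1). Occurred 1 times.
2011-05-31 13:49:06 emer Teardrop attack! From 192.168.1.100:33620 to 192.168.1.10:80, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times.
2012-03-09 17:52:10 system emer 00006 Teardrop attack! From 192.168.1.100 to 192.168.1.10, proto 1 (zone Untrust, int ethernet3/1). Occurred 3 times.
2012-03-09 17:52:11 system notif 00000 Constructed non-teardrop line that the parser should ignore.
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_teardrop_log(line))
    print(aggregate(SAMPLE_LOG.splitlines()))
```

Both regexes tolerate the optional severity and message-ID fields that precede "Teardrop attack!", so the same rules work whether the log is read from the device, from syslog, or from a file export. When correlating, key on the protocol name after normalization rather than on the raw "proto" token, otherwise "6" and "TCP" from the same attacker are counted separately.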
Modification History:
2019-08-27: Article reviewed for accuracy.  No changes.