Recently one of our data site managers reported that
a "teardrop attack" had occurred against one of our
AFS file servers, as reported by the firewall,
and wanted us to check to make sure that nothing had
been compromised on the server.

About two years ago one of our offices had the peculiar
issue of not being able to copy large files into AFS
("large" not being well-defined). After much debugging
we discovered that the local office firewall was seeing
sustained AFS traffic as a teardrop attack, and would
then automatically block the connection. The file
copy would time out, and the firewall seeing a reduced
level of traffic would decide that the attack had ended
and would reopen the connection. Copying small files did
not trigger a firewall response.

Armed with this experience we quickly confirmed that in
fact the teardrop attack was simply an AFS user. In this
case the firewall equipment is a Juniper ISG2000. We have
been told that there is no tuning available for teardrop
attack filtering; it is either enabled or disabled for
the entire network.

Just wanted to report this in case somebody else
bumps into a similar issue.

-- David Boldt
<[email protected]>
"People who get nostalgic about childhood were obviously never
children."
--Bill Watterson (Calvin and Hobbes)