> I'm a bit puzzled. Quoting Wikipedia "A Teardrop attack involves
> sending mangled IP fragments with overlapping, over-sized payloads to
> the target machine." The goal is to trip bugs in the operating system's
> IP fragment re-assembly code that can cause the machine to crash.
>
> The vulnerable Windows versions are Windows 3.1, Windows 95, and NT4,
> and Linux kernels older than 2.0.32 and 2.1.63.
>
> Is the client machine configured to send jumbograms?

Trying to collect that information now, waiting on user response. 90% of our users are on Windows XP, 5% Mac. This particular user would be unlikely to customize settings.

> Is there some other reason that packets are being fragmented?

Don't know yet if this could be a factor but the user was connecting through a Juniper VPN. Will dig deeper.

> Given that the machines that are vulnerable to the attack
> are so old, is there still a reason to turn on this protection
> in the firewall?

I was unaware of the target of teardrop attacks; it sounds like unnecessary filtering. Will make that pitch to the firewall folks.

--david
