I have an NSA 4650 deployed which recently has been subject to a series of Nestea attacks. Can someone provide some direction on the best and most effective way to mitigate these kinds of attacks?
Answers
Is it the firewall that has been subjected to it, or a device behind it?
Do you have proof this has caused an issue or are you just reading the logs?
See above. Nestea is a type of DoS that is quite old, but I suppose someone could still be trying to use it.
Hi @T_WHITE,
Thank you for visiting SonicWall Community.
I presume you are receiving logs on the SonicWall as "Nestea/Teardrop attack dropped". This type of attack is old and SonicWall has the ability to block it. Please ensure all security services including flood protections and port scan are enabled on the firewall. If you have any inbound rules set to allowed, please ensure they are specifically aligned based on Source IP or Services. Apart from these, you could change the default access rule on the SonicWall from DENY to DISCARD. With Deny, SonicWall sends out an RST reply back to the client that initiates the connection. With DISCARD, SonicWall will just drop it and will not respond back. With Discard, the attacker might not get a response back from the firewall and may stop the attack thinking that nothing is present on the attacking IP address.
Hope this helps.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
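To help answer the question above about whether the logs show a sustained attack or just a stray packet, here is an added Python example (not from SonicWall or any poster in this thread) that triages syslog-style lines carrying the "Nestea/Teardrop attack dropped" message the answer refers to. The sample lines are constructed, and their key=value field names only approximate SonicWall syslog output; they are an assumption, not the appliance's exact schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simplified key=value style that
# approximates SonicWall syslog output; the field names are assumptions.
SAMPLE_LOGS = """\
time="2023-05-01 10:00:01" fw=203.0.113.2 pri=1 msg="Nestea/Teardrop attack dropped" src=198.51.100.7:0:X1 dst=203.0.113.2:0:X1
time="2023-05-01 10:00:02" fw=203.0.113.2 pri=1 msg="Nestea/Teardrop attack dropped" src=198.51.100.7:0:X1 dst=203.0.113.2:0:X1
time="2023-05-01 10:00:03" fw=203.0.113.2 pri=6 msg="Connection Opened" src=192.0.2.10:51515:X1 dst=203.0.113.2:443:X1
time="2023-05-01 10:00:04" fw=203.0.113.2 pri=1 msg="Nestea/Teardrop attack dropped" src=198.51.100.7:0:X1 dst=203.0.113.2:0:X1
time="2023-05-01 10:07:30" fw=203.0.113.2 pri=1 msg="Nestea/Teardrop attack dropped" src=192.0.2.44:0:X1 dst=203.0.113.2:0:X1
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def nestea_events(log_text):
    """Yield (timestamp, source_ip) for every Nestea/Teardrop drop message."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("msg") != "Nestea/Teardrop attack dropped":
            continue
        ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        src_ip = rec["src"].split(":")[0]   # src is ip:port:interface
        yield ts, src_ip

def drops_per_source(log_text):
    """Count dropped Nestea packets per source IP."""
    counts = defaultdict(int)
    for _, src_ip in nestea_events(log_text):
        counts[src_ip] += 1
    return dict(counts)

def noisy_sources(log_text, threshold=3, window_seconds=60):
    """Return source IPs with >= threshold drops inside any window_seconds
    window: a repeating source means the firewall is absorbing a sustained
    attempt, whereas a single drop is usually background noise."""
    per_src = defaultdict(list)
    for ts, src_ip in nestea_events(log_text):
        per_src[src_ip].append(ts)
    flagged = set()
    for src_ip, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src_ip)
                break
    return sorted(flagged)
```

Feed it the exported syslog instead of SAMPLE_LOGS and the flagged list tells you which sources are worth tightening inbound rules against, per the answer above.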