Why are my Macs triggering TEARDROP OR DERIVATIVE attacks to 224.0.0.251?

Since updating to Yosemite my router is sending security emails every couple of hours saying that "teardrop or derivative DETECTED" from one of our local Macs running Yosemite, targeting multicast address 224.0.0.251, port 5353.


Even when I disable port filtering on my router, I still get these messages. I think my router is factory set to block these types of messages.


The effective result is that my Internet access slows to a halt until I reboot the router.


I read somewhere that this multicast address 224.0.0.251 and port 5353 are related to Bonjour services/iTunes. I wouldn't doubt it if it's also a significant part of the background services to enable handoff.



*note: I'm not a network guy, so I'm just guessing as to the cause. I saw these teardrop messages before Yosemite but not as frequently. I dug deeper only because I'm getting several a day. Thanks if you can offer any solutions for stopping the messages.*

OS X Yosemite (10.10.1), All Macs

Posted on Nov 26, 2014 8:37 AM


Nov 26, 2014 4:16 PM in response to Code Maestro

Sonic,

The Multicast address you are referencing 224.0.0.251 is part of Bonjour. Bonjour is a Multicast DNS protocol for service discovery and advertisement and is a perfectly normal process. Apple's implementation of Bonjour assumes a link-local multicast address (224.0.0.*) that is not supposed to traverse a router but will still be heard on interfaces that process multicast packets.


Search for multicast DNS or Bonjour on wikipedia to learn more about how these protocols work.

While you may have had Bonjour disabled in prior versions of MacOS, it was likely re-enabled to support the Apple Wireless Direct Link (a wireless adapter sub-interface) which requires the Bonjour protocol to advertise services such as AirDrop and AirPlay.

Since you are receiving Teardrop attack notifications on your router, it is safe to assume that internal interfaces are being monitored. I would suggest disabling the deep packet security inspection for internal ethernet and wireless interfaces (or if possible dismiss or disable just the offending signature for your trusted hosts).

Best Regards

Nov 26, 2014 4:42 PM in response to tmclink

Update:

Unfortunately, the DPC3825 (combo Cable Modem/Router) is a fairly basic device in this respect. The service which is generating the errors is called "SPI Firewall" protection, more specifically the "Block Fragmented IP Packets Rule". Your options are basically on or off. That's it.

You generally do want these services on to protect the external interfaces from DDoS attacks. I would recommend reconfiguring your DPC3825 in bridge mode and putting a slightly better router or firewall "in routed mode" between the cable modem and internal network. While it certainly isn't the only choice, the easiest solution might be to go with Apple's Airport Extreme. Or if you desire more configurability many Wireless/Router combos from Linksys (Cisco), Netgear and others offer more granular security configuration.

Best Regards
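The two replies above explain that the router's "Block Fragmented IP Packets Rule" is an on/off switch that treats every fragmented datagram, including a large link-local Bonjour answer to 224.0.0.251:5353, as a "teardrop or derivative". As an added illustration (not code from the thread or from the DPC3825), the classifier below shows the finer check a router could make: it reassembles constructed fragment records per (src, dst, IP ID), flags only groups whose fragment offsets actually overlap (the real teardrop shape), and labels an ordinary fragmented mDNS response as benign. The packet records and the byte-offset convention are assumptions of the example.

```python
from collections import defaultdict

MDNS_GROUP = "224.0.0.251"  # link-local multicast group used by Bonjour/mDNS
MDNS_PORT = 5353

def classify_fragments(records):
    """Group IP fragments by (src, dst, ip_id) and label each datagram.

    Offsets are byte offsets (the real IP header stores them in 8-byte units;
    this example assumes the capture tool already multiplied them out). Only
    the offset-0 fragment carries the UDP header, so later fragments have no
    dst_port.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["ip_id"])].append(r)
    verdicts = {}
    for key, parts in groups.items():
        parts.sort(key=lambda r: r["offset"])
        overlap, end = False, 0
        for r in parts:
            if r["offset"] < end:  # starts inside data already covered
                overlap = True
            end = max(end, r["offset"] + r["length"])
        head = parts[0]
        if overlap:
            verdicts[key] = "overlap"  # teardrop-style signature: alert
        elif len(parts) == 1:
            verdicts[key] = "single"
        elif head["dst"] == MDNS_GROUP and head["dst_port"] == MDNS_PORT:
            verdicts[key] = "mdns-fragmented"  # large Bonjour answer, benign
        else:
            verdicts[key] = "fragmented"
    return verdicts

def alert_keys(records):
    """Return only the datagrams a fragment rule should actually report."""
    return sorted(k for k, v in classify_fragments(records).items() if v == "overlap")

# Constructed sample records (not a real capture).
SAMPLE = [
    # A ~2000-byte Bonjour response from a Mac, split into two clean fragments.
    {"src": "192.168.1.20", "dst": MDNS_GROUP, "ip_id": 0x1A2B, "offset": 0,
     "length": 1480, "more": True, "dst_port": MDNS_PORT},
    {"src": "192.168.1.20", "dst": MDNS_GROUP, "ip_id": 0x1A2B, "offset": 1480,
     "length": 520, "more": False, "dst_port": None},
    # Two fragments whose offsets overlap: the shape the rule is meant to catch.
    {"src": "203.0.113.9", "dst": "192.168.1.1", "ip_id": 0x0042, "offset": 0,
     "length": 36, "more": True, "dst_port": 53},
    {"src": "203.0.113.9", "dst": "192.168.1.1", "ip_id": 0x0042, "offset": 24,
     "length": 12, "more": False, "dst_port": None},
    # An ordinary unfragmented datagram.
    {"src": "192.168.1.20", "dst": "192.0.2.10", "ip_id": 0x0007, "offset": 0,
     "length": 80, "more": False, "dst_port": 443},
]
```

Run against SAMPLE, only the overlapping pair is returned by alert_keys; the Bonjour burst is labelled "mdns-fragmented", which is the distinction the DPC3825's single on/off rule cannot make.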

Nov 27, 2014 8:13 AM in response to Code Maestro

Part of the DOCSIS standard (used by cable modem services and device manufacturers) includes the ability for service providers to force certain settings as part of the profile applied when the device registers. This might be happening with your device. This is why I like to separate the router from the cable modem. If a firmware update doesn't resolve the problem, your cable service provider should honor the request to reconfigure the device in bridge mode. Before you ask them to do so, you should have your new router ready to go.


TIP: You can actually run two routers back to back (i.e. DPC3825(Cable Modem/Router) <-> New Router <-> Internal Hosts) with both routers in routed mode to allow you to test before asking for the cable modem to be reconfigured in bridge mode. This would effectively isolate the multicast traffic from the DPC3825.

