
Introduction
A single teardrop can seem insignificant on its own, but a flood of tears is a clear indicator of serious distress. The same can be said for a teardrop distributed-denial-of-service (DDoS) attack.
A teardrop DDoS attack starts by taking advantage of a small bug in the code of older operating systems to deliberately manipulate how data is transmitted. While this may sound innocuous, when a targeted system is flooded with manipulated data, the pain to the organization can be devastating.
Updating systems and network devices to newer operating system versions fixes the problem so that organizations are no longer vulnerable to such attacks. However, that can be easier said than done for organizations with resource constraints that prevent them from being able to update legacy applications they still need, or if an older device is still connected to the network without their knowledge.
In this blog, we’ll dig into how teardrop attacks unfold and the impact this type of DDoS attack can have on organizations. We’ll also offer guidance on how to detect and protect against this cyber threat.
How Teardrop Attacks Work
Every network link has a limit on how much data it can carry in a single packet, known as the Maximum Transmission Unit (MTU). When a packet larger than the MTU must be transferred, the data undergoes the following process:
Fragmentation. The device sending the data breaks the data packet into smaller, distinct fragments.
Transmission. Each fragment carries its own header, whose identification and fragment-offset fields tell the receiver where the fragment belongs in the original packet, and the fragments are sent to the receiver.
Reassembly. The receiving device waits for all the fragments to arrive and then reassembles them.
Teardrop DDoS attacks are a type of fragmentation attack in which a threat actor exploits a bug in the TCP/IP stack's fragment reassembly code. The attacker deliberately manipulates the fragmentation process so that the offsets of the fragments overlap slightly before they are sent. Because overlapping fragments cannot be fitted together in a consistent order, the receiving device is unable to verify the order and reassemble them, and when a large volume of overlapping fragments arrives the server becomes overloaded.
The Impact of Teardrop Attacks
A teardrop attack is designed to confuse the system or server so that it can’t complete the reassembly process. The receiving device pauses for some time as it waits for a data packet that doesn’t contain an overlap. Packets start to mount, server performance suffers, and the device eventually crashes – bringing down the network and disrupting business as usual.
Employees and customers can’t access the resources they need, which results in lost productivity and revenue. Ultimately, the impact on an organization can include operational costs to mitigate and deal with the aftermath of an attack, as well as reputational damage.
Detecting Teardrop Attacks
Older Windows and Linux operating systems contain the bug that makes them particularly susceptible to teardrop DDoS attacks. The following signs can help organizations detect these attacks so that they can take steps to protect network integrity and prevent service disruptions.
System Instability
Teardrop attacks can cause target systems to become unstable, leading to unresponsiveness or crashes. If computers frequently crash or freeze, or applications or services start to behave strangely, these could be signs of a teardrop attack.
Network Degradation or Outages
Teardrop attacks can congest the network and slow down performance with a flood of improperly fragmented packets. Legitimate users have trouble accessing network resources and become frustrated. Ultimately, if a network outage occurs, services or applications are completely unavailable.
System Logs and Error Messages
Teardrop attacks create unusual volumes and/or patterns of fragmented packets. System logs can record this anomalous activity and trigger error messages that may indicate a teardrop attack.
Mitigating and Preventing Teardrop Attacks
Fortunately, current operating systems, devices, and networks don’t contain the reassembly bug that threat actors exploit to launch teardrop attacks. However, organizations that still use older versions of systems and servers remain vulnerable.
There are several best practices and tools security teams can use to mitigate and prevent teardrop attacks.
Tools and Techniques for Identification
- Use packet inspection tools to analyze traffic for anomalous activity and send alerts when needed.
- Configure intrusion detection systems (IDS) to recognize teardrop attacks and block and/or alert teams to them.
- Deploy network monitoring tools to understand baseline traffic patterns and continuously monitor for anomalous behavior that could indicate a teardrop attack.
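The following Python script is an added example and is not code from the original post or from any product it refers to. It reproduces the fragmentation and reassembly steps described under "How Teardrop Attacks Work", then implements the packet-inspection check the first bullet above calls for: a reassembler that refuses any datagram whose fragments overlap or extend past the maximum IPv4 datagram size, and records an alert instead of trying to piece the fragments together. The addresses, identification values and packet bytes are constructed sample traffic, and the hardened reassembler illustrates the check rather than any particular operating system's implementation.

```python
import socket
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"          # 20-byte IPv4 header without options
IPV4_HDR_LEN = struct.calcsize(IPV4_HDR)
MF_FLAG = 0x2000                    # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF                # 13-bit fragment offset, counted in 8-octet units
MAX_DATAGRAM = 65535                # largest IPv4 datagram that can legitimately exist


def build_fragment(src, dst, ident, offset, more, payload, proto=17):
    """Encode one IPv4 fragment. `offset` is in bytes and must be a multiple of 8.
    The header checksum is left at zero; a real stack fills it in before sending."""
    if offset % 8 or offset // 8 > OFFSET_MASK:
        raise ValueError("fragment offset must be a multiple of 8 not above 65528")
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    header = struct.pack(IPV4_HDR, 0x45, 0, IPV4_HDR_LEN + len(payload), ident,
                         flags_off, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def fragment(payload, mtu, ident, src="10.0.0.1", dst="10.0.0.2"):
    """Split `payload` into IPv4 fragments that each fit within `mtu` (RFC 791):
    every fragment except the last carries a multiple of 8 payload bytes."""
    step = (mtu - IPV4_HDR_LEN) // 8 * 8
    if step <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        frags.append(build_fragment(src, dst, ident, off, off + step < len(payload), chunk))
    return frags


def parse_fragment(pkt):
    """Decode the fields a reassembler needs from one IPv4 fragment."""
    f = struct.unpack(IPV4_HDR, pkt[:IPV4_HDR_LEN])
    ihl = (f[0] & 0x0F) * 4
    return {
        # fragments of one datagram share source, destination, identification and protocol
        "key": (socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[3], f[6]),
        "offset": (f[4] & OFFSET_MASK) * 8,
        "more": bool(f[4] & MF_FLAG),
        "payload": pkt[ihl:f[2]],
    }


class SafeReassembler:
    """Reassembles fragments, but discards any datagram whose fragments overlap
    (the condition the vulnerable reassembly code mishandles) and records an alert."""

    def __init__(self):
        self.pending = defaultdict(list)   # key -> [(offset, payload), ...]
        self.total = {}                    # key -> datagram length, known once MF=0 arrives
        self.alerts = []

    def _drop(self, key, reason):
        self.alerts.append((key, reason))
        self.pending.pop(key, None)
        self.total.pop(key, None)

    def feed(self, pkt):
        """Accept one fragment; return the reassembled payload when a datagram completes."""
        frag = parse_fragment(pkt)
        key, start, data = frag["key"], frag["offset"], frag["payload"]
        end = start + len(data)
        if end > MAX_DATAGRAM:
            self._drop(key, f"fragment ends at {end}, beyond the maximum datagram size")
            return None
        for s, p in self.pending[key]:
            if s == start and p == data:
                return None                 # exact retransmit: harmless, ignore
            if start < s + len(p) and s < end:
                self._drop(key, f"fragment {start}-{end} overlaps fragment {s}-{s + len(p)}")
                return None
        self.pending[key].append((start, data))
        if not frag["more"]:
            self.total[key] = end
        # with overlaps excluded, the datagram is complete exactly when the fragment
        # lengths add up to the length fixed by the final (MF=0) fragment
        if key in self.total and sum(len(p) for _, p in self.pending[key]) == self.total[key]:
            datagram = b"".join(p for _, p in sorted(self.pending[key]))
            del self.pending[key], self.total[key]
            return datagram
        return None


def scan(packets):
    """Run a batch of fragments through the reassembler: (completed datagrams, alerts)."""
    r = SafeReassembler()
    datagrams = [d for d in map(r.feed, packets) if d is not None]
    return datagrams, r.alerts


# Constructed sample traffic (not captured data): a benign 100-byte datagram split
# for a 60-byte MTU, two fragments whose byte ranges overlap, and one fragment
# whose offset plus length runs past the end of any possible datagram.
BENIGN_PAYLOAD = bytes(range(100))
BENIGN_FRAGMENTS = fragment(BENIGN_PAYLOAD, mtu=60, ident=1)
OVERLAPPING_FRAGMENTS = [
    build_fragment("10.0.0.9", "10.0.0.2", 2, 0, True, b"\x00" * 40),
    build_fragment("10.0.0.9", "10.0.0.2", 2, 24, False, b"\x00" * 40),  # starts inside the first
]
OVERSIZED_FRAGMENTS = [build_fragment("10.0.0.9", "10.0.0.2", 3, 65528, False, b"\x00" * 40)]

if __name__ == "__main__":
    print(scan(BENIGN_FRAGMENTS)[0][0] == BENIGN_PAYLOAD, scan(OVERLAPPING_FRAGMENTS)[1])
```

The detector works in either direction of delivery, because completeness is decided by the sum of the accepted fragment lengths rather than by arrival order. A production inspector would additionally expire incomplete datagrams after a timeout, so that a flood of fragments that never complete cannot hold memory indefinitely, which is the resource-exhaustion side of the attack the article describes.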
Network Security Measures
- Update older operating systems and network devices since newer versions of Windows and Linux have addressed the vulnerability that teardrop attacks exploit.
- Configure network firewalls to filter and block suspicious packets, including packets that have malformed fragments.
- Set ingress and egress filtering rules to prevent packets with abnormal or conflicting values from entering or leaving the network.
- Raise the MTU on the network as high as its links support, to reduce the need for fragmentation.
Security Software and Solutions
- Configure intrusion prevention systems (IPS) to recognize teardrop attacks and automatically block them.
- Use anti-malware software to prevent follow-on attacks that can occur if a threat actor uses a teardrop attack as a distraction while they engage in additional malicious activity.
- Conduct security audits and penetration testing to identify vulnerabilities in the network so teams can proactively address them before they are exploited.
- Deploy a proven DDoS protection solution to maintain uninterrupted service availability even in the midst of a DDoS attack, stay ahead of emerging threats, and protect against follow-on threats to the organization.
Conclusion
A teardrop attack is a type of fragmentation DDoS attack that takes advantage of a vulnerability in older operating systems to prevent them from seamlessly handling packet reassembly. Packets start to mount and then the targeted system crashes, bringing down the network. Employees and customers can’t access the resources they need, which results in lost productivity and revenue.
Fortunately, modern operating systems, devices, and networks don’t have this vulnerability. That said, if devices aren’t up to date, a teardrop attack can negatively impact organizations and legitimate users that rely on the network for services. Teardrop attacks can also be used as a decoy to launch other types of attacks and cause additional damage.
There are several best practices and technologies to mitigate and prevent teardrop attacks, including tools and techniques to detect an attack, and network security and software measures to mitigate it.
However, the most effective way to protect against a range of DDoS attacks, including teardrop attacks, is by implementing an advanced DDoS protection solution that provides uninterrupted service availability even in the midst of an attack. When coupled with AI-assisted threat intelligence, it continually learns from new data and adapts in real time to keep defenses sharp, and also defends against follow-on attacks. Visit our threat intelligence research center for more information on DDoS defense in depth.
FAQ
A teardrop attack is a DDoS attack that takes advantage of a vulnerability in older operating systems that prevents them from seamlessly handling packet reassembly.
Teardrop attacks are a type of fragmentation attack where a threat actor uses fragmentation mechanisms to overwhelm a network device. The threat actor takes advantage of a bug in the fragmentation reassembly code to create a slight overlap in the packets. The overlap prevents the receiving device from being able to reassemble the packets. When a lot of fraudulent packets are sent, the server eventually crashes.
Teardrop attacks cause targeted systems to become unstable, leading to unresponsiveness or crashes. Networks become congested and performance slows down. Ultimately, legitimate users can’t access the applications and services they need, which negatively impacts productivity, revenue, and reputation.
To protect themselves from teardrop attacks, organizations can use best practices and technologies, including:
- Conducting security audits and penetration testing to identify vulnerabilities
- Updating old operating system versions
- Implementing security tools such as IDS/IPS solutions, network monitoring tools, firewalls, and DDoS protection solutions
Fortunately, the bug in the code has been fixed so modern operating systems aren’t susceptible to teardrop attacks.
Yes. Purpose-built DDoS protection solutions can provide uninterrupted service availability even during a teardrop DDoS attack. When coupled with real-time intelligence to stay ahead of emerging threats, advanced DDoS protection can also defend against other malicious activity that can harm an enterprise, such as data breaches and ransomware attacks.