Skip to main content

What is a Teardrop attack, and how to prevent them

A DDoS teardrop attack in progress.

A teardrop attack is a type of Denial-of-Service (DoS) attack that uses fragmented packets of data to flood a victim’s server or network. As the server is unable to reassemble the packets, this causes an overload and a consequent shutdown of the system.

Teardrop attacks usually target servers that have an existing TCP/IP vulnerability. Ultimately, they exploit how IP packets are fragmented and reassembled to evade traditional security controls on a local server or a network. Given that many organizations often run unpatched or outdated systems software, teardrop attacks are well-placed to exploit these vulnerabilities. As a result, teardrop attacks are more common in local governments, hospitals and small banks, especially those who use very old operating systems (such as Windows 95 or older).

This guide explores teardrop attacks in detail, including what they are, how they work and how to defend against them, so that you can minimize your risk of falling victim to them – or similar attacks – in the future.

Where have Teardrop attacks come from?

Imagine you're going about your day, working from home (or in the office), minding your own business and then, suddenly, your local machine shuts down without warning. Or perhaps your local network is cut off across your office space and you're unable to access any of the local data that you need. This is what happens during Denial-of-Service and Distributed Denial-of-Service attacks.

As irritating as they are potentially serious, DDoS cyberattacks are not uncommon in the US. In September 2017, Google (and a large part of its digital infrastructure) was the victim of six months’ worth of these attacks, reaching a size of 2.54 terabits per second. GitHub was a victim in both 2015 and 2018, and even AWS saw an attack in 2020 that reached 2.3 terabits per second.

Unfortunately for the average user today, DDoS and DoS attacks come in a variety of different forms. Since their initial arrival, these attacks have evolved significantly, as with much of the cybersecurity landscape over the last 20 years. One of the most difficult to catch is arguably the teardrop attack. Named for its incremental approach, a successful teardrop attack could leave your computer (or the system that it’s connected to) completely wiped out and unresponsive if you’re not careful.

How Does a Teardrop Attack Work?

The average digital system is built to handle a certain amount of data coming in all at the same time. As a result, data, or network traffic, is often broken down into smaller pieces and then tagged with a specific number in something known as the fragment offset field. Re-arranging them in the correct order once they arrive is the usual state of affairs when there is no attack.

However, during a teardrop attack, the cybercriminal injects a flaw into the fragment offset field, which disrupts the resequencing process. As a result, your system gathers a large collection of corrupt fragmented data that can’t be properly reassembled. Unfortunately, your system simply overloads and crashes without (adequate) warning.

Examples of Teardrop attacks

Over the years, there have been several notable attacks on large systems that many people in the cybersecurity industry might be familiar with. These include (and are by no means limited to):

  • Windows NT and 95: teardrop attacks first had a major impact across Windows 3.1x, NT and 95 in the late 1990s, driving Microsoft to release a patch to close off the vulnerability in response to many cases of system failure.
  • Home systems: these types of attacks were frequent on both legacy Windows and Linux systems, mainly found in Windows 95 and Linux kernels prior to 2.1.63.
  • Android/Rowhammer: an attack similar in nature to a teardrop attack known as RAMpage threatened every Android device released between 2012 and 2018.

Teardrop Attack prevention

There are several different ways to prevent a teardrop attack on your network or local system. The below cybersecurity advice will work for a number of different digital threats and malware, not just teardrop attacks.

Update Your OS

First of all, we recommend updating all of your software and your operating system and making sure to download all of the available security patches from the relevant developers. As previously explained, system vulnerabilities are the usual entry vector for teardrop attacks, so this is an easy way to protect your local machine and broader network.

Port blocking

If you’re unable to patch your old software or mission-critical applications, one of the best ways to prevent teardrop attacks is by disabling ports 139 and 445. By doing this, you’ll be blocking any potentially dangerous server messages in the systems that weren’t able to receive the security updates from their vendors.

Activate your firewall

One of the simplest ways to prevent a teardrop attack (and to protect your local machine in general) is to make sure you have a reputable and comprehensive firewall or cybersecurity solution installed on your machine or network. We recommend using our dedicated security software Kaspersky Premium, which can offer you an unbreakable firewall, regular updates, and consistent help and support.

FAQs

What is a Teardrop Attack?

A teardrop attack is a Denial-of-Service (DOS) attack that floods a user's system with flawed, fragmented data packets until the system (or network) crashes and shuts down. Sometimes known as Teardrop DDoS attacks, Teardrop attacks usually target servers that have an existing TCP/IP vulnerability and legacy software.

Recommended Articles and Links:

Recommended products:

What is a Teardrop attack, and how to prevent them

Some Denial-of-Service (DOS) attacks can be worse than others with teardrop attacks as potentially the worst. Find out what they are and how to prevent them.
Kaspersky logo

Featured posts