F5 GLOSSARY

What is a Teardrop Attack?

 

In a denial-of-service (DoS) teardrop attack, a client sends a malformed information packet to a machine and exploits the error that occurs when the packet is reassembled resulting in degraded server performance.

What is a teardrop attack?

A teardrop attack is a type of denial-of-service (DoS) attack (an attack that attempts to make a computer resource unavailable by flooding a network or server with requests and data.) The attacker sends fragmented packets to the target server, and in some cases where there’s a TCP/IP vulnerability, the server is unable to reassemble the packet, causing overload. 

How does a teardrop attack work?

TCP/IP implementations differ slightly from platform to platform. Some operating systems—especially older versions of Windows and Linux— contain a TCP/IP fragmentation reassembly bug. Teardrop attacks are designed to exploit this weakness.

In a teardrop attack, the client sends an intentionally fragmented information packet to a target device. Since the packets overlap, an error occurs when the device tries to reassemble the packet. The attack takes advantage of that error to cause a fatal crash in the operating system or application that handles the packet.

Why are teardrop attacks important?

Many organizations still rely on older, obsolete, or unpatched operating systems to run legacy applications that they still need. Such organizations are vulnerable to teardrop attacks that threaten to take down mission-critical applications.

How does F5 handle teardrop attacks?

By default, F5’s BIG-IP Application Delivery Services protect against teardrop attacks by checking incoming packets’ frame alignment and discarding improperly formatted packets. Teardrop packets are therefore dropped, and the attack is prevented before the packets can pass into the protected network.


< Return to the glossary

 

RELATED RESOURCES

What is a Distributed Denial-of-Service Attack?

DDoS Protection

Concept of F5 Device DoS and DoS Profiles