What is a Tear Drop Attack?

In a denial-of-service (DoS) teardrop attack, a client sends a malformed information packet to a machine and exploits the error that occurs when the packet is reassembled, resulting in degraded server performance.

What Is a Teardrop Attack?

A teardrop attack is a type of denial-of-service (DoS) attack, that is, an attack that attempts to make a computer resource unavailable by flooding a network or server with requests and data. The attacker sends fragmented packets to the target server, and in some cases where there’s a TCP/IP vulnerability, the server is unable to reassemble the packet, causing overload.

Why Are Teardrop Attacks Important?

Many organizations still rely on older, obsolete, or unpatched operating systems to run legacy applications that they still need. Such organizations are vulnerable to teardrop attacks that threaten to take down mission-critical applications.

How Does a Teardrop Attack Work?

TCP/IP implementations differ slightly from platform to platform. Some operating systems—especially older versions of Windows and Linux—contain a TCP/IP fragmentation reassembly bug. Teardrop attacks are designed to exploit this weakness. In a teardrop attack, the client sends an intentionally fragmented information packet to a target device. Because the fragments overlap, an error occurs when the device tries to reassemble the packet. The attack takes advantage of that error to cause a fatal crash in the operating system or application that handles the packet.
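
The overlap condition described above can be detected from IPv4 header fields alone, before any reassembly is attempted. The following Python is an added example, not F5 code and not a description of how BIG-IP performs its check; the function names are hypothetical, and the sample packets are constructed in memory using documentation-range addresses.

```python
import struct
from collections import defaultdict

def parse_fragment(packet):
    """Return (datagram key, payload start, payload end, more-fragments flag)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    start = (flags_off & 0x1FFF) * 8      # fragment offset is counted in 8-byte units
    end = start + (total_len - ihl)       # length claimed by the header, exclusive end
    more = bool(flags_off & 0x2000)       # MF bit
    return (src, dst, proto, ident), start, end, more

def find_overlaps(packets):
    """Report (IP id, earlier range, overlapping range) for each overlapping fragment."""
    flows = defaultdict(list)
    for pkt in packets:
        key, start, end, more = parse_fragment(pkt)
        if start or more:                 # skip datagrams that are not fragmented
            flows[key].append((start, end))
    findings = []
    for key, ranges in flows.items():
        ordered = sorted(set(ranges))     # exact duplicates (retransmits) are ignored
        reach = ordered[0]                # fragment extending furthest so far
        for cur in ordered[1:]:
            if cur[0] < reach[1]:         # starts inside bytes already covered
                findings.append((key[3], reach, cur))
            if cur[1] > reach[1]:
                reach = cur
    return findings

def sample_fragment(ident, offset_units, more, payload_len):
    """Constructed test input: IPv4/UDP header fields plus zero payload (checksum 0)."""
    flags_off = (0x2000 if more else 0) | offset_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + bytes(payload_len)

# Constructed samples: id 0x1111 is contiguous (0-24, 24-40); id 0x2222 overlaps.
SAMPLES = [
    sample_fragment(0x1111, 0, True, 24), sample_fragment(0x1111, 3, False, 16),
    sample_fragment(0x2222, 0, True, 32), sample_fragment(0x2222, 2, False, 8),
]

if __name__ == "__main__":
    print(find_overlaps(SAMPLES))
```

A filter built on this check would drop every fragment of a flagged datagram rather than try to reconcile the overlapping ranges.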

How Does F5 Handle Teardrop Attacks?

By default, F5’s BIG-IP Application Delivery Services protect against teardrop attacks by checking incoming packets’ frame alignment and discarding improperly formatted packets. Teardrop packets are therefore dropped, and the attack is prevented before the packets can pass into the protected network.