Description of Teardrop

This DoS attack affects Windows 3.1, 95 and NT machines. It also affects Linux versions previous to 2.0.32 and 2.1.63.

Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. Teardrop exploits an overlapping IP fragment bug present in Windows 95, Windows NT and Windows 3.1 machines. The bug causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments. This attack has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. It should be noted, though, that while this attack is considered to be non-destructive, it could cause problems if there is unsaved data in open applications at the time that the machine is attacked. The primary problem with this is a loss of data.

Symptoms of Attack

When a Teardrop attack is run against a machine, it will crash (on Windows machines, a user will likely experience the Blue Screen of Death), or reboot. If you have protected yourself from the winnuke and ssping DoS attacks and you still crash, then the mode of attack is probably teardrop or land. If you are using IRC, and your machine becomes disconnected from the network or Internet, but does not crash, the mode of attack is probably click.

How can I fix this vulnerability?

If you are experiencing teardrop attacks on a Windows based system, visit Windows Central's teardrop page, or EFnet's DoS Information Page to learn how to defend against this attack. If you are experiencing attacks on a Linux based system, upgrade to version 2.0.32 / 2.1.63 or later.

Where can I read more about this?

The Teardrop attack is fairly well documented. Rootshell's Teardrop page provides detailed technical specifications for the Teardrop program, as well as the source code. For a general overview of both the Teardrop and land DoS attacks, read CERT Advisory 97.28. Other very good sources for information on Teardrop, and other DoS attacks, include Ozemail's DoS Site, IRChelp's DoS Site and CERT's Advisory Site. In addition to the links listed above, a simple search of the Web, using Infoseek or Yahoo, should reveal a wealth of information on the Teardrop attack.