Description of Teardrop
This DoS attack affects Windows 3.1, 95 and NT machines. It
also affects Linux versions prior to 2.0.32 and 2.1.63.
Teardrop is a program that sends IP fragments to a machine connected to the
Internet or a network. Teardrop exploits an overlapping IP fragment bug
present in Windows 95, Windows NT and Windows 3.1 machines. The bug causes
the TCP/IP fragmentation re-assembly code to improperly handle
overlapping IP fragments. This attack has not been shown to cause any significant
damage to systems, and a simple reboot is the preferred remedy. It should be noted,
though, that while this attack is considered to be non-destructive, any unsaved data
in open applications at the time that the machine is attacked will be lost.
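Added example (not part of the original page or of any tool it mentions): a defender-side
check in Python that reads IPv4 headers and reports fragments of the same datagram whose
payload byte ranges overlap, the condition the vulnerable re-assembly code mishandles.
The function names, the 192.0.2.x addresses and the sample headers are constructed for illustration.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, options not unpacked

def parse_fragment(pkt):
    """Return (flow_key, start, end, fragmented) for one raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    start = (flags_off & 0x1FFF) * 8        # fragment offset is in 8-byte units
    end = start + (total_len - ihl)         # one past the last payload byte
    fragmented = (flags_off & 0x3FFF) != 0  # MF flag set or non-zero offset
    return (src, dst, proto, ident), start, end, fragmented

def find_overlaps(packets):
    """Return (flow_key, earlier_range, later_range) for every overlapping pair."""
    seen = defaultdict(list)
    alerts = []
    for pkt in packets:
        key, start, end, fragmented = parse_fragment(pkt)
        if not fragmented:
            continue                        # whole datagram, nothing to reassemble
        for s, e in seen[key]:
            if start < e and s < end:       # half-open ranges intersect
                alerts.append((key, (s, e), (start, end)))
        seen[key].append((start, end))
    return alerts

def _hdr(ident, offset, payload_len, more):
    """Constructed sample: header only, zero checksum, UDP protocol number."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

SAMPLE = [
    _hdr(1, 0, 16, True), _hdr(1, 16, 16, False),  # contiguous fragments
    _hdr(3, 0, 100, False),                        # unfragmented datagram
    _hdr(2, 0, 24, True), _hdr(2, 16, 16, False),  # bytes 16-23 claimed twice
]

if __name__ == "__main__":
    for key, first, second in find_overlaps(SAMPLE):
        print("overlap in datagram id", key[3], first, second)
```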
Symptoms of Attack
When a Teardrop attack is run against a machine, it will
crash (on Windows machines, a user will likely experience the Blue Screen of Death),
or reboot. If you have protected yourself from the
ssping DoS attacks and you still crash, then
the mode of attack is probably teardrop or
land. If you are using IRC, and your machine
becomes disconnected from the network or Internet, but does
not crash, the mode of attack is probably
How can I fix this vulnerability?
If you are experiencing Teardrop attacks on a Windows-based system,
visit Windows Central's
Teardrop page, or EFnet's DoS Information Page
to learn how to defend against this attack. If you are experiencing
attacks on a Linux-based system, upgrade to version 2.0.32 / 2.1.63 or later.
Where can I read more about this?
The Teardrop attack is fairly well documented. Rootshell's
Teardrop page provides detailed technical specifications for the Teardrop program,
as well as the source code. For a general overview of both the Teardrop and
land DoS attacks, read
CERT Advisory 97.28. Other very good sources for information on Teardrop, and
other DoS attacks, include Ozemail's DoS Site,
IRChelp's DoS Site and
CERT's Advisory Site. In addition to the links listed above, a simple search of the Web,
using Infoseek or Yahoo, should reveal a wealth of information on the Teardrop attack.