Source: cve@mitre.org
Teardrop IP denial of service.
Teardrop is a classic denial-of-service (DoS) attack that exploits a vulnerability in how some operating systems handle fragmented IP packets. By sending a series of malformed fragmented packets, attackers can cause the target system to crash or become unresponsive, leading to a disruption of service. This vulnerability is particularly dangerous because it can be exploited with relatively simple tools and can have a significant impact on network availability.
Step 1: Packet Fragmentation: The attacker crafts a series of IP packets. These packets are intentionally fragmented into multiple smaller packets.
Step 2: Malformed IP Headers: Within the fragmented packets, the attacker manipulates the IP header fields, specifically the fragment offset and identification fields, so that the offsets overlap or are otherwise inconsistent and the reassembly process on the target will fail.
Step 3: Packet Transmission: The attacker sends the malformed fragmented packets to the target system.
Step 4: Reassembly Attempt: The target system receives the fragmented packets and attempts to reassemble them into the original IP packet.
Step 5: Exploitation Trigger: Due to the malformed headers, the reassembly process fails. This can lead to a variety of outcomes, including a system crash, resource exhaustion (CPU, memory), or the system becoming unresponsive.
Teardrop exploits a flaw in the reassembly of fragmented IP packets. The vulnerability stems from incorrect handling of the fragment offset and identification fields within the IP header. Specifically, the attacker crafts fragmented IP packets with overlapping or malformed fragment offsets; when the target system attempts to reassemble them, it hits an error condition that leads to a system crash or resource exhaustion. The root cause is the lack of proper validation of the fragment offset and length fields during reassembly, which results in a buffer overflow or other memory corruption. The outcome is a denial of service through a crash or exhaustion of system resources.
While not directly associated with specific APTs in recent years due to its age and the prevalence of patches, the simplicity of the exploit makes it a potential tool for any attacker. It could be used as part of a larger DoS campaign. CISA KEV: Not listed.
Network Intrusion Detection Systems (NIDS) can be configured to detect malformed IP fragments, specifically those with overlapping or inconsistent offsets.
Packet capture and analysis tools (e.g., Wireshark, tcpdump) can be used to examine network traffic for suspicious fragmented packets.
Host-based intrusion detection systems (HIDS) may detect system crashes or unusual resource consumption patterns that could be indicative of a Teardrop attack.
System logs can be monitored for errors related to packet reassembly, which may indicate an attack in progress.
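The following Python example is added here to illustrate both the reassembly flaw described in Steps 1 to 5 and the detection approach above; it is not code from the CVE entry or any vendor's network stack. It decodes the IPv4 fields that reassembly depends on (identification, more-fragments flag, 13-bit fragment offset, total length), tracks each fragment as a byte range, and rejects any fragment that overlaps an already accepted one or that cannot fit inside a maximum-size datagram. The addresses, identification values and packet bytes are constructed in memory for the example only; no traffic is sent.

```python
import struct

# Constructed addresses for the sample packets below (not from the original page).
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])
MAX_DATAGRAM = 65535          # largest IPv4 datagram; no fragment may extend past it
MF_FLAG = 0x2000              # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF          # 13-bit fragment offset, in units of 8 bytes


def build_ipv4(src, dst, ident, offset_units, more_fragments, payload):
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero)
    followed by payload. Used only to construct in-memory samples."""
    total_length = 20 + len(payload)
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, ident, flags_frag,
                         64, 17, 0, src, dst)
    return header + payload


def parse_ipv4(packet):
    """Decode the header fields that matter for reassembly and reject
    packets whose length fields do not agree with each other."""
    if len(packet) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_length, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_length < ihl or total_length > len(packet):
        raise ValueError("inconsistent header lengths")
    return {
        "key": (src, dst, ident, proto),      # datagram this fragment belongs to
        "mf": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & OFFSET_MASK) * 8,
        "payload_len": total_length - ihl,
    }


def audit_fragments(packets):
    """Validate fragments the way a hardened reassembler (or a NIDS rule) should.

    Returns a list of (packet_index, reason) for every fragment that must be
    dropped. Fragments of the same datagram are tracked as byte ranges, so an
    overlap with an already accepted fragment is caught before any copying."""
    accepted = {}   # key -> list of (start, end) byte ranges already accepted
    findings = []
    for i, pkt in enumerate(packets):
        try:
            f = parse_ipv4(pkt)
        except ValueError as err:
            findings.append((i, str(err)))
            continue
        if not f["mf"] and f["offset"] == 0:
            continue                                 # not fragmented at all
        start = f["offset"]
        end = start + f["payload_len"]
        if end > MAX_DATAGRAM:
            findings.append((i, "fragment extends past maximum datagram size"))
            continue
        if f["mf"] and f["payload_len"] % 8 != 0:
            findings.append((i, "non-final fragment length not a multiple of 8"))
            continue
        ranges = accepted.setdefault(f["key"], [])
        if any(s < end and start < e for s, e in ranges):
            findings.append((i, "overlapping fragment"))
            continue
        ranges.append((start, end))
    return findings


# Constructed sample traffic. SANE_FRAGMENTS is a well-formed two-fragment
# datagram: bytes 0-23, then bytes 24-31. OVERLAPPING_FRAGMENTS shows the
# Teardrop pattern: the second fragment claims to start at byte 16, inside the
# first fragment, and ends before the first fragment does. OVERSIZED_FRAGMENTS
# has an offset/length pair that would run past a 65535-byte datagram.
SANE_FRAGMENTS = [
    build_ipv4(SRC, DST, 0x1234, 0, True, b"A" * 24),
    build_ipv4(SRC, DST, 0x1234, 3, False, b"B" * 8),
]
OVERLAPPING_FRAGMENTS = [
    build_ipv4(SRC, DST, 0x1234, 0, True, b"A" * 24),
    build_ipv4(SRC, DST, 0x1234, 2, False, b"B" * 4),
]
OVERSIZED_FRAGMENTS = [
    build_ipv4(SRC, DST, 0x5678, 8191, False, b"C" * 16),
]

if __name__ == "__main__":
    for name, sample in [("sane", SANE_FRAGMENTS),
                         ("overlapping", OVERLAPPING_FRAGMENTS),
                         ("oversized", OVERSIZED_FRAGMENTS)]:
        print(name, audit_fragments(sample) or "no findings")
```

The key design point is that every fragment is reduced to a half-open byte range before it is accepted, and the overlap test compares that range against every fragment already held for the same (source, destination, identification, protocol) tuple. A reassembler that instead trusts the offset and subtracts it from the previous fragment's end is exactly the kind of code the original bug lived in; the same range check is what a NIDS rule for "overlapping or inconsistent offsets" has to implement.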
Ensure that all systems are running up-to-date operating systems and network stacks, as most modern systems have patched the vulnerability.
Implement network firewalls that can filter malformed IP fragments.
Configure intrusion detection and prevention systems (IDS/IPS) to detect and block Teardrop-style attacks.
Regularly audit network traffic for suspicious packet fragmentation patterns.
Consider implementing rate limiting on network traffic to mitigate the impact of DoS attacks.