What is a Teardrop attack, and how to prevent them

A DDoS teardrop attack in progress.

A teardrop attack is a type of Denial-of-Service (DoS) attack that floods a victim's server or network with deliberately malformed fragments of IP packets. Because the server cannot reassemble the fragments into valid datagrams, the reassembly logic is overloaded and the system crashes or shuts down.

Teardrop attacks usually target servers that have an existing TCP/IP vulnerability. Ultimately, they exploit how IP packets are fragmented and reassembled in order to evade traditional security controls on a local server or network. Given that many organizations still run unpatched or outdated system software, teardrop attacks are well placed to exploit these weaknesses. As a result, teardrop attacks are more common in local governments, hospitals and small banks, especially those that run very old operating systems (such as Windows 95 or older).

This guide explores teardrop attacks in detail, including what they are, how they work and how to defend against them, so that you can minimize your risk of falling victim to them – or similar attacks – in the future.

Where have Teardrop attacks come from?

Imagine you're going about your day, working from home (or in the office), minding your own business and then, suddenly, your local machine shuts down without warning. Or perhaps your local network is cut off across your office space and you're unable to access any of the local data that you need. This is what happens during Denial-of-Service and Distributed Denial-of-Service attacks.

As irritating as they are potentially serious, DDoS cyberattacks are not uncommon in the US. In September 2017, Google (and a large part of its digital infrastructure) was the victim of six months’ worth of these attacks, reaching a size of 2.54 terabits per second. GitHub was a victim in both 2015 and 2018, and even AWS saw an attack in 2020 that reached 2.3 terabits per second.

Unfortunately for the average user today, DDoS and DoS attacks come in a variety of different forms. Since their initial arrival, these attacks have evolved significantly, as with much of the cybersecurity landscape over the last 20 years. One of the most difficult to catch is arguably the teardrop attack. Named for its incremental approach, a successful teardrop attack could leave your computer (or the system that it’s connected to) completely wiped out and unresponsive if you’re not careful.

How Does a Teardrop Attack Work?

The average digital system is built to handle only a certain amount of data arriving at the same time. As a result, data, or network traffic, is broken down into smaller pieces, and each piece is tagged with a number in the IP header's fragment offset field that says where it belongs in the original packet. In normal operation, the receiver uses these offsets to put the fragments back in the correct order once they arrive.

During a teardrop attack, however, the cybercriminal deliberately corrupts the fragment offset fields so that the fragments no longer fit together, which disrupts the resequencing process. Your system accumulates a growing collection of corrupt fragments that cannot be properly reassembled, and without an adequate check it simply overloads and crashes without warning.
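To make the reassembly step concrete, here is an added example in Python (not code from the original article): it parses the fragmentation fields of IPv4 headers and applies the checks a hardened receiver performs before reassembling, so that fragments whose offsets overlap are dropped rather than stitched together. All packets, identifiers and addresses below are constructed for this example.

```python
"""Parse IPv4 fragment headers and classify a fragment set before reassembly.
The packets at the bottom are constructed sample data for this example."""
import struct
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int    # Identification field: groups fragments of one datagram
    offset: int   # byte offset of this fragment's payload in the datagram
    more: bool    # MF flag: True on every fragment except the last
    length: int   # payload bytes carried by this fragment


def parse_ipv4_fragment(pkt: bytes) -> Fragment:
    """Extract the fragmentation fields from an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, _proto, _csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    more = bool(flags_off & 0x2000)     # bit 13 of the flags/offset word is MF
    offset = (flags_off & 0x1FFF) * 8   # low 13 bits, counted in 8-byte units
    return Fragment(ident, offset, more, total_len - ihl)


def build_ipv4_fragment(ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Construct a minimal fragment for the samples (checksum left zero)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def check_reassembly(frags):
    """Classify fragments sharing one Identification value.

    Returns (verdict, reason) with verdict 'ok' (safe to reassemble),
    'incomplete' (keep waiting) or 'drop' (malformed offsets; the pattern
    a teardrop-style attack produces)."""
    if len({f.ident for f in frags}) > 1:
        raise ValueError("fragments belong to different datagrams")
    frags = sorted(frags, key=lambda f: f.offset)
    expected = 0  # byte offset at which the next fragment must start
    for f in frags:
        if f.more and f.length == 0:
            return "drop", f"zero-length non-final fragment at offset {f.offset}"
        if f.more and f.length % 8 != 0:
            return "drop", f"non-final fragment at {f.offset} has length {f.length}, not a multiple of 8"
        if f.offset + f.length > 65535:
            return "drop", "fragment extends beyond the 65535-byte datagram limit"
        if f.offset < expected:
            return "drop", f"fragment at {f.offset} overlaps the fragment ending at {expected}"
        if f.offset > expected:
            return "incomplete", f"gap between {expected} and {f.offset}"
        expected = f.offset + f.length
    if not frags or frags[-1].more:
        return "incomplete", "final fragment not yet received"
    return "ok", f"datagram of {expected} payload bytes reassembles cleanly"


# Constructed samples: a well-formed two-fragment datagram ...
BENIGN_PACKETS = [
    build_ipv4_fragment(0x1234, 0, True, b"A" * 24),
    build_ipv4_fragment(0x1234, 24, False, b"B" * 10),
]
# ... and a teardrop-style pair whose second fragment lands inside the first.
TEARDROP_PACKETS = [
    build_ipv4_fragment(0x4321, 0, True, b"A" * 24),
    build_ipv4_fragment(0x4321, 8, False, b"B" * 8),
]

if __name__ == "__main__":
    for name, pkts in (("benign", BENIGN_PACKETS), ("teardrop", TEARDROP_PACKETS)):
        verdict, reason = check_reassembly([parse_ipv4_fragment(p) for p in pkts])
        print(f"{name}: {verdict} ({reason})")
```

The key defensive check is the comparison of each fragment's offset against the end of the previous one: a legitimate sender never produces fragments that overlap, so any overlap is grounds to discard the whole fragment set rather than attempt a reassembly whose length arithmetic the offsets have invalidated.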
