Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Teardrop Attack - What is it?


Ensuring all-around IT system and application security demands a deeper understanding of most of the risks. Teardrop attack is a famous DDoS attack type causing damage beyond explanation if ignored. It is giving sleepless nights to more than 61% of IT security experts.

Teardrop Attack - What is it?

The definition and Why is it known by its current name

To begin with, the simplest teardrop attack definition is an attack wherein a minute fraction of corrupted code Is introduced in the aimed software/application/system. In a customary DDoS attack, a huge amount of request/traffic is forwarded to the targeted system to make it inaccessible for authorized users. The aim of the teardrop attack is the same. But, the insertion of malicious code or requests is slow and continuous.

Mostly, it’s used to destroy old or outdated computer systems. These systems have slow processing and cannot congregate the corrupted packets as their IP/TCP fragments are buggy. Over time, the intended system becomes overwhelmed with these bugs and crashes. 

As the attack involves IP/TCP fragments, it’s also a part of the IP Fragmentation Attack.

Now, let’s understand how it got its name, i.e., ‘teardrop attack’. The buggy code used in the attack is very small and fragmented. It’s a small section of a huge part and is inserted slowly. A teardrop is almost the same as this. It’s a small part of the endless tears that humans can produce in a lifetime. A teardrop, when it comes alone, won’t make any difference. But, when it comes in huge quantities it means an emotional breakdown. 

Teardrop Attack in action

Every system is designed to process only a small set of information at a time. Because of this, the network breaks the traffic into small fragments, and each fragment has a number assigned to it in the fragment offset field. Once all the fragments are received, they are arranged to generate the message that was bound to be delivered as per the fragment offset field value. 

In an IP teardrop attack, a hacker introduces a bug in the fragment offset field and makes fragment sequencing impossible. Without sequencing/rearrangement, corrupted fragment offset fields start accumulating in the system and crash with time. 

Teardrop attack example

The importance of Teardrop attacks

Legacy systems, receiving no support from the vendor, will completely crash down on facing a teardrop attack. The most common teardrop attack example is the attack that happened on The Office of Personnel Management (OPM) in 2014. As a result of the attack, millions of US government employee records went under the control of a Chinese hacker. As the systems were too old, data could be encrypted.

The main victims of this attack are

Teardrop attacks are capable of harming only the legacy systems and such systems are spotted at places like hospitals, government offices/agencies, banks, and financial institutes. In a survey, it was revealed that around 56% of hospitals and health care professionals are using outdated OS-based computers. Hence, they are prime victims of this attack.

Mitigating and preventing a Teardrop attack

As per recent research, around 30% of organizations are still using computers/laptops running on old OS like Windows 3.1x, Windows NT, and so on. All these systems are prone to teardrop attacks. Hence, effective and viable teardrop mitigation actions should be in place. 

One of the most viable teardrop attack preventions is disabling 139 and 445 ports for blocking server messages in systems that aren’t receiving the patches from the vendors. 

Using a firewall in the network layer is imperative as it filters the data and reduces the odds of a teardrop DDoS attack. 

One can avoid teardrop exploits with a caching server as it ensures the continuous availability of the website even when a DDoS attack has happened. With proxy servers, it’s easy to watch out for the incoming traffic and spot the data fragments in the early stages.

How can Wallarm help?

Wallarm, being a leader in the AppSec industry, offers viable tools to mitigate and prevent teardrop attacks. Its tech-infused Cloud WAF can protect a website from all sorts of data fragments. With zero false-positive rates and automated lib detection, this tool is going to keep teardrop and various other OWASP Top 10 threats away from you.



Subscribe for the latest news

February 26, 2024
Learning Objectives
Subscribe for
the latest news
Related Topics