Denial of Service attack Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/denial-of-service-attack/

What is a Teardrop attack, and how to protect ourselves?
https://www.cloudns.net/blog/what-is-teardrop-attack-and-how-to-protect-ourselves/
Mon, 11 Dec 2023 11:37:20 +0000
The Teardrop attack is a cyber threat that should not be neglected. It could affect you or your organization and crash your systems. Therefore, it is best to understand what a Teardrop attack actually is and how you can protect yourself from it.

Teardrop attack explained

The Teardrop attack, or TCP fragmentation attack, is a type of Denial-of-Service attack (DoS attack) whose goal is to make a network, server, or computer inaccessible by sending it large amounts of altered data packets.

Somewhat older computer systems have a bug in the code that handles large amounts of data, and that weak spot is the perfect opportunity for a Teardrop attack. Normally, the system collects all the pieces and puts them back in the proper order. With the bug, that never happens: the system keeps waiting for pieces that never arrive, and as a result the network, server, or device crashes.

You have probably guessed that the main targets of such DoS attacks are the TCP/IP fragmentation code paths themselves. The attack works by sending overlapping fragmented packets to the device, server, or network. When the host tries to reconstruct the packets in their correct order, it typically fails, and eventually the system crashes for good. The conditions get even worse because of the large load sent to the targeted device. And because this threat uses TCP/IP fragments, it is also considered an IP fragmentation attack.

The cybercriminals carrying out the attack most commonly pick old versions of operating systems (OS), for instance older versions of Windows such as Windows NT, Windows 3.1x, Windows 95, Windows 7, and Windows Vista. Other targets could be Linux versions prior to 2.0.32 and 2.1.63. Due to their sluggish processing speed and flawed handling of TCP/IP fragments, these systems are unable to reassemble tainted packets.

You are probably assuming that this type of threat is a little outdated, given that new operating systems are not the main targets. However, it would be best not to underestimate the potential damage a Teardrop attack could cause. Just think about how many countries, large government bodies, and healthcare organizations still run much older versions of operating systems.

What inspired the name of the attack?

Let’s now look at how it got its name, ‘Teardrop attack.’ The attack’s glitchy payload is relatively tiny and fragmented. It arrives slowly and is only a small portion of a larger whole. This resembles a teardrop in practically every way: one tear is just a small portion of all the tears a person sheds in a lifetime. On its own, a teardrop has no impact. But when they are plentiful, they can lead to an emotional breakdown.

How does it work?

Most systems are designed in a simple way that does not allow massive amounts of information to be transferred from another source in a single attempt. For that reason, systems divide the data into fragments and transfer it that way. Then, following the rules established in the software, the recipient reassembles it. To specify how much information they can process at a time, networks set maximum transmission units (MTUs). In the most common scenario, a network uses a 1,500-byte limit. If you send something larger than that, the following happens:

  • Fragmented – The device that wants to send the information, or the router in front of it, divides the data into pieces called fragment datagrams.
  • Sent – Each piece is transferred to the destination with headers that define the precise order for reassembly.
  • Reassembled – The destination server waits until the entire collection of fragments has arrived. Once all of them are available, the system arranges the information in the proper order and delivers it.

As we mentioned, somewhat aged operating systems (OS) contain a bug that causes confusion during the reassembly phase, and that is the vulnerability the attack exploits.

Here is how the Teardrop attack is performed, step by step:

  • First, the large amount of information is divided into small fragments before being sent across the Internet.
  • Every piece gets a precise number that defines the order in which the fragments should be arranged and reassembled to recover the original information.
  • The destination server uses the information included in the fragments to organize them in the right sequence.
  • At this step, the Teardrop attack interferes by corrupting the fragments’ offset field. That makes it impossible for the device to reassemble the pieces correctly.
  • Then a large number of fraudulent packets are delivered to the victim’s device or server, which finally causes the device to crash.

The good news is that most current networks and devices are able to notice damaged fragmented packets efficiently. If a malformed packet is recognized, it can be discarded, which prevents a Teardrop attack.


What are the effects of the Teardrop DoS attack?

The Teardrop DoS attack targets the TCP/IP reassembly mechanisms and prevents them from putting fragmented data packets back together. The overlapping data packets overwhelm the victim’s servers, which causes them to go down.

Once the Teardrop DoS attack is completed, the system, server, or network gets confused. It pauses for some time and then crashes. While the server is down, it cannot provide the needed resources, so, for instance, your employees won’t be able to do their work at all.

Who are the likely victims of this attack type?

Some organizations are more likely than others to be the target of a Teardrop attack. Typically they are more traditional and reluctant to adopt new technologies, often because they believe new technologies could disrupt their operations. As a result they keep using older technologies and software. Here are some of the common targets and likely victims of the Teardrop attack:

  • Healthcare

More than half of healthcare providers are using some old version of an operating system (OS), most commonly Windows 7. That is why they are especially vulnerable to these attacks, mainly because Microsoft announced that it would no longer support that version of its product.

  • Government

Other institutions using quite old systems and technology are those related to government. There are cases in which the Office of Personnel Management (OPM) was attacked and none of the information was encrypted. Why? Because the system was far too old. Systems like that are very likely to become victims of the Teardrop attack.

  • Banking, Financial Services, and Insurance (BFSI)

In past years, we have seen massive improvement and change across financial services, and probably all of them have introduced mobile apps. However, if we look at their backend systems, we notice that in most cases the technology is not actually brand new. They prefer to operate with legacy systems, and that makes them very vulnerable to Teardrop attacks.

How to protect ourselves?

  • Update the version of your OS.

With just this simple task, you make it much harder for your device to become the target of such a DoS attack. It is essential not to use an aged OS that is no longer supported and no longer receives security patches. If you are using such an operating system, you won’t receive updates anymore, which leaves you exposed not only to a Teardrop attack but also to several DDoS attack types. (If you are searching for reliable DNS protection, check our DDoS Protected DNS Service)

  • Monitor your systems

You can add an extra layer of security to your system with a Monitoring service. It includes different types of checks; in a Teardrop attack situation, TCP monitoring and Heartbeat monitoring in particular will help a lot. Heartbeat monitoring keeps a close eye on a system’s health by regularly sending heartbeat events to a remote monitoring service. If the data included in a heartbeat event does not match the user-defined assertions, you are notified that something is wrong, which is a clear signal to take defensive action.

  • Firewall

These attacks target the network layer, so your system should certainly be protected there. You can implement a reliable firewall that filters unwanted data. There are many different types of firewalls, and one of them is sure to fit your network’s requirements. It is crucial to enable an efficient filter that helps you detect and stop malformed data. It serves as an excellent protection method.

How to detect it?

Detecting the presence of a Teardrop Attack can be challenging, considering its ability to camouflage within the network’s regular traffic. However, there are several signs and symptoms that administrators and security personnel can observe:

  • System Instability: One of the primary indicators of a Teardrop Attack is the sudden instability or unresponsiveness of systems and network devices. Sluggish response times, increased latency, and interrupted connectivity can indicate that your system is under attack. Users might experience frequent crashes, freezes, or abnormal behavior in applications and services.
  • Unusual Network Activity: Strange network behavior, such as an unexpected surge in network traffic or a sudden increase in packet fragmentation, could be a red flag indicating a potential Teardrop Attack. Monitoring network traffic for irregular patterns becomes crucial in detecting such anomalies.
  • System Logs and Error Messages: Regularly reviewing system logs and error messages can reveal clues about attempted attacks or system anomalies caused by a Teardrop Attack. Unusual error messages related to packet handling or IP reassembly could hint at malicious activities.
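One concrete way to watch for the “IP reassembly” anomaly mentioned above on a Linux host is to compare the kernel’s reassembly counters in /proc/net/snmp between two points in time. The script below is an added example written for this page, not part of the original post or of any ClouDNS tool; the two snapshots and the alert thresholds (min_datagrams, max_fail_ratio) are constructed for illustration.

```python
"""Spot a burst of IP reassembly failures from Linux's /proc/net/snmp counters.

The kernel exposes per-protocol counters there as header/value line pairs. The
ReasmReqds / ReasmOKs / ReasmFails / ReasmTimeout fields of the 'Ip:' pair
describe fragment reassembly, so comparing two snapshots shows whether
fragmented traffic has suddenly started failing to reassemble.

SNAPSHOT_BEFORE and SNAPSHOT_AFTER are constructed sample text, not output
captured from a real host. The thresholds in assess() are illustrative.
"""
from typing import Dict, Tuple

IP_HEADER = ("Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors "
             "ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests "
             "OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails "
             "FragOKs FragFails FragCreates")

# Constructed: a quiet interval followed by one where almost every fragmented
# datagram times out or fails to reassemble.
SNAPSHOT_BEFORE = IP_HEADER + "\nIp: 1 64 1000 0 0 0 0 0 1000 900 0 0 0 40 20 0 0 0 0\n"
SNAPSHOT_AFTER = IP_HEADER + "\nIp: 1 64 6000 0 0 0 0 0 1200 950 0 0 350 4800 30 360 0 0 0\n"

Counters = Dict[str, Dict[str, int]]
REASM_FIELDS = ("ReasmReqds", "ReasmOKs", "ReasmFails", "ReasmTimeout")


def parse_proc_net_snmp(text: str) -> Counters:
    """Parse /proc/net/snmp-style text into {protocol: {counter_name: value}}."""
    tables: Counters = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/value line pairs")
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        proto_v, nums = values.split(":", 1)
        names, nums = names.split(), nums.split()
        if proto != proto_v or len(names) != len(nums):
            raise ValueError(f"malformed counter pair for {proto!r}")
        tables[proto] = {n: int(v) for n, v in zip(names, nums)}
    return tables


def reassembly_delta(before: Counters, after: Counters) -> Dict[str, int]:
    """Growth of the reassembly counters between two snapshots."""
    return {f: after["Ip"][f] - before["Ip"][f] for f in REASM_FIELDS}


def assess(delta: Dict[str, int], min_datagrams: int = 50,
           max_fail_ratio: float = 0.25) -> Tuple[str, float]:
    """Classify an interval.

    ReasmOKs and ReasmFails both count datagrams, so fails / (fails + oks) is
    the share of fragmented datagrams that never reassembled. ReasmReqds counts
    individual fragments and is carried along for reporting only.
    """
    finished = delta["ReasmOKs"] + delta["ReasmFails"]
    if finished < min_datagrams:
        return "quiet", 0.0            # too little fragmented traffic to judge
    ratio = delta["ReasmFails"] / finished
    return ("suspicious" if ratio > max_fail_ratio else "normal"), ratio


def read_live() -> Counters:
    """Read the real counters on a Linux host (not used by demo())."""
    with open("/proc/net/snmp") as fh:
        return parse_proc_net_snmp(fh.read())


def demo() -> Tuple[Dict[str, int], str, float]:
    """Compare the two constructed snapshots and classify the interval."""
    delta = reassembly_delta(parse_proc_net_snmp(SNAPSHOT_BEFORE),
                             parse_proc_net_snmp(SNAPSHOT_AFTER))
    verdict, ratio = assess(delta)
    return delta, verdict, ratio


if __name__ == "__main__":
    d, v, r = demo()
    print(f"{v}: {d['ReasmFails']} failures / {d['ReasmOKs']} successes "
          f"(failure share {r:.0%}), {d['ReasmTimeout']} timeouts")
```

In practice you would call read_live() twice, a minute apart, and feed the results to reassembly_delta() and assess(); a host that is not receiving fragmented traffic at all will simply report “quiet”, which is itself useful context when other symptoms from the list above appear.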

Why are Teardrop attacks so important?

A great number of people are still using systems that are considered very old. Additionally, the companies that provided these tools are not supporting them anymore. For instance, there are still organizations that hold a device that operates with Windows XP. Yet, the support ended back in 2014. There are various cyber threats, and the Teardrop attack is one of them that proves how important it is to update your systems.

If you are using modern software and you update it on time, it is a lot harder for an attacker to launch a Teardrop attack against you or your business. The reason is simple: the vulnerability required for the attack just doesn’t exist, so attackers can’t take advantage of it. That is why it is essential to understand how IP fragmentation attacks such as Teardrop work.

Conclusion

So now you understand how dangerous a Teardrop attack really is. It could affect your device, network, or computer. For that reason, it is extremely important to keep yourself and your network safe and take the required actions to prevent it.

Ping of Death (PoD) – What is it, and how does it work?
https://www.cloudns.net/blog/ping-of-death-pod-what-is-it-and-how-does-it-work/
Tue, 05 Dec 2023 09:34:00 +0000
Ping of Death sounds pretty scary, and it can bring down your server and keep it down for an extended period of time using a simple tool like the ping command. But, as with all cyber threats, the best defense is to be familiar with them. So, in today’s article, we will explain in detail what Ping of Death is, how it works, and ways to prevent and stop it. Without further ado, let’s start!

Historical evolution of the Ping of Death attack

The Ping of Death (PoD) attack has a rich history. In the early days of the internet, networks and devices were less sophisticated and more susceptible to various forms of cyber attacks, including the Ping of Death. The original PoD attack involved sending malformed or oversized packets using the ICMP protocol, which could crash systems or cause network interruptions. This vulnerability was particularly prevalent in older operating systems that didn’t properly handle these packets.

Over time, as operating systems and network hardware became more advanced, they were patched to resist these types of attacks. This led to the evolution of PoD tactics, with attackers finding new methods to exploit different vulnerabilities within network protocols and systems.

What is Ping of Death (PoD)?

Ping of Death (PoD) is a popular type of DoS (Denial of Service) attack. The cybercriminal that initiates it aims to destabilize or completely crash the device, server, or service of the victim. In order to achieve that, the attacker sends malformed or oversized packets with the help of the Ping command. Unfortunately, the moment when the victim’s system processes the data packet, the system faces an error that forces it to crash.

The concept of the Ping of Death (PoD) attack is commonly compared to a mail bomb: If the recipient opens the package, a mechanism is triggered, and the target is attacked or completely destroyed. 

The ping command, from which the attack gets its name, is a popular tool for testing the reachability of a host on a network. The command is built on the Internet Control Message Protocol (ICMP), which is used to carry status information on the Internet.

Ping of Death attacks could occur on patched and unpatched systems that have legacy weaknesses on the target systems. The cybercriminal does not even need any additional details about the target’s device or its operating system (OS). The only required information is the IP address and nothing else.

So, now that you are familiar with what a Ping of Death attack is, it is time to dive a little bit deeper and explain how it actually works.

How does it work?

To enable a Ping of Death attack, criminals use the ping command to send oversized data packets to their target to destabilize or crash it. 

The ping utility, built on Internet Control Message Protocol (ICMP) echo messages, is a network tool for testing a network connection. It sends out pings and waits for an ICMP echo reply, which carries information about the condition and environment of the network in question. Receiving the reply means the connection is successful.

In order to launch a Ping of Death attack, attackers create an ICMP packet that’s larger than allowed. The packet is separated into smaller pieces for transportation. When the receiver puts them back together, the maximum allowed size is exceeded. That leads to an overflow in the memory buffer, forcing the system to crash.

To bring it all together: the maximum packet size for IPv4 is 65,535 bytes, while a normal ping packet has a total size of 84 bytes. Thus, to launch a PoD attack, cybercriminals send ping packets bigger than that limit (110k, for example) to the victim’s device.


Attackers can also perform this DoS attack over the User Datagram Protocol (UDP), Internetwork Packet Exchange (IPX), and Transmission Control Protocol (TCP). Anything that sends an Internet Protocol datagram can be used.
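The reason modern systems survive these packets is that their IP stacks validate every fragment before queuing it for reassembly. The checker below is an added example written for this page, not ClouDNS code and not any particular kernel’s implementation; it applies the two checks that matter for the attacks on this page: rejecting overlapping fragments (the corrupted offset field of the Teardrop attack described in the previous article) and rejecting fragment sets whose reassembled datagram would exceed the 65,535-byte IPv4 limit (the oversized ping described here). make_fragment(), the IP IDs and the addresses are constructed for the demo; nothing is sent on a network.

```python
"""Fragment sanity checks of the kind a patched IP stack performs before
queuing a fragment: reject overlaps (Teardrop) and oversize datagrams (PoD).
All packets are built by make_fragment(); nothing touches the network."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPV4_MAX_DATAGRAM = 65535   # IPv4 total-length field is 16 bits
FLAG_MF = 0x1               # "more fragments" bit of the 3-bit flags field


@dataclass
class Fragment:
    ident: int      # IP identification: groups fragments of one datagram
    ihl: int        # header length in bytes
    offset: int     # byte offset of this payload within the datagram
    length: int     # payload bytes carried by this fragment
    more: bool      # True unless this is the last fragment


def parse_fragment(raw: bytes) -> Fragment:
    """Extract the reassembly-relevant IPv4 header fields from raw bytes."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", raw[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(raw):
        raise ValueError("inconsistent header/length fields")
    flags = flags_frag >> 13
    offset = (flags_frag & 0x1FFF) * 8      # offset field counts 8-byte units
    return Fragment(ident, ihl, offset, total_len - ihl, bool(flags & FLAG_MF))


@dataclass
class ReassemblyQueue:
    pieces: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) byte ranges
    total: Optional[int] = None   # payload length, fixed once the last fragment arrives


class FragmentChecker:
    """Validates fragments per IP ID before they would be queued for reassembly."""

    def __init__(self) -> None:
        self.queues: Dict[int, ReassemblyQueue] = {}

    def check(self, raw: bytes) -> str:
        """Return 'ok' or a short reason the fragment must be discarded."""
        frag = parse_fragment(raw)
        start, end = frag.offset, frag.offset + frag.length
        # Ping of Death: header plus reassembled payload may not exceed 65,535 bytes.
        if frag.ihl + end > IPV4_MAX_DATAGRAM:
            return "oversize: reassembled datagram would exceed 65535 bytes"
        q = self.queues.setdefault(frag.ident, ReassemblyQueue())
        # Teardrop: reject any fragment whose byte range overlaps data already queued.
        for s, e in q.pieces:
            if start < e and s < end:
                return f"overlap: [{start},{end}) collides with queued [{s},{e})"
        if not frag.more:                     # the last fragment fixes the total size
            if q.total is not None:
                return "duplicate final fragment"
            if any(e > end for _, e in q.pieces):
                return "final fragment ends before already-queued data"
            q.total = end
        elif q.total is not None and end > q.total:
            return "fragment extends past the declared end of the datagram"
        q.pieces.append((start, end))
        return "ok"


def make_fragment(ident: int, offset: int, payload_len: int, more: bool) -> bytes:
    """Build a minimal IPv4 fragment (constructed sample input, not captured traffic)."""
    if offset % 8:
        raise ValueError("fragment offsets must be multiples of 8")
    flags_frag = ((FLAG_MF if more else 0) << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 1, 0,                      # TTL, protocol ICMP, checksum left zero
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # placeholder addresses
    return header + b"\x00" * payload_len


def demo() -> Dict[str, List[str]]:
    """Run three constructed fragment sets through the checker."""
    chk = FragmentChecker()
    return {
        # A benign 3,060-byte payload split at 1,480-byte boundaries (1,500-byte MTU).
        "normal": [chk.check(make_fragment(1, 0, 1480, True)),
                   chk.check(make_fragment(1, 1480, 1480, True)),
                   chk.check(make_fragment(1, 2960, 100, False))],
        # Teardrop: the second fragment claims an offset inside the first one.
        "teardrop": [chk.check(make_fragment(2, 0, 1480, True)),
                     chk.check(make_fragment(2, 800, 400, False))],
        # Ping of Death: a last fragment at the highest offset, running past 65,535.
        "ping_of_death": [chk.check(make_fragment(3, 65528, 16, False))],
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The overlap test is the interval check start < e and s < end against every queued range; a stack that instead trusts the offset field and computes lengths by subtraction is exactly what the original Teardrop packets broke. The oversize check uses the fragment’s own header length rather than assuming 20 bytes, so IPv4 options do not let a datagram slip past the limit.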

Here’s what a Ping of Death looks like on Windows and Linux :

Ping of Death Windows (-l sets the payload size, -w the reply timeout, -n the packet count):

ping <ip address> -l 65500 -w 1 -n 1

Ping of Death Linux (-s sets the payload size, -W the reply timeout in seconds, -c the packet count):

ping <ip address> -s 65500 -W 1 -c 1

Does the Ping of Death still work?

The Ping of Death (PoD) is actually quite an old attack that first occurred back in the mid-1990s. Since then, the majority of devices and computers have been protected against these types of attacks. Additionally, a lot of websites keep blocking ICMP ping messages in order to stop and avoid future variations of this DoS attack.

Yet an organization’s defenses can be weakened by malicious content on any computer, server, or network, leaving it vulnerable to the threat. It is exposed to this attack if any of the following are unpatched:

  • Vulnerable Legacy Equipment
  • Kernel driver in TCPIP.sys
  • Windows XP and Windows Server 2013 copies on systems already vulnerable to a weakness in OpenType fonts

Recent Ping of Death attacks

Let’s explain a little bit more about some of the recent appearances of the Ping of Death attack.

  • PoD attacks officially made their return in August 2013 by threatening Internet Protocol version 6 (IPv6) networks. The attacker took advantage of a weakness in the soon-to-be-discontinued Windows XP and Windows Server 2013 operating systems, more precisely in OpenType fonts. A flaw in the IPv6 implementation of ICMP allowed the attacker to send massive ping requests that crashed the victim when it reassembled the packets. This particular threat could have been avoided simply by disabling IPv6.
  • In October 2020, a flaw was found in the Windows component TCPIP.sys, a kernel driver that would give an attacker access to the core of any Windows system if exploited. The result would be a hard crash and total shutdown of the device, followed by a reboot. Yet it was fairly complicated for cybercriminals to actually use this vulnerability, and users started patching their devices to prevent the threat.

The Ping of Death seems to be a simple, small-scale attack, and that makes it an efficient weapon against particular machines. Yet we should not underestimate it! If a group of devices comes together, there is a great chance that a handful of them could bring down a website that lacks the infrastructure to deal with this threat. These examples from the past show that Ping of Death could still appear. Therefore, it is highly recommended that organizations take the needed measures to protect themselves.

Preventing measures against PoD attack

There are several ways you can prevent, stop, and protect yourself from a Ping of Death (PoD) attack. Most of them are easy and simple to implement. Let’s see what they are and how they can help you avoid Ping of Death.

  • Configure your firewall to block ICMP Ping Messages. This will protect your network from the PoD threat, yet it will also stop legitimate pings. Additionally, invalid packet attacks can be launched through other listening ports, such as FTP (File Transfer Protocol). So, it is not an ideal solution.
  • Monitoring with ICMP Ping. If you don’t like the idea of completely blocking ICMP Ping messages, Ping monitoring, which is part of the ClouDNS Monitoring service, would be your preferred solution. It spots network problems quickly and helps you improve your overall security.

Suggested article: What ICMP Ping traffic monitoring is?

  • Implement DDoS Protection. A DDoS protection service provides you with a brilliant technique for network security and protecting against DDoS attacks and Ping of Death attacks.
  • Update your software regularly. When a flaw appears, commonly shortly after, the patches are released too. It is important to accept them and keep your device safe.
  • Implement a buffer. Improve your capability to accept large packets with an overflow buffer. 
  • Filter your traffic. You can stop just fragmented pings from reaching any device in the network. That will allow you to use the ping command’s utility without being at risk of an attack.
  • Enable a checker in the assembly process. If it detects large bits of data, it will stop the abnormal packets and prevent crashing.

How to block Ping requests using iptables?

To block ping requests coming to and from your server using iptables, follow these instructions:

First, to reject incoming ping requests, execute the following command:

$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

This will lead to an error message being displayed for each blocked ping. If you prefer to silently drop these requests without generating error messages, use the following commands instead:

$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

$ sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

The first command silently blocks incoming ping requests, while the second one prevents sending out ping replies from your server.

Implementing network protocols against PoD attack

In the previous section, we examined the most popular ways to safeguard against Ping of Death attacks. Now, let’s delve into how network protocol-level measures can further fortify your defenses:

  • Deep Packet Inspection (DPI): This technique goes beyond basic header analysis to examine the actual data content of packets. DPI can identify, categorize, and block packets that exhibit patterns typical of PoD attacks, such as unusual fragmentation or payload anomalies.
  • Intrusion Detection Systems (IDS): IDS can be configured to recognize signatures or patterns of PoD attacks. By monitoring network traffic in real-time, IDS can alert administrators and automatically take action against suspicious packets.
  • Protocol Anomaly Detection: This method involves analyzing the behavior of protocols like ICMP, TCP, and UDP against established norms. Any deviation from these norms, such as fragmented ICMP packets that could signal a PoD attack, can be flagged for further inspection or blocked.

Suggested article: Full Guide on TCP Monitoring vs. UDP Monitoring

  • Stateful Packet Inspection (SPI): Unlike stateless firewalls that only examine packet headers, SPI firewalls track the state of active connections and make decisions based on the context of the traffic. This approach can effectively block malformed packets characteristic of PoD attacks.

Conclusion

You may think that Ping of Death is outdated and does not stand a chance against modern networks. The truth is that this threat should not be neglected. It may still find its way in and crash your system. Therefore, it is best to take all the necessary precautions to prevent and stop such malicious attacks.
