Problem solve Get help with specific problems with your technologies, process and projects.

Drying out teardrops

A denial of service (DoS) attack is one of the most popular and rapidly growing threats to businesses on the Internet. By subverting the aging TCP/IP version 4 protocol, so-called "script kiddies" (unskilled hacker wanna-bes) are able to prevent normal users from accessing their digital resources -- web sites, email, or even some types of Virtual Private Networks (VPNs). The most common approach for a DoS attack is to flood a network with so many standard PINGs (or "are you there") messages that there's no room in the network pipe for any of the customers. Ironically, many DoS attacks are made possible by businesses themselves. "Teardrop" attacks (one form of DoS attack) take advantage of misconfigured routers on high-bandwidth corporate networks to vastly multiply the number of PINGs being sent to the victim site; this is how a hacker on a dialup modem can take down a web site on a T1.

Against sites with incredibly fat network pipes, of course, that won't work. The recent Distributed Denial of Service (DDoS) attacks against Yahoo! and other major networks in the spring of 2000 were mounted by programs like the Tribal Flood Network (TFN), an easy-to-use tool that takes over corporate and home computers and uses them to each launch teardrop attacks against a victim site.

You can close up holes that make the teardrop possible. The teardrop takes advantage of a router's multicast address, a special IP address on the router's subnet that, in many default configurations, will forward packets to every machine on the subnet. By forging PING requests from the victim's site and sending them to a multicast address, a malicious hacker will cause the victim to be flooded with PING responses from each machine on the subnet. Therefore, corporate routers should never honor requests sent from the Internet (or anywhere else, really) to the multicast address. Using your router's configuration program, you can turn off forwarding from your multicast address.

This won't completely solve the problem, but it will help. For more discussion of the teardrop and how to fix it, see, which includes a list of the networks that are the top offenders.

Barrie Sosinsky ( is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was last published in October 2000

Dig Deeper on Network Security Best Practices and Products

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.