Teardrop attack – Allied Telesis AT-S63 User Manual

Chapter 17: Denial of Service Defenses

208

Section II: Advanced Operations

Teardrop Attack

An attacker sends an IP packet in several fragments with a bogus offset
value, used to reconstruct the packet, in one of the fragments to a victim.
Because of the bogus offset value, the victim is unable to reassemble the
packet, possibly causing it to freeze operations.

The defense mechanism for this type of attack has all ingress fragmented
IP traffic received on a port sent to the switch’s CPU. The CPU samples
related, consecutive fragments, checking for fragments with invalid offset
values.

If one is found, the following occurs:



The switch sends an SNMP trap to the management stations.



The switch port is blocked for one minute.

Because the CPU only samples the ingress IP traffic, this defense
mechanism may not catch all occurrences of this form of attack.

Caution

This defense is extremely CPU intensive; use with caution.
Unrestricted use can cause a switch to halt operations if the CPU
becomes overwhelmed with IP traffic. To prevent this, Allied Telesis
recommends activating this defense on only the uplink port and one
other switch port at a time.