What does it mean that my router is getting a Teardrop DoS attack?

Screenshot is here: https://i.imgur.com/viRZYSU.jpg

I just noticed that my router reports a constant barrage of hits from:

[DoS attack: Teardrop] attack packets in last 20 sec from ip [153.224.226.205], Friday, Apr 01,2016 19:58:28

Any idea what's going on?

Re: What does it mean that my router is getting a Teardrop DoS attack?
On 02.04.16 5:04, Clark Higgins wrote:
Your provider knows.

Re: What does it mean that my router is getting a Teardrop DoS attack?

Sure, someone is trying to break in and own your router.



Re: What does it mean that my router is getting a Teardrop DoS attack?
On 04/02/2016 05:04 AM, Clark Higgins wrote:


From Wikipedia: https://en.wikipedia.org/wiki/Denial-of-service_attack

Teardrop attacks
A teardrop attack involves sending mangled IP fragments with
overlapping, over-sized payloads to the target machine. This can crash
various operating systems because of a bug in their TCP/IP fragmentation
re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating
systems, as well as versions of Linux prior to versions 2.0.32 and
2.1.63 are vulnerable to this attack.

(Although in September 2009, a vulnerability in Windows Vista was
referred to as a "teardrop attack", this targeted SMB2 which is a higher
layer than the TCP packets that teardrop used).


The attacker is trying to find old machines/routers which are vulnerable
to the attack, or it's just a script kiddie who found an old script and now
wants to be a hacker.

--  

 //Aho
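
The overlap condition described in the Wikipedia excerpt above, shown as an added defensive example (not part of the original post and not any router's actual detection code). The function names are hypothetical, and the sample packets are constructed headers using documentation addresses.

```python
import struct
from collections import defaultdict

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
MAX_PAYLOAD = 65535 - 20                   # largest payload a reassembled datagram can carry

def parse_fragment(pkt: bytes):
    """Return (flow_key, start, end, more_fragments) for one raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = IPV4_HDR.unpack(pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    start = (flags_off & 0x1FFF) * 8           # offset field counts 8-byte units
    end = start + total_len - header_len       # exclusive end of this fragment's data
    return (src, dst, proto, ident), start, end, bool(flags_off & 0x2000)

def find_anomalies(packets):
    """Return [(ip_id, reason)] for fragments that overlap or run past the size limit."""
    seen = defaultdict(list)                   # flow key -> [(start, end), ...]
    alerts = []
    for pkt in packets:
        key, start, end, more = parse_fragment(pkt)
        if start == 0 and not more:
            continue                           # whole datagram, not a fragment
        if end > MAX_PAYLOAD:
            alerts.append((key[3], "oversize"))
        for s, e in seen[key]:
            # An exact duplicate is an ordinary retransmission; a partial overlap is not.
            if (s, e) != (start, end) and start < e and s < end:
                alerts.append((key[3], "overlap"))
                break
        seen[key].append((start, end))
    return alerts

def sample_fragment(ident, offset, length, more):
    """Constructed test input: header for a UDP fragment between documentation addresses."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = IPV4_HDR.pack(0x45, 0, 20 + length, ident, flags_off, 64, 17, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + bytes(length)

SAMPLE = [
    sample_fragment(1, 0, 1480, True),     # well-formed datagram, two fragments
    sample_fragment(1, 1480, 520, False),
    sample_fragment(1, 1480, 520, False),  # duplicate of the previous fragment
    sample_fragment(2, 0, 36, True),       # second fragment below sits inside this one
    sample_fragment(2, 24, 4, False),
]

if __name__ == "__main__":
    print(find_anomalies(SAMPLE))
```

Only the second datagram is flagged: its last fragment starts at byte 24 and ends at byte 28, inside the 0 to 36 range the first fragment already covered.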

Re: What does it mean that my router is getting a Teardrop DoS attack?
On 2016-04-02 10:45, J.O. Aho wrote:



You (Clark) could try to block that IP, as it seems to be coming from
one only.

--  
Cheers, Carlos.


Re: What does it mean that my router is getting a Teardrop DoS attack?
On 04/02/2016 05:04 AM, Clark Higgins wrote:
Do you know anyone in Japan?

```
$ whois 153.224.226.205
[ JPNIC database provides information regarding IP address and ASN. Its use   ]
[ is restricted to network administration purposes. For further information,  ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]

Network Information:            
a. [Network Number]             153.224.128.0/17
b. [Network Name]               OCN
g. [Organization]               Open Computer Network
m. [Administrative Contact]     JP00009614
n. [Technical Contact]          JP00009427
p. [Nameserver]                 ns-kg001.ocn.ad.jp
p. [Nameserver]                 ns-kn001.ocn.ad.jp
[Assigned Date]                 2014/09/04
[Return Date]                    
[Last Update]                   2014/09/04 15:11:04(JST)
                                
Less Specific Info.
----------
NTT COMMUNICATIONS CORPORATION
                     [Allocation]                  153.128.0.0-153.253.255.255

More Specific Info.
----------
No match!!
```


Re: What does it mean that my router is getting a Teardrop DoS attack?
On 02/04/16 04:04, Clark Higgins wrote:

The fact that your router is reporting it means that your router's
firewall is working. So no real panic.

However, if it still is going on, probably easiest to acquire a  
different IP address from your ISP connection. This may be as simple as  
restarting your router, but obviously if you have a static / sticky  
address then this won't apply.

--  
Adrian C
