What does it mean that my router is getting a Teardrop DoS attack?

Clark Higgins

Apr 1, 2016, 11:04:43 PM
Screenshot is here: https://i.imgur.com/viRZYSU.jpg

I just noticed that my router reports a constant barrage of hits from:

[DoS attack: Teardrop] attack packets in last 20 sec from ip [153.224.226.205], Friday, Apr 01,2016 19:58:28

Any idea what's going on?

Sjouke Burry

Apr 2, 2016, 12:56:36 AM
Your provider knows.

William Unruh

Apr 2, 2016, 1:01:04 AM
Sure, someone is trying to break in and own your router.


J.O. Aho

Apr 2, 2016, 4:45:16 AM
From Wikipedia: https://en.wikipedia.org/wiki/Denial-of-service_attack

Teardrop attacks
A teardrop attack involves sending mangled IP fragments with
overlapping, over-sized payloads to the target machine. This can crash
various operating systems because of a bug in their TCP/IP fragmentation
re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating
systems, as well as versions of Linux prior to versions 2.0.32 and
2.1.63 are vulnerable to this attack.

(Although in September 2009, a vulnerability in Windows Vista was
referred to as a "teardrop attack", this targeted SMB2 which is a higher
layer than the TCP packets that teardrop used).


The attacker is trying to find old machines/routers which are vulnerable
to the attack, or it's just a script kiddie who found an old script and now
wants to be a hacker.

--

//Aho
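
Added example, not part of J.O. Aho's post or the original thread: a Python sketch of the overlap check implied by the quoted definition, grouping IPv4 fragments by source, destination, protocol and IP ID and flagging any whose byte ranges intersect. The thread does not say how the router itself detects Teardrop; the helper names, addresses (documentation ranges) and packets below are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_fragment(pkt: bytes):
    """Return (key, start, end, more_fragments) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header lengths")
    start = (flags_off & 0x1FFF) * 8      # fragment offset is in 8-byte units
    end = start + (total_len - ihl)       # first byte past this fragment's payload
    key = (pkt[12:16], pkt[16:20], pkt[9], ident)  # src, dst, protocol, IP ID
    return key, start, end, bool(flags_off & 0x2000)

def find_overlaps(packets):
    """Return (key, earlier_range, overlapping_range) for each overlap seen."""
    seen = defaultdict(list)
    findings = []
    for pkt in packets:
        key, start, end, _more = parse_fragment(pkt)
        for s, e in seen[key]:
            if start < e and s < end:     # half-open byte ranges intersect
                findings.append((key, (s, e), (start, end)))
        seen[key].append((start, end))
    return findings

def make_fragment(ident, offset_bytes, payload_len, more, src, dst):
    """Constructed test input: 20-byte IPv4 header (checksum 0) + zero payload."""
    flags_off = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_off, 64, 17, 0, src, dst)
    return hdr + bytes(payload_len)

# Constructed samples, held in memory only.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
NORMAL = [make_fragment(1, 0, 24, True, SRC, DST),    # bytes 0-24
          make_fragment(1, 24, 16, False, SRC, DST)]  # bytes 24-40, contiguous
OVERLAP = [make_fragment(2, 0, 32, True, SRC, DST),   # bytes 0-32
           make_fragment(2, 24, 8, False, SRC, DST)]  # bytes 24-32, inside the first

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("overlap", OVERLAP)):
        print(name, find_overlaps(sample))
```

A reassembler that drops the whole datagram whenever `find_overlaps` reports anything cannot be confused by overlapping fragments.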

Carlos E.R.

Apr 2, 2016, 7:45:14 AM
You (Clark) could try to block that IP, as it seems to be coming from
one only.

--
Cheers, Carlos.

Johann Klammer

Apr 2, 2016, 2:18:35 PM
On 04/02/2016 05:04 AM, Clark Higgins wrote:
Do you know anyone in Japan?

```
$ whois 153.224.226.205
[ JPNIC database provides information regarding IP address and ASN. Its use ]
[ is restricted to network administration purposes. For further information, ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output, ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

Network Information:
a. [Network Number] 153.224.128.0/17
b. [Network Name] OCN
g. [Organization] Open Computer Network
m. [Administrative Contact] JP00009614
n. [Technical Contact] JP00009427
p. [Nameserver] ns-kg001.ocn.ad.jp
p. [Nameserver] ns-kn001.ocn.ad.jp
[Assigned Date] 2014/09/04
[Return Date]
[Last Update] 2014/09/04 15:11:04(JST)

Less Specific Info.
----------
NTT COMMUNICATIONS CORPORATION
[Allocation] 153.128.0.0-153.253.255.255

More Specific Info.
----------
No match!!
```

Adrian Caspersz

Apr 2, 2016, 2:58:16 PM
The fact that your router is reporting it means that your router's
firewall is working. So no real panic.

However, if it still is going on, probably easiest to acquire a
different IP address from your ISP connection. This may be as simple as
restarting your router, but obviously if you have a static / sticky
address then this won't apply.

--
Adrian C