Teardrop Attack (summer 1997)
- uses a bug in the implementation of IP packet fragmentation
- send 2 specially fragmented IP datagrams (overlapping fragments)
  - the first: 0 offset fragment with the payload of size N; MF bit on
  - the second: positive offset < N and a payload less than N; MF = 0
- the offset is shorter than the previous fragment; the reassembly procedure creates a negative number, which the system treats as a very large positive number
- Linux, Win95, WinNT will crash because the copy operation overwrites the memory
- variants: bonk (affects port 53), newtear (UDP-based)
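The length arithmetic described above, next to a checked version, as an added example (not code from any of the affected systems). The struct, the function names and the sample offsets are hypothetical, and offsets and lengths are assumed to stay within the 16-bit IP length range.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified fragment model (hypothetical struct, byte units). */
struct frag {
    int offset;           /* where the payload starts in the datagram */
    int len;              /* payload length */
    const uint8_t *data;  /* payload bytes */
};

/* Flawed arithmetic: skip bytes already covered by the previous fragment,
 * then compute what is left to copy without checking the sign. */
int copy_len_unchecked(const struct frag *prev, const struct frag *cur)
{
    int prev_end = prev->offset + prev->len;
    int cur_end = cur->offset + cur->len;
    int start = cur->offset < prev_end ? prev_end : cur->offset;
    return cur_end - start;   /* negative when cur ends before prev_end */
}

/* The copy routine takes an unsigned size, so a negative int becomes huge. */
size_t as_copy_size(int len) { return (size_t)len; }

/* Hardened step: validate before copying. Returns bytes copied, or -1 if
 * the fragment is rejected. */
int reassemble_checked(uint8_t *buf, size_t buflen,
                       const struct frag *prev, const struct frag *cur)
{
    if (cur->offset < 0 || cur->len < 0 || prev->offset < 0 || prev->len < 0)
        return -1;
    int len = copy_len_unchecked(prev, cur);
    if (len < 0)
        return -1;            /* fragment ends inside the previous one */
    int start = cur->offset + cur->len - len;
    if ((size_t)start + (size_t)len > buflen)
        return -1;            /* would write past the reassembly buffer */
    memcpy(buf + start, cur->data + (start - cur->offset), (size_t)len);
    return len;
}

int main(void)
{
    uint8_t a[64] = {0}, b[16] = {0}, buf[128];
    struct frag first = {0, 64, a}, second = {24, 16, b}; /* constructed */
    int len = copy_len_unchecked(&first, &second);
    printf("len=%d as size_t=%zu checked=%d\n", len, as_copy_size(len),
           reassemble_checked(buf, sizeof buf, &first, &second));
}
```

The checked version rejects a second fragment that ends inside the first, and still accepts a partial overlap by copying only the bytes that extend past the first fragment.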