Denial of Service Attacks (5)

• Teardrop Attack (summer 1997 )

  • use a bug in the implementation of IP packet fragmentation
    • send 2 specially fragmented IP datagrams
    • the first: 0 offset fragment with the payload of size N; MF bit on
    • the second: positive offset <N and a payload less than N;MF=0
    • the offset is shorter then previous fragment; reassembly procedure creates negative number, which is treated by system as s very large positive number
  • Linux, Win95, WinNT will crash because the copy operation overwrites the memory
  • variants : bonk (affects port 53), newtear (UDP-based)

• Teardrop Attack defense

  • vendor patches

Previous slide

Next slide

Back to first slide

View graphic version