Teardrop

The teardrop attack works with overlapping fragments. In this case, an initial fragment is followed by a further fragment that apparently belongs entirely inside the first packet, i.e. the end of the second fragment is before the end of the first. If the programmer of the IP stack took the easy option of calculating the number of bytes for re-assembly simply as “new end” - “old end”, the result is a negative value or, once it is interpreted as an unsigned length, a very large positive value. The copy operations that use this length then overwrite parts of the victim machine's memory, which leads to the computer crashing.

Here, too, the firewall has two options: either it performs re-assembly itself and, if necessary, drops the entire packet, or it keeps track of the minimum offset and maximum end of the packet and discards any fragments with an offset or end that falls within that range. The first case requires a correct implementation in the firewall so that it does not itself become a victim; in the second case, partially re-assembled packets are again collected by the victim.
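The following sketch is an added example, not LANCOM code: it shows the “new end” - “old end” shortcut producing a negative length that becomes a huge copy size, next to the second firewall option of tracking the minimum offset and maximum end. The names `naive_copy_len`, `as_copy_size`, `frag_track` and `frag_accept` are hypothetical, and the fragment values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The shortcut from the text: bytes to copy = "new end" - "old end". */
static int naive_copy_len(int old_end, int new_end) { return new_end - old_end; }

/* What a copy routine sees when that signed result is used as a size. */
static size_t as_copy_size(int len) { return (size_t)len; }

/* Hypothetical per-datagram state: byte range covered so far. */
struct frag_track { uint32_t min_off, max_end; int seen; };

/* Returns 1 to forward the fragment, 0 to discard it. */
static int frag_accept(struct frag_track *t, uint32_t off, uint32_t len)
{
    /* Reject empty fragments and anything past the 16-bit IPv4 length limit. */
    if (len == 0 || off > 65535u || len > 65535u - off)
        return 0;
    uint32_t end = off + len;
    if (!t->seen) {
        t->min_off = off; t->max_end = end; t->seen = 1;
        return 1;
    }
    /* Offset or end inside [min_off, max_end): overlapping fragment. */
    if (off < t->max_end && end > t->min_off)
        return 0;
    if (off < t->min_off) t->min_off = off;
    if (end > t->max_end) t->max_end = end;
    return 1;
}

int main(void)
{
    /* Constructed fragments: the second one ends before the first one does. */
    struct frag_track t = {0, 0, 0};
    int len = naive_copy_len(36, 28);
    printf("naive length: %d, as size: %zu\n", len, as_copy_size(len));
    printf("frag 0..36  -> %s\n", frag_accept(&t, 0, 36) ? "forward" : "drop");
    printf("frag 24..28 -> %s\n", frag_accept(&t, 24, 4) ? "forward" : "drop");
    printf("frag 36..52 -> %s\n", frag_accept(&t, 36, 16) ? "forward" : "drop");
    return 0;
}
```

Because only the outer bounds are tracked, a legitimate out-of-order fragment that fills a gap inside the range is discarded as well.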

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
