Tuesday, October 16, 2012

Denial of Service: Teardrop Attack



The Teardrop attack exploits a flaw in the way a system reassembles fragmented IP datagrams. When a datagram is larger than the maximum transmission unit (MTU) of a link it has to cross, IP breaks it into smaller fragments at the sender (or at a router along the path) and the destination system puts them back together. Say you need to send 4000 bytes of data from one system to another: not all 4000 bytes travel in one packet. The data is split into a number of fragments, each carrying a specified range of the original payload. For example, say the 4000 bytes are divided into three fragments, then:

The first fragment carries bytes 1 to 1500

The second fragment carries bytes 1501 to 3000

The third fragment carries bytes 3001 to 4000

Each fragment carries a Fragment Offset field in its IP header (not the TCP header: fragmentation happens at the IP layer, below TCP, and the fragments of one datagram share a single TCP or UDP header that sits in the first fragment). The offset gives the position of the fragment's data within the original datagram, counted in units of 8 bytes, and the fragment's length follows from the IP Total Length field. Together with the Identification field, which is the same in every fragment of one datagram, and the More Fragments flag, this lets the destination put the fragments back in the correct order. In a Teardrop attack, the attacker sends a series of fragments whose offsets and lengths overlap, so that a later fragment claims a byte range that an earlier one already covered. In the systems originally affected (Windows 95, Windows NT 4.0 and old Linux 2.0 kernels) the reassembly code tried to trim the overlap, computed a negative fragment length, and copied far too much data into the reassembly buffer, so the target crashed, hung or rebooted. Modern stacks bound the reassembly buffer and drop overlapping fragments, so the attack in this form only works against unpatched systems of that era.

Say for example, consider the following scenario:

Normally a system receives fragments whose offset ranges do not overlap:

    Fragment 1: bytes 1 to 1500
    Fragment 2: bytes 1501 to 3000
    Fragment 3: bytes 3001 to 4500

In a Teardrop attack, the fragments are sent to the target computer with overlapping ranges:

    Fragment 1: bytes 1 to 1500
    Fragment 2: bytes 1500 to 3000   (overlaps the last byte of fragment 1)
    Fragment 3: bytes 1001 to 3600   (overlaps both earlier fragments)

A vulnerable target that receives fragments like these tries to splice the overlapping ranges together. The case that actually crashed the affected systems is a later fragment that ends inside an earlier one: the overlap-trimming code subtracts more bytes than the fragment holds, ends up with a negative length, and overruns the reassembly buffer, so the system crashes, hangs or reboots.
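As an added example (not code from the original post), the following Python models IPv4 fragmentation and reassembly. build_fragment builds raw IPv4 fragments with the real header layout (Identification, More Fragments flag, 13-bit offset in 8-byte units), naive_trim models the overlap-trimming step that Teardrop abused and shows the negative length, and check_fragments is a hardened reassembler that rejects overlaps, gaps and a missing final fragment. The addresses, datagram IDs and fragment sizes are constructed values for illustration, not taken from any real exploit or kernel.

```python
"""IPv4 fragment reassembly and the Teardrop overlap check.

Added example for illustration; the packets are constructed, not captured."""
import socket
import struct

MF_FLAG = 0x2000      # "More Fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def ipv4_checksum(header):
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(ident, offset, more, payload, src="192.0.2.1", dst="192.0.2.2"):
    """Build one raw IPv4 fragment (protocol 17/UDP). `offset` is in bytes and
    must be a multiple of 8, because the header stores it in 8-byte units."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_off, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_fragment(packet):
    """Pull the reassembly-relevant fields out of a raw IPv4 fragment."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", packet[2:8])
    return {"id": ident,
            "offset": (flags_off & OFFSET_MASK) * 8,
            "more": bool(flags_off & MF_FLAG),
            "payload": packet[ihl:total_len]}


def naive_trim(prev_end, offset, length):
    """The 1990s-style reassembly step Teardrop abused: when a new fragment
    overlaps the previous one, drop the overlapping prefix. If the new fragment
    ends *inside* the previous one, `length` goes negative; kernels that then
    used it as an unsigned copy length overran the reassembly buffer."""
    if prev_end > offset:
        overlap = prev_end - offset
        offset += overlap
        length -= overlap
    return offset, length


def check_fragments(packets):
    """Hardened reassembly: returns (None, data) on success, or (reason, None)
    when the fragment set overlaps, has a gap, or never ends."""
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f["offset"])
    ident, expected, data = frags[0]["id"], 0, bytearray()
    for f in frags:
        if f["id"] != ident:
            return "fragments belong to different datagrams", None
        if f["offset"] < expected:
            return "overlapping fragment", None     # the Teardrop condition
        if f["offset"] > expected:
            return "gap between fragments", None
        data += f["payload"]
        expected += len(f["payload"])
    if frags[-1]["more"]:
        return "final fragment missing", None
    return None, bytes(data)


def demo():
    """Constructed 1024-byte datagram: a clean split and a Teardrop-style pair."""
    payload = bytes(range(256)) * 4
    good = [build_fragment(7, 0, True, payload[:512]),
            build_fragment(7, 512, False, payload[512:])]
    bad = [build_fragment(7, 0, True, payload[:512]),     # bytes 0..511
           build_fragment(7, 256, False, payload[256:])]  # bytes 256..1023, overlaps
    return {
        "good": check_fragments(good),
        "bad": check_fragments(bad)[0],
        # constructed sizes: 36-byte first fragment, 4-byte second fragment at offset 24
        "naive_length": naive_trim(36, 24, 4)[1],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The second fragment in naive_trim's constructed case ends at byte 28, inside the first fragment's 0..36, so trimming subtracts 12 from a 4-byte length and yields -8; a stack that feeds that into an unsigned copy reads far past the fragment. check_fragments avoids the arithmetic entirely by refusing any fragment whose offset is below the bytes already assembled.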
