Under some versions of Internet Security Systems RealSecure Network Intrusion Detection software it is possible for attackers to launch a series of IP Fragment based denial of service (DoS) attacks without the software detecting them as it should. This is due to the software relying on packet signatures which if slightly changed will not be flagged as attacks. The attack in question is the Teardrop DoS and modifications thereof. In particular the SynDrop, NewTear and Targa attacks. The Teardrop denial of service attack exploits a flaw inherent to multiple vendor TCP/IP stacks. This problem is related to how the TCP/IP stack handle reassembly of fragmented IP packets. This attack can be delivered by sending 2 or more specially fragmented IP datagrams. The first is the 0 offset fragment with a payload of size N, with the MF bit on (data content is irrelevant). The second is the last fragment (MF == 0) with a positive offset < N and with a payload of < N. This results in the TCP/IP...
Under some versions of Internet Security Systems RealSecure Network Intrusion Detection software it is possible for attackers to launch a series of IP Fragment based denial of service (DoS) attacks without the software detecting them as it should. This is due to the software relying on packet signatures which if slightly changed will not be flagged as attacks. The attack in question is the Teardrop DoS and modifications thereof. In particular the SynDrop, NewTear and Targa attacks. The Teardrop denial of service attack exploits a flaw inherent to multiple vendor TCP/IP stacks. This problem is related to how the TCP/IP stack handle reassembly of fragmented IP packets. This attack can be delivered by sending 2 or more specially fragmented IP datagrams. The first is the 0 offset fragment with a payload of size N, with the MF bit on (data content is irrelevant). The second is the last fragment (MF == 0) with a positive offset < N and with a payload of < N. This results in the TCP/IP stack allocating unusually large resources to reassembling the packet(s). Depending on the memory deployed on the target box this usually results in the system freezing due to insufficient memory or in some case causing the machine to reboot.
