Wireshark packet analysis - Teardrop attack

This article is for packet-analysis study only!

1. Principle of teardrop attack

Teardrop is a denial-of-service attack against the IP layer, specifically against IP fragment reassembly. Unlike IP-layer attacks that rely on forged source addresses, it works by sending malformed packets: the attacker sends the target fragments of a single datagram whose offsets and lengths are chosen so that the fragments overlap, with a later fragment ending inside the data already delivered by an earlier one. A vulnerable reassembler trims the new fragment to start where the previous one ended and then computes a negative data length, which wraps to a huge unsigned value and corrupts kernel memory. The target cannot reassemble the datagram and instead crashes or reboots, so service stops.
[Figure: working principle of the Teardrop attack (picture from the network)]

**Attack hazards:** On affected operating systems such packets crash or reboot the system. On Windows the result is a blue screen of death with a STOP 0x0000000A error.
**Defense:** Patch or upgrade the operating system, and deploy a network security device that caches fragments, inspects them, and checks whether each fragment's offset and length are consistent with the fragments already seen, dropping datagrams whose fragments overlap.
**Affected systems:** Early Microsoft operating systems (Windows 95, 98, 3.x and NT). In more recent years the attack has also been reported to work against Android 2.x and iOS 6.0.

2. Data packet analysis

The packet comes from: https://wiki.wireshark.org/SampleCaptures, named teardrop.pcap

  1. Look at frame 8. In the IP Flags field, MF (More Fragments) is 1, meaning this is not the last fragment. Fragment Offset gives the position of this fragment's data in the original datagram; here it is 0, so this is the first fragment. Further down, the Data size is 36 bytes, which is the 70-byte frame length minus the 14-byte Ethernet header minus the 20-byte IP header (these are bytes, not bits, and 70 is this frame's length, not the Ethernet MTU).

  2. Look at frame 9. Its Fragment Offset has been made smaller than the end of frame 8's data, so the data carried by frame 9 falls inside the 36 bytes already delivered by frame 8. The two fragments overlap instead of fitting end to end, so a vulnerable stack cannot reassemble them correctly.

If the target system cannot reassemble the datagram, the fault in its reassembly code crashes the system and service stops.
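The defense described above (check whether each fragment's offset and length agree with the fragments already seen) and the two-frame inspection just walked through can be expressed as a small parser plus an overlap check. The following is an added example, not code from the original article or from the Wireshark sample capture. It constructs two Ethernet/IPv4 frames in memory to match the values described for frame 8 (MF=1, offset 0, 36 data bytes, 70-byte frame); for the second fragment it assumes the values of the classic teardrop exploit (offset 3 units = 24 bytes, 4 data bytes, MF=0), since the article only says the offset is "smaller". MAC addresses, IP addresses, the IP ID and the UDP ports are made up.

```python
"""Parse IPv4 fragments and flag overlapping / teardrop-style fragment pairs.

Added example. Frames below are CONSTRUCTED to match the field values the
article describes for teardrop.pcap frames 8 and 9; the second fragment's
offset/length are assumed from the classic teardrop exploit. Addresses, IP ID
and ports are hypothetical.
"""
import struct
from dataclasses import dataclass

IP_MF = 0x2000            # "More Fragments" bit in the flags/fragment-offset field
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    proto: int
    mf: bool
    offset: int           # first byte this fragment covers in the reassembled datagram
    end: int              # one past the last byte it covers
    payload: bytes


def build_frame(ident, flags_off, payload, src="192.168.1.2", dst="192.168.1.1", proto=17):
    """Ethernet + minimal IPv4 header (no options) + payload. Checksum left 0, MACs zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + payload


def parse_frame(frame):
    """Strip the 14-byte Ethernet header, then decode the IPv4 header into a Fragment."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    pkt = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    offset = (flags_off & 0x1FFF) * 8        # Fragment Offset is in 8-byte units
    payload = pkt[ihl:total_len]
    return Fragment(".".join(map(str, src)), ".".join(map(str, dst)), ident, proto,
                    bool(flags_off & IP_MF), offset, offset + len(payload), payload)


def check_fragments(frags):
    """Mimic the bookkeeping of a 1990s reassembler: a new fragment that starts inside the
    previous one is trimmed to begin at prev.end. The teardrop fault is that trimmed length
    (end - prev.end) going negative when the new fragment also ENDS inside the previous one.
    Returns a list of finding strings; an empty list means the fragments fit cleanly."""
    findings = []
    prev = None
    for f in frags:
        if prev is not None and f.offset < prev.end:
            trimmed_len = f.end - prev.end
            if trimmed_len < 0:
                findings.append(f"teardrop: fragment [{f.offset},{f.end}) lies inside previous "
                                f"fragment ending at {prev.end}; trimmed length would be {trimmed_len}")
            else:
                findings.append(f"overlap: fragment [{f.offset},{f.end}) overlaps previous "
                                f"fragment ending at {prev.end}")
        if prev is None or f.end > prev.end:
            prev = f
    return findings


def analyze(frames):
    """Group fragments by (src, dst, IP ID, protocol) and report datagrams with findings."""
    groups = {}
    for fr in frames:
        f = parse_frame(fr)
        groups.setdefault((f.src, f.dst, f.ident, f.proto), []).append(f)
    report = {}
    for key, frags in groups.items():
        findings = check_fragments(frags)
        if findings:
            report[key] = findings
    return report


# Constructed frames: 8-byte UDP header (sport, dport, length, checksum) + 28 bytes of padding.
UDP_HDR = struct.pack("!HHHH", 1234, 7, 8 + 28, 0)
TEARDROP_FRAMES = [
    build_frame(0x1234, IP_MF | 0, UDP_HDR + bytes(28)),  # MF=1, offset 0, 36 data bytes: 70-byte frame
    build_frame(0x1234, 3, bytes(4)),                      # MF=0, offset 3*8=24, 4 data bytes: ends at 28 < 36
]
# Constructed benign pair: the second fragment starts exactly where the first ends.
BENIGN_FRAMES = [
    build_frame(0x5678, IP_MF | 0, bytes(40)),
    build_frame(0x5678, 5, bytes(8)),
]

if __name__ == "__main__":
    for key, findings in analyze(TEARDROP_FRAMES + BENIGN_FRAMES).items():
        print(key, findings)
```

The check runs in arrival order, as the original reassemblers did, which is exactly why the condition is "ends before the previous fragment ends" rather than a generic overlap test: a plain overlap only wastes a copy, while a negative trimmed length is what corrupted memory. A fragment-aware firewall would drop the whole datagram on either finding.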


Source: blog.csdn.net/Zhou_ZiZi/article/details/126474551