Help me understand a teardrop attack?

I am doing a cyber security project for college on a wireshark pcap file which has an example of a teardrop attack. Can someone help me understand what Im looking at so I can understand exactly what is happening in this attack

here is the link to the pcap file to look at if you want to see:

There is a line in frame 8 that says reassembled in frame 9.

In frame 9 heres the info that is pertinent:

Frame Number: 9

Frame Length: 38 bytes (304 bits)

Capture Length: 38 bytes (304 bits)

Total Length: 24

Fragment offset: 24

Protocol: UDP (17)

[2 IPv4 Fragments (28 bytes): #8(36), #9(4)]

Length: 36 (bogus, payload length 28)

[Expert Info (Error/Malformed): Bad length value 36 > IP payload length]

[Checksum: [missing]]

[Checksum Status: Not present]

[Stream index: 1]


Data (20 bytes)

2 Answers

  • BigE
    Lv 7
    8 months ago

    So packet 9 says the UDP data llength is 36 but the UDP data is only 28 bytes, so it points past the valid data.

    So the teardrop is a DOS attack, but only to older OSs like Windows 95 and NT.  Most OSs will just notice the mismatch and drop the packet as corrupt.

  • wowser
    Lv 5
    8 months ago

    You are looking at a series of packet fragments that the target machine tries for reassemble and it can't because the size and offsets are incorrect and overlap.  look at those portions of the packets

Still have questions? Get answers by asking now.