“Teardrop”, “NewTear”, “Bonk”, “Boink”, “Ping of Death”
Goal is to severely impair or disable a host or its IP stack
Use packet fragmentation and reassembly vulnerabilities
Require that a host IP stack be able to receive a packet from an attacker
- The “Teardrop” attack affects mostly Linux and Win95/NT hosts (among others). It sends a 2-fragment IP packet, with one fragment too small. This causes IP stacks to overwrite a large amount of memory and crash.
- The “Bonk” and “Boink” attacks reverse the “Teardrop” attack in that they set a fragment offset larger than the packet size. These exploits affect Windows machines. “Bonk” attacks only port 53 on these machines, which isn’t always open. “Boink” was released to send the attack packets to a range of ports, making the attack more usable.
- The “NewTear” attack affects Windows machines as well. It is simply a modified version of “Teardrop” which changes padding length and increases the UDP header length field to twice the size of the packet.
- The “Ping of Death” attack affects many IP stacks, sending a fragmented packet which, when reassembled, is larger than 65536 bytes. An IP stack that does not protect against the attack then overwrites the buffer used to reassemble the packet.
- Attacked Windows machines normally experience the “blue screen” with error messages in kernel or network drivers. Affected UNIX systems generally experience a kernel panic or no response to IP traffic.
- The “Teardrop” attack, as well as vendor information regarding vulnerability, is discussed in CERT advisory number CA-97.28, available at http://www.cert.org/pub/advisories/CA-97.28.Teardrop_Land.html
- The “Ping of Death” attack, as well as vendor information regarding vulnerability, is discussed in CERT advisory number CA-96.26, available at http://www.cert.org/pub/advisories/CA-96.26.ping.html
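
The checks whose absence these attacks rely on, as an added example (not code from this page or from any vendor's IP stack): before copying a fragment into the reassembly buffer, a stack can reject fragments that overlap ones already queued, as “Teardrop” fragments do, and fragments whose end would pass the 65535-byte limit of the 16-bit IP total length field, as in “Ping of Death”. The `struct frag` layout, the function name, the sample fragments and the drop-on-any-overlap policy are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u /* largest value of the 16-bit IP total length field */
enum frag_verdict { FRAG_OK, FRAG_BAD_LENGTH, FRAG_TOO_LARGE, FRAG_OVERLAP };

/* Hypothetical record of one fragment as a reassembly queue might keep it. */
struct frag {
    uint16_t offset_units; /* fragment offset field, counted in 8-byte units */
    uint16_t payload_len;  /* data bytes carried after the IP header */
    int more_fragments;    /* MF flag */
};

/* Validate fragment f against the n_seen fragments already queued, before
 * any copy into the reassembly buffer. Assumed policy: drop on any overlap. */
enum frag_verdict check_fragment(const struct frag *seen, size_t n_seen,
                                 const struct frag *f, uint32_t ip_header_len)
{
    uint32_t start = (uint32_t)f->offset_units * 8u;
    uint32_t end = start + f->payload_len; /* 32-bit math, cannot wrap */
    /* Non-final fragments must carry a non-zero multiple of 8 bytes. */
    if (f->payload_len == 0 || (f->more_fragments && f->payload_len % 8u != 0))
        return FRAG_BAD_LENGTH;
    /* Reassembled datagram would exceed what the length field can describe. */
    if (ip_header_len + end > IP_MAX_DATAGRAM)
        return FRAG_TOO_LARGE;
    /* Overlap: a copy length derived from the gap between fragments could
     * go negative, so refuse instead of trimming. */
    for (size_t i = 0; i < n_seen; i++) {
        uint32_t s = (uint32_t)seen[i].offset_units * 8u;
        uint32_t e = s + seen[i].payload_len;
        if (start < e && s < end)
            return FRAG_OVERLAP;
    }
    return FRAG_OK;
}

/* Constructed sample fragments (not captured traffic). */
static const struct frag SAMPLE_FIRST  = { 0, 32, 1 };      /* bytes 0..31 */
static const struct frag SAMPLE_NEXT   = { 4, 16, 0 };      /* bytes 32..47 */
static const struct frag SAMPLE_INSIDE = { 3, 4, 0 };       /* bytes 24..27 */
static const struct frag SAMPLE_HUGE   = { 8189, 1000, 0 }; /* ends past 65535 */

int main(void)
{
    printf("next=%d inside=%d huge=%d\n",
           (int)check_fragment(&SAMPLE_FIRST, 1, &SAMPLE_NEXT, 20),
           (int)check_fragment(&SAMPLE_FIRST, 1, &SAMPLE_INSIDE, 20),
           (int)check_fragment(&SAMPLE_FIRST, 1, &SAMPLE_HUGE, 20));
    return 0;
}
```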