Help me understand a teardrop attack?

I am doing a cyber security project for college on a Wireshark pcap file which has an example of a teardrop attack. Can someone help me understand what I'm looking at so I can understand exactly what is happening in this attack?

Here is the link to the pcap file to look at if you want to see:

There is a line in frame 8 that says reassembled in frame 9.

In frame 9 here's the info that is pertinent:

Frame Number: 9

Frame Length: 38 bytes (304 bits)

Capture Length: 38 bytes (304 bits)

Total Length: 24

Fragment offset: 24

Protocol: UDP (17)

[2 IPv4 Fragments (28 bytes): #8(36), #9(4)]

Length: 36 (bogus, payload length 28)

[Expert Info (Error/Malformed): Bad length value 36 > IP payload length]

[Checksum: [missing]]

[Checksum Status: Not present]

[Stream index: 1]


Data (20 bytes)

2 Answers

  • BigE
    Lv 7
    1 month ago

    So packet 9 says the UDP data length is 36 but the UDP data is only 28 bytes, so it points past the valid data.

    So the teardrop is a DoS attack, but only to older OSs like Windows 95 and NT. Most OSs will just notice the mismatch and drop the packet as corrupt.

  • wowser
    Lv 5
    1 month ago

    You are looking at a series of packet fragments that the target machine tries to reassemble, and it can't because the sizes and offsets are incorrect and overlap. Look at those portions of the packets.

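An added example (not from the question or either answer) that checks a fragment set like frames 8 and 9 for the inconsistencies both answers describe: an offset that overlaps earlier data, a final fragment ending inside the previous one (which gives a naive reassembler a negative length), and a UDP length larger than the reassembled payload. Frame 8's offset of 0 and the MF flag values are assumed from the Wireshark summary `#8(36), #9(4)`; they are not shown on the page.

```python
"""Teardrop-style IPv4 fragment consistency check.

Constructed example modelled on frames 8 and 9 from the question.
Frame 8 at offset 0 with MF set is an assumption; the page only shows
that it carried 36 bytes.
"""
from dataclasses import dataclass


@dataclass
class Fragment:
    frame: int           # capture frame number, for reporting only
    offset: int          # fragment offset in bytes (Wireshark shows bytes; wire units are 8 bytes)
    length: int          # bytes of IP payload carried by this fragment
    more_fragments: bool  # MF flag; clear on the last fragment


def check_fragments(frags, udp_length=None):
    """Return a list of findings; an empty list means the fragments reassemble cleanly."""
    findings = []
    frags = sorted(frags, key=lambda f: f.offset)
    covered = 0  # end of the data reassembled so far
    for f in frags:
        end = f.offset + f.length
        if f.offset < covered:
            findings.append(f"frame {f.frame}: offset {f.offset} overlaps earlier data up to {covered}")
            # A reassembler that trims the new fragment to start at `covered`
            # computes its length as end - covered; here that goes negative.
            if end < covered:
                findings.append(f"frame {f.frame}: trimmed length would be {end - covered} (negative)")
        covered = max(covered, end)
    tails = [f for f in frags if not f.more_fragments]
    if len(tails) != 1:
        findings.append(f"{len(tails)} fragments have MF clear; expected exactly one")
        return findings
    total = tails[0].offset + tails[0].length  # datagram length claimed by the last fragment
    if total < covered:
        findings.append(f"datagram ends at {total} but fragment data extends to {covered}")
    if udp_length is not None and udp_length > total:
        findings.append(f"UDP length {udp_length} > reassembled payload {total}")
    return findings


if __name__ == "__main__":
    teardrop = [Fragment(8, 0, 36, True), Fragment(9, 24, 4, False)]
    for line in check_fragments(teardrop, udp_length=36):
        print(line)
```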