Teardrop IP fragmentation overlap

Risk Level: High

Check or Attack Name: Teardrop

Platforms: Any
Description:

The attacker sends a series of fragmented IP datagram pairs to the target (how many depends on the operating system: Windows NT can take up to 50, while Linux crashes with one pair). The first fragment is sent with an offset of 0 (marking it as the first fragment of the datagram), the More Fragments flag set, and a payload of N bytes. The second fragment is sent with an offset that falls inside the first fragment's payload, but its own payload is zero or only a few bytes long, so it ends before the first fragment does and lies entirely within it. A reassembler that handles overlap by advancing the start of the new fragment to the end of the previous one, and then computes the fragment's length as end minus adjusted start, obtains a negative length; when that value is used as an unsigned copy size, the kernel copies far beyond the reassembly buffer. Affected machines crash or reboot.
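Added example (not part of the X-Force entry): a small C model of the fragment handling described above. It builds the two IPv4 fragment headers that the public teardrop exploit sends (first fragment at offset 0 with a 36-byte UDP payload and MF set; second fragment at offset 24 with a 4-byte payload), parses offset, payload length and MF back out of the header bytes, and runs the pair through an overlap step modelled on the Linux 2.0 reassembler beside a hardened version that drops a fragment wholly contained in an earlier one. The struct, function names and the IP identification value are this example's own, and the reassembler is a model of the behaviour, not the kernel source.

```c
/* Model of the Teardrop fragment-overlap bug: build the two fragments,
 * parse them as a receiver would, and compare a vulnerable overlap step
 * with a hardened one. Example code; sizes follow the public teardrop.c. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

struct frag {
    uint16_t offset;   /* byte offset of payload within the datagram */
    uint16_t len;      /* payload length in bytes */
    int      more;     /* More Fragments flag */
};

/* Build a minimal 20-byte IPv4 header (no options, no checksum/addresses). */
void build_ipv4_frag(uint8_t hdr[20], uint16_t total_len, uint16_t id,
                     uint16_t frag_off_bytes, int more_fragments)
{
    /* fragment offset is carried in 8-byte units; MF is bit 0x2000 */
    uint16_t off_field = (uint16_t)((frag_off_bytes / 8) | (more_fragments ? 0x2000 : 0));
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                         /* version 4, IHL 5 */
    hdr[2] = (uint8_t)(total_len >> 8);
    hdr[3] = (uint8_t)(total_len & 0xff);
    hdr[4] = (uint8_t)(id >> 8);
    hdr[5] = (uint8_t)(id & 0xff);
    hdr[6] = (uint8_t)(off_field >> 8);
    hdr[7] = (uint8_t)(off_field & 0xff);
    hdr[8] = 64;                           /* TTL */
    hdr[9] = 17;                           /* protocol: UDP */
}

/* Recover offset (bytes), payload length and MF from a header. */
struct frag parse_frag(const uint8_t hdr[20])
{
    struct frag f;
    uint16_t total_len = (uint16_t)((hdr[2] << 8) | hdr[3]);
    uint16_t off_field = (uint16_t)((hdr[6] << 8) | hdr[7]);
    f.offset = (uint16_t)((off_field & 0x1fff) * 8);
    f.len    = (uint16_t)(total_len - (hdr[0] & 0x0f) * 4);
    f.more   = (off_field & 0x2000) != 0;
    return f;
}

/* Vulnerable overlap handling, modelled on Linux 2.0 ip_fragment.c:
 * trim the overlap by advancing the new fragment's start, then take
 * end - start as the copy length. Returns that length as a signed int;
 * a negative result is what became a huge size_t in the kernel's memcpy. */
int vuln_copy_len(const struct frag *prev, const struct frag *cur)
{
    int offset   = cur->offset;
    int end      = cur->offset + cur->len;
    int prev_end = prev->offset + prev->len;
    if (prev_end > offset) {
        int i = prev_end - offset;   /* bytes already covered by prev */
        offset += i;                 /* no check that offset stays < end */
    }
    return end - offset;
}

/* Hardened version: a fragment that lies entirely inside an earlier one
 * contributes nothing and is dropped (copy length 0). */
int safe_copy_len(const struct frag *prev, const struct frag *cur)
{
    int offset   = cur->offset;
    int end      = cur->offset + cur->len;
    int prev_end = prev->offset + prev->len;
    if (prev_end > offset) {
        int i = prev_end - offset;
        if (i >= cur->len)
            return 0;                /* fully overlapped: nothing new */
        offset += i;
    }
    return end - offset;
}

/* Construct the teardrop pair and evaluate both reassemblers.
 * Returns 0 on success, -1 if the pair does not overlap. */
int teardrop_demo(int *vuln_len, int *safe_len)
{
    uint8_t h1[20], h2[20];
    struct frag f1, f2;
    /* constructed fragments: 20-byte IP header + 8 UDP + 28 padding, MF set;
       then 20-byte IP header + 4 bytes at offset 24, MF clear */
    build_ipv4_frag(h1, 20 + 8 + 28, 242, 0, 1);
    build_ipv4_frag(h2, 20 + 4, 242, 24, 0);
    f1 = parse_frag(h1);
    f2 = parse_frag(h2);
    if (f2.offset >= f1.offset + f1.len)
        return -1;
    *vuln_len = vuln_copy_len(&f1, &f2);
    *safe_len = safe_copy_len(&f1, &f2);
    return 0;
}

int main(void)
{
    int v = 0, s = 0;
    if (teardrop_demo(&v, &s) != 0)
        return 1;
    printf("vulnerable copy length: %d (as size_t: %zu)\n", v, (size_t)v);
    printf("hardened copy length:   %d\n", s);
    return 0;
}
```

The second fragment spans bytes 24..28 of the datagram while the first already covers 0..36, so the vulnerable step advances the start to 36 and computes 28 - 36 = -8; cast to the unsigned size a memcpy expects, that is a copy of nearly the whole address space, which is the crash the description refers to.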

Remedy:

Apply the vendor patches referenced below. Until hosts are patched, filtering fragmented IP traffic at the perimeter, or reassembling it on a device that rejects overlapping fragments, limits exposure.

References:

CERT Advisory CA-97.28, IP Denial-of-Service Attacks, http://www.cert.org/ftp/cert_advisories/CA-97.28.Teardrop_Land

SCO Security Bulletin 98:01, IP-based Denial of Service Attacks, ftp://ftp.sco.com/SSE/security_bulletins/SB.98:01a

CERT Advisory CA-98.13, TCP Denial of Service, http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html
