Teardrop attack vs. the Fraggle attack

I have been comparing types of attack before I take the test at 2:00 today. One area I am a little confused on is the difference between the Teardrop and the Fraggle attack. Are they really pretty much the same thing?

Find more posts tagged with

Comments

veritas_libertas

This seems to have cleared up my confusion:

DoS Attack (DDOS,Ping Flood,Smurf,Fraggle,SYN Flood,Teardrop)

dorawe

Your link mentioned something called a 'sink hole', have you run across this in any of your training?

veritas_libertas

dorawe wrote: »

Your link mentioned something called a 'sink hole', have you run across this in any of your training?

The term sink hole? Not really. In my studies it was described as something else that I can't remember at this moment.

Met44

From context, a sink hole would also be known as a black hole route or a route to a null interface. I haven't heard the term "sink hole" used to describe this, but that's what they are getting at. The idea is that if there is a router (such as a router in the ISP's cloud) in front of a node being DDoSed, that router can re-route the problem traffic into a null interface, effectively preventing it from getting further into the network and causing further disruption.

As mentioned in your link, using a null route could also prevent legitimate traffic from getting where it is going, which wouldn't be good. A better approach would be to filter out just the particular streams of traffic that are problematic. For this situation, the only reason you would use a black hole route here is if the router was old and did not support firewall operations, and there was not a firewall around to do the job.

Bl8ckr0uter

Met44 wrote: »

From context, a sink hole would also be known as a black hole route or a route to a null interface. I haven't heard the term "sink hole" used to describe this, but that's what they are getting at. The idea is that if there is a router (such as a router in the ISP's cloud) in front of a node being DDoSed, that router can re-route the problem traffic into a null interface, effectively preventing it from getting further into the network and causing further disruption.

As mentioned in your link, using a null route could also prevent legitimate traffic from getting where it is going, which wouldn't be good. A better approach would be to filter out just the particular streams of traffic that are problematic. For this situation, the only reason you would use a black hole route here is if the router was old and did not support firewall operations, and there was not a firewall around to do the job.

We just had this exact issue last night. We had to put in an ACL on our transports due to a DOS attack against one of our clients that was generating 300k packets a second from that customer.

It actually got so bad the BGP stopped working on our clients router for a few minutes.

Paul Boz

They are completely different and unrelated attack methods.

Fraggle attacks are fundamentally the same as Smurf attacks (smurfing) in which you send a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. This attack is a resource exhaustion type of attack.

On the other hand, a Teardrop attack is a packet manipulation attack in which you overlap fragment offsets which, depending on the device, may crash the host. When the target machine attempts to re-assemble the fragmented packet (which is actually a series of crafted fragments) it can't process the packet due to the overlap and crashes. I advise that you read up a little on fragmentation to understand this further.

dynamik

You should also upgrade from Windows 95.