Re: Smurf ,land attacks

[Donnie Tognazzini <don_tog () yahoo com>]

If you want full control of network read/writes use
libnet/libpcap.. have a look at tcpdump.org.. 

Using libnet/libpcap you can write directly to the
wire.

--- Paulo Abrantes <ghostrider () box sk> wrote:
> Hello Vik,
>
> What the attacker does is not allowing the Kernel to
> fill in the IP datagram 
> from the packet he's spoofing, and filling it by
> himself/herself. 
> How can (s)he do that? 
> Well, the best way I know, and probably is the way
> that land.c (that you mention) 
> uses (I do do not know the source of that program)
> is creating a RAW socket. 
> Then using a function called setsocketop() enabling
> the option IP_HDRINCL which 
> allows you to include your own IP Header. This way
> it's you that create the all
> the IPheader including  IP Source Address.
>
> For further information give a look at raw(7) man
> page.
>
> Regards, 
>
> P. Abrantes 
>
> On Sat, 9 Nov 2002 13:10:11 -0700
> "Vik Evans" <vevans () packeteye phxcoxmail com> wrote:
>
> > My question is this: how does an attacker
> accomplish modifying a packet and
> > sending it; such as in a land.c attack - how does
> he modify the packet to
> > reflect the victim's source and destination IP and
> then send it onto the
> > wire?
> >
> > -----Original Message-----
> > From: Fuchs Bernhard
> [mailto:Bernhard.Fuchs () itellium com]
> > Sent: Tuesday, November 05, 2002 5:58 AM
> > To: 'vijay vikram shreenivos';
> security-basics () securityfocus com
> > Subject: AW: Smurf ,land attacks
> >
> >
> > Hi there!
> >
> > with "IP spoofing" you give a different source
> address to the packet. the
> > address is different to your real address. You do
> this for cloaking your
> > scan or if company A scans company B and spoofes
> the address of company c.
> > so company b thinks it is company c scanning them!
> o.k.? but company a will
> > not get any results back! this is mostly to cloak
> your own scan.
> > Smurf is a DoS-Attack (denial of service)
> > You Amplifi your ping through a big network. You
> ping a subnet like
> > x.x.x.255 with an SPOOFED IP-Adress and every
> computer on that big net
> > responses to the poor little machine  that has the
> IP-Adress. Think of class
> > B subnet with a few hosts reply to a ADSL
> connected machine... 1500kb
> > download and 196 kb upload :-)
> >
> > land attack is a TCP SYN packet that has the ip
> address and port number for
> > the source set to the same as the ip address and
> port number for the
> > destination. the server connects to itself.
> >
> >
> > any comments?
> >
> > by the way, google knows it too :-)
> >
> > Mit freundlichen Grüßen/ sincerely yours
> >
> >
> > Bernhard Fuchs
> > Junior System-Engineer
> > IT-Infrastruktur
> >
> > ITELLIUM
> > Systems & Services GmbH
> > Fürther Straße 205
> > 90429 Nürnberg
> >
> > Tel.:   +49-911-14-27321
> > Fax:    +49-911-14-22016
> > mailto:bernhard.fuchs () itellium com
> > http://www.itellium.com
> >
> > This email is confidential. If you are not the
> intended recipient, you must
> > not disclose or use the information contained in
> it. If you have received
> > this mail in error, please tell us immediately by
> return email and delete
> > the document. E-mails to and from the company are
> monitored for operational
> > reasons and in accordance with lawful business
> practices. The contents of
> > this email are those of the individual and do not
> necessarily represent the
> > views of the company. The company accepts no
> responsibility once an e-mail
> > and any attachments is sent.
> >
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: vijay vikram shreenivos
> [mailto:karpagamekapali () rediffmail com]
> > Gesendet: Samstag, 2. November 2002 08:15
> > An: security-basics () securityfocus com
> > Betreff: Smurf ,land attacks
> >
> >
> > Hi list,
> >
> >
> > Can someone give the EXACT differences btw
> >
> > SMURF
> > LAND
> > and IP soofing attacks.
> >
> > karpagamekapalidurgau
__________________________________________________________
> > Give your Company an email address like
> > ravi @ ravi-exports.com.  Sign up for Rediffmail
> Pro today!
> > Know more. http://www.rediffmailpro.com/signup/


__________________________________________________
Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site
http://webhosting.yahoo.com