Bugtraq mailing list archives
ipx storm
From: sq5bpf () ROCK ANDRA COM PL (Jacek Lipkowski)
Date: Fri, 2 Jun 2000 18:30:13 +0200
Hello, The IPX protocol has samething called IPX ping. Sending a packet to socket 0x456 to anything supporting ipx causes a response to be sent back. If you send a packet with source and destination addresses set to the ethernet broadcast address and source and destination socket set to 0x456 everything supporting ipx sends a reply to the broadcast address (and after that they start talking to each other). The storm ends when all ipx stacks die off (it can last a few minutes on a small network up to probably an half hour on a large network). You can also set the source and destination networks to have a broadcast storm between them (probably a killer on large corporate WANs :) - but remember to set the destination address to the router of the destination network. This is really an old school DoS (kind of like sending udp packets with the source=destination=ip broadcast address and setting the ports to echo or chargen), only applied to ipx, so it should have been fixed by now. I've attached some code i used to test this under linux (it can only spoof 802.2 and 802.3 packets, add other types if you wish). It's best to set all addresses to broadcast and ipx networks to 0 (local ipx network) for starters and fire off tcpdump to see the fun begin. I don't know about the platforms affected - windows 9x seems to be vulnerable, nt doesn't, probably dos clients running netx or vlm should be affected as well (not tested). If you find another vulnerable platform i would like to know. Please use the attached program at your own risk, and don't hold me or my employer (Andra Sp. z o.o.) liable to any damages. Jacek Lipkowski ps. I know nothing about ipx over ip in the new netware, so someone please check if this can be used this way? ps2. the program is badly written -- i'm aware of that :) ----------------------------------------------------------------- Andra Network Integrator ul. Wynalazek 6 02-677 Warsaw Poland mailto: office () andra com pl <HR NOSHADE> <UL> <LI>TEXT/PLAIN attachment: ipxstorm.c </UL>
Current thread:
- Re: IBM HTTP SERVER / APACHE typo () INFERNO TUSCULUM EDU (Jun 01)
- <Possible follow-ups>
- Re: IBM HTTP SERVER / APACHE H D Moore (Jun 01)
- Re: IBM HTTP SERVER / APACHE Luke Harless (Jun 01)
- Security Administration comes to LISA 2000 Cat Okita (Jun 01)
- Remote DoS attack in RealServer: USSR-2000043 David Cotter (Jun 01)
- ipx storm Jacek Lipkowski (Jun 02)
- Microsoft Security Bulletin (MS00-032) Microsoft Product Security (Jun 02)
- Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Ussr Labs (Aug 02)
- Piranha password file frostman () SECUREACCESS INTRANETS COM (Jun 02)
- Re: Piranha password file arkth (Jun 08)
- Re: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Alfred Perlstein (Jun 02)
- New Allaire Security Zone Bulletins Aleph One (Jun 08)
- Re: IBM HTTP SERVER / APACHE . Hecix (Jun 02)
- Re: IBM HTTP SERVER / APACHE Marc Slemko (Jun 03)