Full Disclosure mailing list archives
little proof-of-concept for remote traffic statistics using the IP ID field
From: Jann Horn <jann () thejh net>
Date: Fri, 24 May 2013 01:45:25 +0200
Hello,

I built a small C helper for remotely generating traffic statistics using the IP ID field. Well, hping3 does all the interesting stuff. This program will just, every five minutes, send 20 SYN packets in intervals of 100ms to port 80 of the target machine, then sum up the ID differences and output a line with the current unix time and the number of packets the remote machine seems to have sent during the two seconds of measuring.

Basically, this program samples a remote machine's packet sending rate using short bursts of SYNs. Only if the other machine uses one global incrementing IP ID counter, of course.

This is meant to be an educational tool, which is also why it just uses SYN packets, making this seem to the other side as if someone's stealth-scanning their port 80 over and over again. Not exactly the stealthiest way to do this, but sufficient for demonstration purposes.

Usage:
- install hping3 (or install hping2 and change hping3 in the source to hping2)
- compile
- run for some period of time (maybe 24h?) like this: ./rg <IP> > traffic_stats
- plot output using gnuplot or so (start gnuplot, then do plot "traffic_stats" using 1:2)

Well, not exactly rocket science and I'm pretty sure most people here already know the principle and could write something like this in a few minutes, but I thought I'd share it anyway. Probably useful for demonstrating why IP ID flags are something you might not want to be globally sequential unless you don't care about giving your traffic stats to the whole world. Because graphs are good at demonstrating stuff. :)

The code is attached and also at <http://git.thejh.net/?p=roguegraph.git;a=tree>.

I'm not responsible for whatever you do with this or whatever effects it has.
Attachment: rg.c
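The "sum up the ID differences" step described in the message above, as an added example for auditing a host you operate (this is not the attached rg.c): it takes IP ID values already read from a burst of replies, sums the differences with 16-bit wraparound, and classifies whether the IDs are consistent with one global incrementing counter. The sample bursts, the function names and the `max_step` threshold of 2000 are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum idgen { ID_CONSTANT, ID_GLOBAL_COUNTER, ID_NOT_SEQUENTIAL };

/* Constructed sample bursts (not real captures): IDs read from replies. */
static const uint16_t wrap_burst[] = { 65530, 65533, 65535, 3, 4, 10 };
static const uint16_t random_burst[] = { 0x1a2b, 0x9f01, 0x0042, 0xc3d4, 0x5511 };
static const uint16_t zero_burst[] = { 0, 0, 0, 0 };

/* Sum of consecutive ID differences. Casting each difference to uint16_t
 * reduces it mod 65536, so the 65535 -> 0 wrap still counts correctly. */
uint32_t id_delta_sum(const uint16_t *ids, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 1; i < n; i++)
        sum += (uint16_t)(ids[i] - ids[i - 1]);
    return sum;
}

/* All deltas zero: constant ID. All deltas in 1..max_step: consistent with
 * one shared incrementing counter, so id_delta_sum() tracks packets sent.
 * Anything else: not sequential. max_step is an assumed threshold. */
enum idgen classify_ids(const uint16_t *ids, size_t n, uint16_t max_step)
{
    size_t zero = 0, small = 0;
    for (size_t i = 1; i < n; i++) {
        uint16_t d = (uint16_t)(ids[i] - ids[i - 1]);
        if (d == 0)
            zero++;
        else if (d <= max_step)
            small++;
    }
    if (n < 2)
        return ID_NOT_SEQUENTIAL; /* too few samples to call it a counter */
    if (zero == n - 1)
        return ID_CONSTANT;
    return small == n - 1 ? ID_GLOBAL_COUNTER : ID_NOT_SEQUENTIAL;
}

int main(void)
{
    static const char *names[] = { "constant", "global counter", "not sequential" };
    printf("wrap: sum=%u verdict=%s\n", (unsigned)id_delta_sum(wrap_burst, 6),
           names[classify_ids(wrap_burst, 6, 2000)]);
    printf("random: %s, zero: %s\n", names[classify_ids(random_burst, 5, 2000)],
           names[classify_ids(zero_burst, 4, 2000)]);
    return 0;
}
```

A "global counter" verdict on your own server means the per-burst sum leaks its sending rate to anyone who can elicit replies; a "constant" or "not sequential" verdict means the sum carries no such signal.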