Re: bubonic.c -- random TCP segment DoS tool

[Andrew Griffiths <griffiths_a () scholar don tased edu au>]

Richard and Amy Bejtlich wrote:

> Hello,

G'day!

> As if we didn't have enough trouble deciphering traffic, I noticed a DoS
> tool which appeared at http://www.antioffline.com/ today called bubonic.c.
> All it does it send pseudo-random TCP traffic, but it could be enough to
> confuse intrusion detectors.  Here's a snapshot of some of the traffic:

<snip>

> You can see a full log captured here:  http://www.antioffline.com/logged
>
> You may noticed certain recurring traffic characteristics, like the sequence
> numbers, window sizes, and urg pointers.

Changing this is trivial. These values are initalised once, when ran again,
they should change. (I can't remember how it sets it random numbers up). And
from memory, these values should change infrequently. Of course it would make
the traffic even more psuedo-random.

> Now, imagine the responses from a machine hit by this DoS attempt,
> especially if the source addresses are spoofed and third party effects hit
> an innocent bystander!
>
> I expand on the "third party effect" problem in a paper available at
> http://bejtlich.net and
> http://securityfocus.com/data/library/nid_3pe_v1.pdf.
>
> Enjoy,
>
> Richard