Security Incidents mailing list archives
Re: bubonic.c -- random TCP segment DoS tool
From: Andrew Griffiths <griffiths_a () scholar don tased edu au>
Date: Tue, 29 Aug 2000 13:02:15 +1100
Richard and Amy Bejtlich wrote:
Hello,
G'day!
As if we didn't have enough trouble deciphering traffic, I noticed a DoS tool which appeared at http://www.antioffline.com/ today called bubonic.c. All it does is send pseudo-random TCP traffic, but it could be enough to confuse intrusion detectors. Here's a snapshot of some of the traffic:
<snip>
You can see a full log captured here: http://www.antioffline.com/logged
You may notice certain recurring traffic characteristics, like the sequence numbers, window sizes, and urg pointers.
Changing this is trivial. These values are initialised once; when run again, they should change. (I can't remember how it sets its random numbers up.) And from memory, these values should change infrequently. Of course it would make the traffic even more pseudo-random.
Now, imagine the responses from a machine hit by this DoS attempt, especially if the source addresses are spoofed and third party effects hit an innocent bystander! I expand on the "third party effect" problem in a paper available at http://bejtlich.net and http://securityfocus.com/data/library/nid_3pe_v1.pdf.
Enjoy,
Richard
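One way to check a capture for the recurring sequence numbers, window sizes and urgent pointers discussed in this thread, as an added example that is not part of the original posts or of the tool. The tcpdump-style line layout, the sample lines, the function names and the thresholds are all assumptions made for illustration; because the values are said to change between runs, the check looks for any value that repeats across many claimed sources rather than for fixed constants.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a tcpdump-style text layout (an assumption; not the page's log).
# Six segments with varied sources/flags but identical seq/win/urg, then five ordinary SYNs.
SAMPLE = "\n".join(
    [f"13:02:15.{i:03d} 198.51.100.{i}.{1000 + i} > 192.0.2.10.{20 + i}: {fl} "
     f"305419896:305419896(0) win 4660 urg 22136"
     for i, fl in enumerate(["S", "FP", "R", "SF", "P", "SR"], 1)]
    + [f"13:02:16.{i:03d} 203.0.113.{i}.{40000 + i} > 192.0.2.20.80: S "
       f"{1000003 * i}:{1000003 * i}(0) win {8192 * i}"
       for i in range(1, 6)]
)

LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"(?P<flags>\S+) (?P<seq>\d+):\d+\(\d+\).*?win (?P<win>\d+)(?: urg (?P<urg>\d+))?"
)

def parse(text):
    """Return one dict of header fields per line that matches the assumed layout."""
    return [m.groupdict() for m in map(LINE.search, text.splitlines()) if m]

def recurring_fields(packets, min_packets=5, min_share=0.8, min_src_ratio=0.5):
    """Per destination, report seq/win/urg values shared by most packets
    even though the packets claim many different source addresses."""
    by_dst = defaultdict(list)
    for p in packets:
        by_dst[p["dst"]].append(p)
    findings = {}
    for dst, pkts in by_dst.items():
        distinct_src = len({p["src"] for p in pkts})
        if len(pkts) < min_packets or distinct_src < min_src_ratio * len(pkts):
            continue  # too little data, or one real client talking to one server
        hits = {}
        for field in ("seq", "win", "urg"):
            value, count = Counter(p[field] for p in pkts).most_common(1)[0]
            if value is not None and count / len(pkts) >= min_share:
                hits[field] = value
        if hits:
            findings[dst] = hits
    return findings

if __name__ == "__main__":
    for dst, hits in recurring_fields(parse(SAMPLE)).items():
        print(dst, hits)
```
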
Current thread:
- bubonic.c -- random TCP segment DoS tool Richard and Amy Bejtlich (Aug 28)
- Re: bubonic.c -- random TCP segment DoS tool Andrew Griffiths (Aug 29)