Executing resource exhaustion is generally done by occupying so much of the available resources of a service, application, or operating system that it is not available to process further data. Usually, this calls for flooding the target with a great deal of useless traffic so that it cannot respond to other, legitimate traffic.
Client OS: Available as C code and also in a Linux-specific version
Target OS: TCP/IP networks
Description: The DoS tool Papasmurf is a modification of the original Smurf attack, which gained great fame as a DoS tool and even spawned a class of hackers, “Smurfs.” These Smurfs are generally novice hackers who attempt to flood their targets into submission with ICMP ECHO_REQUEST (broadcast ping) packets. Papasmurf incorporates UDP traffic as well. In this sense, it is a merge of Smurf and the Fraggle DoS tool, which uses only UDP traffic and is based on Smurf.
The command structure looks like this:
#> ./smurf5 <srcIP> <broadcast file> [options]
Where the options are:

| Option | Meaning |
|---|---|
| -p | Comma-separated list of target ports. |
| -r | Use target ports randomly. |
| -R | Use target and source ports randomly. |
| -s | Specify the source port (use the number 0 for a random port, which is default). |
| -P | Protocol to use (ICMP, UDP, or both). |
| -S | Packet size in bytes (default is 64). |
| -f | File name containing the packet data (this is optional). |
| -n | Number of packets to send (use 0 for continuous, which is default). |
| -d | Delay between packets in milliseconds (default is 10,000). |
Papasmurf allows hackers to specify target hosts along with a list of target ports, the number of packets to send (specifying 0 causes continuous transmission), which protocols to use (ICMP, UDP, or both) and, optionally, a file whose contents are used as the packet data. The tool can also be configured to use randomly selected source and target ports. Further, the delay between successive packets can be set. This attack can be an effective way to achieve the DoS condition in which the target is flooded with traffic and becomes unusable by regular users.
It is becoming more common to find ICMP traffic blocked at firewalls as the risks associated with ICMP traffic become more widely recognized. In response, several programs have turned to flooding target networks with Internet Group Management Protocol (IGMP) traffic instead.
Client OS: Available as C code (tested on Linux)
Target OS: Windows 98/95/NT/2000
Description: Trash2 floods the target with ICMP and IGMP packets from spoofed source addresses. This tool has been known to create DoS conditions even when run from a dial-up connection. It is executed with the following command:
#> ./trash2 <target_IP> <# of packets>
When running this tool, the following lines are printed to the screen:
trash2.c – misteri0@unet [outlaw] Status: Connected....packets sent.
If the attack does not complete (for example, if the network connection is taken down while packets are being sent out), an error message will be shown. However, the status line does appear as shown even in instances when the target IP address doesn't exist.
Client OS: Available as C code (tested on Linux)
Target OS: TCP/IP networks
Description: As the name plainly states, Igmpofdeath.c uses IGMP messages to cause a DoS condition in the target. Igmpofdeath is based on Trash2 and incorporates the use of type 2 IGMP packets from the DoS tools Pimp and Pimp2. The command to execute this attack is:
#> ./igmpofdeath <target_IP> <# of packets>
We don't like to compare DoS tools with one another, but we have noticed that Igmpofdeath has been more effective than Trash2 when attacking Windows NT 4.0 machines with Service Pack 6 installed.
Client OS: Available as C code (tested on Linux)
Target OS: Windows 95/NT and Linux kernels
Description: Fawx sends oversized, fragmented type 8 IGMP packets. The cumulative effect of these large packet fragments is to cause the target to freeze (Windows targets) and/or to lag (Linux). When a target lags, so much of its processor has become occupied (in dealing with the DoS attack) that executing additional commands takes far longer than normal. The command to use Fawx is the following:
#> ./fawx <srcIP> <target_IP> <# of packets>
While it may be tempting to enter the largest number of packets you could, it is wise to resist this temptation. You want to send an amount of traffic that your systems can handle and that will be successful in causing a DoS condition. And really, you don't want to send more. The more traffic you send, the more likely that your activity can be tracked and captured.
Blocking ICMP and IGMP traffic at the firewall or border router helps defend against these attacks. Additionally, the network can be configured not to respond to ping requests from external hosts; this limits the exposure to ICMP-based DoS attacks.
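As an added example (not from the book or from any of the tools above), the following Python function looks at the same traffic from the monitoring side: it flags the packet shapes these tools produce, namely a packet aimed at the segment's broadcast address from outside (the Smurf/Papasmurf pattern), fragmented or oversized IGMP (the Fawx pattern), and many distinct source addresses hitting one host within a short window (the spoofed-source floods of Trash2 and Igmpofdeath). The packet summaries, the 192.0.2.0/24 segment and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")   # assumed protected segment (TEST-NET-1)
WINDOW = 1.0                       # seconds per counting bucket (assumed)
FLOOD_SOURCES = 10                 # distinct sources per target per window (assumed)
PLAIN_IGMP_MAX = 64                # IP header plus an IGMP message is far below this

# Constructed packet summaries (not a real capture):
# (time_s, src, dst, protocol, ip_total_length, fragmented)
SAMPLE = (
    [(0.0, "198.51.100.7", "192.0.2.255", "icmp", 64, False)]          # external host -> broadcast
    + [(0.1 + i * 0.01, f"203.0.113.{i}", "192.0.2.10", "igmp", 28, False)
       for i in range(1, 16)]                                          # 15 spoofed sources
    + [(0.5, "203.0.113.99", "192.0.2.10", "igmp", 1480, True)]         # fragmented, oversized IGMP
    + [(2.0, "192.0.2.20", "192.0.2.10", "icmp", 84, False),            # ordinary LAN ping
       (3.0, "192.0.2.20", "192.0.2.255", "icmp", 64, False)]           # LAN host pinging broadcast
)


def classify(packets, lan=LAN, window=WINDOW, flood_sources=FLOOD_SOURCES):
    """Return (rule, detail, target) alerts for the flood patterns described above."""
    alerts = []
    per_target = defaultdict(set)   # (dst, time bucket) -> distinct source addresses
    for t, src, dst, proto, length, frag in packets:
        s, d = ip_address(src), ip_address(dst)
        # Rule 1: ICMP/UDP to the segment's broadcast address from outside the segment
        # (a directed-broadcast amplifier request; an inside host pinging broadcast is normal)
        if proto in ("icmp", "udp") and d == lan.broadcast_address and s not in lan:
            alerts.append(("broadcast-amplification", src, dst))
        # Rule 2: IGMP messages are tiny and are never legitimately fragmented
        if proto == "igmp" and (frag or length > PLAIN_IGMP_MAX):
            alerts.append(("oversized-igmp", src, dst))
        # Rule 3: collect distinct sources per target per window to spot spoofed-source floods
        if proto in ("icmp", "igmp", "udp"):
            per_target[(dst, int(t // window))].add(src)
    for (dst, bucket), sources in sorted(per_target.items()):
        if len(sources) >= flood_sources:
            alerts.append(("multi-source-flood", f"{len(sources)} sources in window {bucket}", dst))
    return alerts


if __name__ == "__main__":
    for alert in classify(SAMPLE):
        print(*alert)
```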
Client OS: Available as C code (tested on Linux)
Target OS: OpenBSD version 2.6 and earlier
Description: Attacking ARP is an up-and-coming means of performing DoS attacks. It has not gained a great deal of popularity yet because there are very few successful ARP-based DoS attack tools currently available. However, such tools are being developed as of this writing, including OBSD_fun. This is a DoS tool tailored for the OpenBSD operating system (version 2.6 and below). In truth, OpenBSD is a very safe, well-designed OS, and the particular issue exploited by OBSD_fun has been fixed in version 2.7.
The tool attempts to overflow the ARP table, causing the system to freeze. This is done by flooding the target machine with spoofed packets at a rate of over 1,000 per second. The target tries to respond to these packets; however, since the spoofed hosts do not exist, it winds up waiting for replies that never arrive, leaving an entry in the ARP table for each one. Once the ARP table is full, the system crashes.
This attack can be executed with the following command:
#> ./obsd_fun <target_IP> <network> <count>
where target_IP is the IP address of the target, network is the first address of the network segment on which the target lies, and count is the number of hosts from which to spoof. We recommend you keep the count a high value, in the range of 65K.
This DoS attack can also be run from the local network. There is only one change to the above command:
#> ./obsd_fun <network> <count>
In this case, the spoofed packets are sent to random IP addresses within the network segment, whether they are valid IP addresses or not. This also causes the targets to fill up their ARP tables, trying to keep up with all the ARP-related traffic on the network.
A countermeasure for this DoS attack is to upgrade to the latest version of OpenBSD.
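An added host-side check (not from the book or from the OBSD_fun tool): a helper that parses `arp -an`-style output and reports, per interface, how many entries are stuck incomplete, which is the condition the tool drives the target toward. The sample lines, their BSD-flavoured format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed `arp -an`-style lines (BSD-flavoured format, not real output)
SAMPLE_ARP = """\
? (192.0.2.1) at 00:00:5e:00:53:01 on em0 permanent
? (192.0.2.20) at 00:00:5e:00:53:14 on em0
? (192.0.2.77) at (incomplete) on em0
? (192.0.2.78) at (incomplete) on em0
? (192.0.2.79) at (incomplete) on em0
? (192.0.2.80) at (incomplete) on em0
? (10.0.0.1) at 00:00:5e:00:53:aa on em1
""".splitlines()

# One ARP entry: "(ip) at <mac or incomplete marker> on <interface>"
ENTRY = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>\S+) on (?P<ifname>\S+)")


def arp_pressure(lines, max_incomplete=3, max_ratio=0.5):
    """Per interface -> (total entries, incomplete entries, flagged).

    Flagged when both an absolute count and a share of the table are unresolved,
    so a single stale entry on a tiny table does not raise an alert (thresholds assumed).
    """
    total = defaultdict(int)
    incomplete = defaultdict(int)
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        total[m["ifname"]] += 1
        # Linux prints <incomplete>, BSDs print (incomplete); accept both spellings
        if m["mac"].strip("()<>").lower() == "incomplete":
            incomplete[m["ifname"]] += 1
    result = {}
    for ifname, n in total.items():
        inc = incomplete[ifname]
        result[ifname] = (n, inc, inc >= max_incomplete and inc / n >= max_ratio)
    return result


if __name__ == "__main__":
    for ifname, (n, inc, flagged) in arp_pressure(SAMPLE_ARP).items():
        print(f"{ifname}: {inc}/{n} incomplete{' <-- ARP table under pressure' if flagged else ''}")
```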