TCP/IP FLOODING
Reported October 13, 1997 by TFreak
Systems Affected
Any system employing TCP/IP
The Problem
The smurf attack is quite simple. It has a list of broadcast addresses which
it stores into an array, and sends a spoofed ICMP echo request to each of those
addresses in series and starts again. The result is a devistating attack upon
the spoofed IP. Depending on the amount of broadcast addresses used, many,
many computers may respond to the echo request.
This attack can EASILY saturate a T1 circuit, rendering it completely
useless.
HERE IS THE SMURF SOURCE CODE:
* $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $*
* spoofs icmp packets from a host to various broadcast addresses resulting
* in multiple replies to that host from a single packet.
* disclaimer:
* I cannot and will not be held responsible nor legally bound for the
* malicious activities of individuals who come into possession of this
* program and I refuse to provide help or support of any kind and do NOT
* condone use of this program to deny service to anyone or any machine.
* This is for educational use only. Please Don't abuse this.
* TFreak
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
[snip...]
/* stamp */
char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $";
[snip...]
void usage (char *prog)
{
fprintf(stderr, "usage: %s "
" \n\n"
"target = address to hit\n"
"bcast file = file to read broadcast addresses from\n"
"num packets = number of packets to send (0 = flood)\n"
"packet delay = wait between each packet (in ms)\n"
"packet size = size of packet (< 1024)\n\n", prog);
exit(-1);
}
[snip...]
Stopping the Problem
MCI has a tool called DoSTracker that may help you track down Smurf users.
Additionally, there is an excellent resource document explaining this
attack in detail, and offering good
information on stopping it as best you can located HERE.
To learn more about new NT security concerns, subscribe to NTSD.
Credit:
Reported by TFreak
Posted here at NTSecurity.Net October 12, 1997
From hyped@ROO.UNIXNET.ORG Tue Oct 21 08:27:21 1997
Date: Mon, 13 Oct 1997 19:52:25 -0400
From: hyped
To: BUGTRAQ@NETSPACE.ORG
Subject: broadcast ip scanning script
T. Freak's posted his smurf code, and there's been a few messages
concerning this d.o.s. attack -- I guess now is a good of a time as any to
release this little script.
I'm sure there's a more efficient way of putting something like this
together, but... oh well. Results of the scan are reported into
./bips.results
note: this script has two parts.
--- bips.sh ---
#!/bin/bash
# find broadcast ip's that reply with 30+ dupes.
# i decided to make this script into two sections. when running this make
# sure both parts are in the same directory.
[snip...]
--- chekdup.sh ---
#!/bin/bash
# this checks possible broadcast ip's for a given amount of icmp echo
# replies.
[snip...]
|