RE: Bubonic DoS tool

From: Yonatan Bokovza (Yonatan@xpert.com)
Date: Tue Mar 11 2003 - 05:09:40 EST

Next message: Indian Tiger: "RE: Bubonic DoS tool"
Previous message: mike Hughes: "A little Help with Pen Testing My systems!"
Maybe in reply to: Indian Tiger: "Bubonic DoS tool"
Next in thread: Indian Tiger: "RE: Bubonic DoS tool"
Reply: Indian Tiger: "RE: Bubonic DoS tool"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> -----Original Message-----
> From: Indian Tiger [mailto:indiantiger@mailandnews.com]
> Sent: Thursday, February 06, 2003 18:43
> To: pen-test@securityfocus.com
> Cc: sil@antioffline.com
> Subject: Bubonic DoS tool
>
>
> Hi All,
>
> I was testing the "Bubonic.c lame DoS against Windows 2000
> machines and
> certain versions of Linux in a test scenario over Linux 8.0.
> I have compiled
> it's source code and running it's binary as follows:
> # ./bubonic 10.3.10.22 10.3.8.70 100 1000
> On executing the above command, there was no observable
> immediate effect,
> but the Hub was showing the collisions (which were the Red
> Steady). Etherial
> shows the packets routed to desination.
> But after executing the command the destination machine must be
> blocked/freeze, but it's not happening.

The code is very easy to understand. The "interesting" part is
in flooder(), my comments inline:

void flooder(void)
{
...
    packet.ip.ip_p = IPPROTO_TCP;
    packet.ip.ip_tos = rand();
...
    packet.tcp.th_flags = random();
    packet.tcp.th_win = 65535;
    packet.tcp.th_seq = random();
    packet.tcp.th_ack = 0;
    packet.tcp.th_off = 0;
    packet.tcp.th_urp = random();
    packet.tcp.th_dport = random();
...
    cksum.pseudo.ptcl = IPPROTO_TCP;
    cksum.pseudo.tcpl = random();
...
    for(i=0;;++i) {
...
       if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0);
    }
}

To sum up and simplify, this sends TCP packets with bad header.
As a result, my unpatched win2k's CPU graph stays over 90%
in the kernel, causing Albinoni to sound bad.

Best Regards,

Yonatan Bokovza
IT Security Consultant
Xpert Systems

----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html

Next message: Indian Tiger: "RE: Bubonic DoS tool"
Previous message: mike Hughes: "A little Help with Pen Testing My systems!"
Maybe in reply to: Indian Tiger: "Bubonic DoS tool"
Next in thread: Indian Tiger: "RE: Bubonic DoS tool"
Reply: Indian Tiger: "RE: Bubonic DoS tool"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:30 EDT