Security Incidents mailing list archives

bubonic.c -- random TCP segment DoS tool


From: Richard and Amy Bejtlich <bejtlich () SATX RR COM>
Date: Mon, 28 Aug 2000 18:26:08 -0500

Hello,

As if we didn't have enough trouble deciphering traffic, I noticed a DoS
tool which appeared at http://www.antioffline.com/ today called bubonic.c.
All it does is send pseudo-random TCP traffic, but it could be enough to
confuse intrusion detectors.  Here's a snapshot of some of the traffic:

02:44:42.824837 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: . [ECN-Echo]
741211499:741211519(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.824960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: R [ECN-Echo]
3:23(20) ack 4237932823 win 65535 [tos 0x9a,ECT]
02:44:42.825086 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FP 4:24(20)
ack 306810104 win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825211 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FRP
741211502:741211522(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825333 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: . [ECN-Echo]
6:26(20) ack 659589464 win 65535 [tos 0x9a,ECT]
02:44:42.825459 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: F
[ECN-Echo,CWR] 741211504:741211524(20) win 65535 [tos 0x9a,ECT]
02:44:42.825583 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFR
[ECN-Echo,CWR] 741211505:741211525(20) ack 1685759809 win 65535 urg 27759
[tos 0x9a,ECT]
02:44:42.825715 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: P [CWR]
741211506:741211526(20) win 65535 [tos 0x9a,ECT]
02:44:42.825839 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SP
741211507:741211527(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFRP
[ECN-Echo,CWR] 741211508:741211528(20) ack 1384220876 win 65535 urg 27759
[tos 0x9a,ECT]
...and so on...

You can see a full log captured here:  http://www.antioffline.com/logged

You may have noticed certain recurring traffic characteristics, like the sequence
numbers, window sizes, and urg pointers.

Now, imagine the responses from a machine hit by this DoS attempt,
especially if the source addresses are spoofed and third party effects hit
an innocent bystander!

I expand on the "third party effect" problem in a paper available at
http://bejtlich.net and
http://securityfocus.com/data/library/nid_3pe_v1.pdf.

Enjoy,

Richard
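An added example, not part of the post and not code from the tool it describes: a small Python parser for the tcpdump lines quoted above that flags the segment-level anomalies a detector could key on (flag combinations no real stack emits, null segments, an urgent pointer past the payload) and reports the recurring constants (window size, urg pointer) the post points out. The sample lines are copied from the post and reflowed one packet per line; the field names are my own.

```python
import re
from collections import Counter

# Constructed sample: packets quoted in the post (addresses were already masked there).
SAMPLE_LOG = [
    "02:44:42.824837 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: . [ECN-Echo] 741211499:741211519(20) win 65535 urg 27759 [tos 0x9a,ECT]",
    "02:44:42.824960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: R [ECN-Echo] 3:23(20) ack 4237932823 win 65535 [tos 0x9a,ECT]",
    "02:44:42.825086 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FP 4:24(20) ack 306810104 win 65535 urg 27759 [tos 0x9a,ECT]",
    "02:44:42.825211 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FRP 741211502:741211522(20) win 65535 urg 27759 [tos 0x9a,ECT]",
    "02:44:42.825583 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFR [ECN-Echo,CWR] 741211505:741211525(20) ack 1685759809 win 65535 urg 27759 [tos 0x9a,ECT]",
    "02:44:42.825960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFRP [ECN-Echo,CWR] 741211508:741211528(20) ack 1384220876 win 65535 urg 27759 [tos 0x9a,ECT]",
]

# Old-style tcpdump TCP line: "ts src.sport > dst.dport: FLAGS [ecn] seq:end(len) [ack N] win N [urg N]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: \[(?P<ecn>[^\]]*)\])? (?P<seq>\d+):\d+\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?: urg (?P<urg>\d+))?"
)

# Flag pairs that never occur together in a segment built by a real TCP stack.
ILLEGAL_PAIRS = (("S", "F"), ("S", "R"), ("F", "R"))

def parse_line(line):
    """Return the fields tcpdump printed as a dict, or None if the line is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = "" if d["flags"] == "." else d["flags"]   # "." means no S/F/R/P set
    for k in ("sport", "dport", "seq", "len", "win"):
        d[k] = int(d[k])
    d["ack"] = int(d["ack"]) if d["ack"] else None
    d["urg"] = int(d["urg"]) if d["urg"] else None
    return d

def flag_anomalies(pkt):
    """Reasons a single segment looks forged rather than produced by a TCP stack."""
    reasons = [f"illegal flag combination {a}+{b}"
               for a, b in ILLEGAL_PAIRS if a in pkt["flags"] and b in pkt["flags"]]
    if not pkt["flags"] and pkt["ack"] is None:
        reasons.append("null segment (no S/F/R/P and no ACK)")
    if pkt["urg"] is not None and pkt["urg"] > pkt["len"]:
        reasons.append("urgent pointer beyond segment payload")
    return reasons

def analyze(lines):
    """Per-packet anomalies keyed by timestamp, plus fields that never vary across the sample."""
    pkts = [p for p in map(parse_line, lines) if p]
    per_packet = {p["ts"]: flag_anomalies(p) for p in pkts}
    constants = {}
    for field in ("win", "urg"):
        vals = Counter(p[field] for p in pkts if p[field] is not None)
        if len(vals) == 1:                      # same value in every packet that carried it
            constants[field] = next(iter(vals))
    return per_packet, constants
```

Run over the full log linked in the post, the constant window and urgent pointer are the kind of recurring value a signature can match on without having to enumerate every flag combination the tool generates.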

