Security Incidents mailing list archives
bubonic.c -- random TCP segment DoS tool
From: Richard and Amy Bejtlich <bejtlich () SATX RR COM>
Date: Mon, 28 Aug 2000 18:26:08 -0500
Hello,

As if we didn't have enough trouble deciphering traffic, I noticed a DoS tool which appeared at http://www.antioffline.com/ today called bubonic.c. All it does is send pseudo-random TCP traffic, but it could be enough to confuse intrusion detectors. Here's a snapshot of some of the traffic:

02:44:42.824837 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: . [ECN-Echo] 741211499:741211519(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.824960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: R [ECN-Echo] 3:23(20) ack 4237932823 win 65535 [tos 0x9a,ECT]
02:44:42.825086 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FP 4:24(20) ack 306810104 win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825211 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FRP 741211502:741211522(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825333 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: . [ECN-Echo] 6:26(20) ack 659589464 win 65535 [tos 0x9a,ECT]
02:44:42.825459 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: F [ECN-Echo,CWR] 741211504:741211524(20) win 65535 [tos 0x9a,ECT]
02:44:42.825583 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFR [ECN-Echo,CWR] 741211505:741211525(20) ack 1685759809 win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825715 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: P [CWR] 741211506:741211526(20) win 65535 [tos 0x9a,ECT]
02:44:42.825839 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SP 741211507:741211527(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFRP [ECN-Echo,CWR] 741211508:741211528(20) ack 1384220876 win 65535 urg 27759 [tos 0x9a,ECT]
...and so on...

You can see a full log captured here: http://www.antioffline.com/logged

You may have noticed certain recurring traffic characteristics, like the sequence numbers, window sizes, and urg pointers. Now, imagine the responses from a machine hit by this DoS attempt, especially if the source addresses are spoofed and third party effects hit an innocent bystander!
I expand on the "third party effect" problem in a paper available at http://bejtlich.net and http://securityfocus.com/data/library/nid_3pe_v1.pdf. Enjoy, Richard
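The flag combinations and fixed field values Richard points out can be scored mechanically. The following is an added Python example, not code from the post or from the tool's author: it parses tcpdump lines in the format quoted above, counts segments whose flag set no conforming TCP stack would emit, and reports whether the window size and urgent pointer are constant. The sample lines are taken from the post (addresses masked there as xxx.xxx.xxx.xxx); the anomaly rules in EXCLUSIVE and illegal_flags() are the example's own assumptions.

```python
import re
from collections import Counter

# tcpdump lines quoted in the post (addresses already masked there as xxx.xxx.xxx.xxx).
SAMPLE = """\
02:44:42.824837 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: . [ECN-Echo] 741211499:741211519(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.824960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: R [ECN-Echo] 3:23(20) ack 4237932823 win 65535 [tos 0x9a,ECT]
02:44:42.825086 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FP 4:24(20) ack 306810104 win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825211 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: FRP 741211502:741211522(20) win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825459 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: F [ECN-Echo,CWR] 741211504:741211524(20) win 65535 [tos 0x9a,ECT]
02:44:42.825583 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFR [ECN-Echo,CWR] 741211505:741211525(20) ack 1685759809 win 65535 urg 27759 [tos 0x9a,ECT]
02:44:42.825960 xxx.xxx.xxx.xxx.15964 > xxx.xxx.xxx.xxx.40609: SFRP [ECN-Echo,CWR] 741211508:741211528(20) ack 1384220876 win 65535 urg 27759 [tos 0x9a,ECT]
"""
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: \[[^\]]*\])? (?P<seq>\d+):\d+\(\d+\)(?P<ack> ack \d+)?"
    r" win (?P<win>\d+)(?: urg (?P<urg>\d+))?")
# Flag pairs no conforming TCP stack sets in one segment (example's own rule list).
EXCLUSIVE = [("S", "F"), ("S", "R"), ("F", "R")]

def parse(line):
    """One tcpdump TCP line -> dict of the fields we score on, or None if no match."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = set(d["flags"]) - {"."}          # "." means no flags set
    d["has_ack"] = d["ack"] is not None
    d["seq"], d["win"] = int(d["seq"]), int(d["win"])
    d["urg"] = int(d["urg"]) if d["urg"] else None
    return d

def illegal_flags(pkt):
    """True for mutually exclusive flags, or a FIN carried without ACK."""
    f = pkt["flags"]
    if any(a in f and b in f for a, b in EXCLUSIVE):
        return True
    return "F" in f and not pkt["has_ack"]

def analyse(text):
    """Count impossible flag sets and check whether win/urg are suspiciously constant."""
    pkts = [p for p in map(parse, text.splitlines()) if p]
    wins = Counter(p["win"] for p in pkts)
    urgs = Counter(p["urg"] for p in pkts if p["urg"] is not None)
    return {"packets": len(pkts),
            "illegal": sum(illegal_flags(p) for p in pkts),
            "constant_win": len(wins) == 1,
            "urg_values": dict(urgs)}
```

A single fixed window and urgent pointer across otherwise random flag sets is the kind of invariant a detector can key on without trying to track state for each nonsense segment.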