Vulnerability Development mailing list archives

Re: Win2k & Linux DoS


From: Vitaly McLain <twistah () DATASURGE NET>
Date: Fri, 25 Aug 2000 23:41:01 -0500

Hi,

I've played around with Bubonic.c and I have a few comments.

First of all, you should really test it over the Internet (or another WAN)
and not a LAN. This crashing may be due to an overload that will not occur
over the Net (or you will need some really good bandwidth to accomplish it).
What I am basically saying is we need to find out if this is a flaw in the Win2k
TCP/IP stack or if it's just an issue similar to a ping flood.

I did run a few tests with Bubonic. Over my 100mbps network, I flooded my
Windows NT 4.0 Workstation (SP5) box using:

bizkit:~# ./bubonic 192.168.1.2 192.168.1.23 1000 100000
Bubonic -- sil () antioffline com


Finding host
AntiOffline -- Putting the Hero in Heroin

The NT box is an AMD K6-2 400mhz / 64mb of RAM and the worst that did was
raise the CPU usage to around 6%.

Here is where it gets a little interesting. Setting the source address to the
same IP as the dest IP (192.168.1.2 in this case) makes the flood more
intense. My hub goes to around 25% utilization AND my CPU goes from 15% to
30% (it fluctuates). However it does not crash, and no real slowdown is
observed (though it would be more effective on slower systems).

My suspicion is that your crash happened due to an overload because of the
flood. I've managed to accomplish the same thing before. I compiled an old
piece of source found on Packetstorm: killsentry.c. It is designed to send
FIN packets from basically every IP and simulate a portscan (thus Abacus
PortSentry would auto-block the entire Net). Anyway, that's not the point.
On a box without PortSentry, killsentry.c slowed it down significantly. But
this is just because it was a giant flood, and not a hole in the TCP/IP
implementation. I think the same thing is happening here.

I could be wrong ;-)

Vitaly McLain
twistah () datasurge net
Hmm, $10 says I'll get at least 7 Out-of-Office replies...
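Added example, not part of the original post or of Bubonic: a small capture summariser of the kind a defender would run on the receiving side of the test above, to measure the per-destination packet rate (a sustained high rate supports the "overload, not stack hole" reading) and to count packets whose source equals destination, which are forged by definition since no host emits them onto the wire. The IPv4 header layout is RFC 791; the sample packets and addresses (192.168.1.2 / 192.168.1.23, taken from the post) are constructed inline and carry no checksum or payload.

```python
import struct
from collections import Counter

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header (RFC 791), big-endian


def parse_ipv4(pkt: bytes) -> dict:
    """Return source, destination and protocol of a raw IPv4 packet (fixed header only)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")

    def dotted(raw: bytes) -> str:
        return ".".join(str(b) for b in raw)

    return {"src": dotted(src), "dst": dotted(dst), "proto": proto}


def summarize_capture(capture, window_s: float = 1.0) -> dict:
    """capture: list of (timestamp_seconds, raw_ipv4_bytes).
    Returns the peak packets-per-window seen for each destination and the number of
    packets whose source address equals the destination (a spoofing indicator)."""
    per_dst_window = Counter()
    self_addressed = 0
    for ts, pkt in capture:
        hdr = parse_ipv4(pkt)
        per_dst_window[(hdr["dst"], int(ts // window_s))] += 1
        if hdr["src"] == hdr["dst"]:
            self_addressed += 1
    peak = {}
    for (dst, _), n in per_dst_window.items():
        peak[dst] = max(peak.get(dst, 0), n)
    return {"peak_pps": peak, "self_addressed": self_addressed}


def make_ipv4(src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed sample packet for offline use: header only, checksum left at 0."""
    def to_bytes(addr: str) -> bytes:
        return bytes(int(x) for x in addr.split("."))
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, 64, proto, 0, to_bytes(src), to_bytes(dst))


# Constructed sample: 1000 packets inside one second from a LAN host, then 5 self-addressed ones.
SAMPLE = [(i / 1000, make_ipv4("192.168.1.23", "192.168.1.2")) for i in range(1000)]
SAMPLE += [(1.5 + i / 10, make_ipv4("192.168.1.2", "192.168.1.2")) for i in range(5)]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE))
```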
