Vulnerability Development mailing list archives

Re: Flood Attack


From: "J. Oquendo" <sil () ANTIOFFLINE COM>
Date: Mon, 28 Aug 2000 20:12:32 -0500

This is why my previous post might have seemed a bit impolite.

Apologies.

Now for the explanation of what the tool is meant to do, what it does and
what it doesn't do.

Upon reading up on BGP, OSPF, RIP, etc., since I'm studying for CCNA/CCIE
stuff, I decided one day out of boredom to come up with attack scenarios at
the router level, such as a "What if this attack occurred" notion.

Upon a review of BGP through RFCs, various books, articles, postings,
etc., it dawned on me that unless filtering is applied, anyone can spoof
packets as any router (child's play).

Now neighbors trust each other's data whether the payload is empty or not;
if it's a valid neighbor (neighborA), then neighborB will listen. Simple
enough. I'm not concerned with who has what filters, ACLs, or
authentication in place, etc.

My view on writing this was: if I sent neighborDEE bad data as
neighborDUMB, somewhere down the line neighborDUMB is either going to

a) crash, using up unnecessary resources (imagine this attack distributed)
b) lag to death and if logging was enabled... choke
c) ignore neighborDEE (killing the neighbor connection)
d) e-mail me a reply back with a relevant RFC showing me why this attack
wouldn't work.

This tool was theory based, as is all of the stuff I threw into the Theories
in DoS article. Should it be taken seriously? I believe so. While setting
up a workstation to act as a router, I managed to kill the connection
between both neighbors without any filtering.

Why haven't I tested it on a live router? I think that question answers
itself entirely. While I do have some routers I could test it on, I get
busy with work and stuff, so I didn't bother benchmarking anything. It was
easier to compile Zebra on my two workstations and benchmark it there.

Would it work on Cisco? Maybe so; you have to keep in mind it is still
sending data to a router's BGP port, so somewhere down the line some
resource is going to be used. If this were a distributed attack, even if it
were simply sending fscked up packets, it is still a resource lost.

Think of a trinoo-like daemon with 5,000 hosts each sending you 64k
packets at the rate of, say, 1,000 per second; you're looking at about
18,750,000k worth of traffic per minute, etc., etc. Somewhere down the
line it should be enough to saturate your BGP network with trash, which
still may kill it. Who knows.

I suggest testing it out on your own and keeping in mind the fact that this
was released to a vulnerability development list, not out of malice, so
there's no need to flame, offer me uber-krad DoS tools, or anything of
that nature. Simply put, it's meant to test the water; that's why I stated in
the header "theory based."

Zebra routing software used:    www.zebra.org
Theories in DoS paper:          www.antioffline.com/TID/
--------------------------------------------------
Jesus Christ
Disgruntled Postal Worker

sil () deficiency org  || www.deficiency.org
sil () macroshaft org  || www.macroshaft.org
sil () antioffline com || www.antioffline.com

PGP Fingerprinting
FB96 1B34 ED52 73A0 AEA5  0D7C 671D 224B 889D 1540

"No enterprise is more likely to succeed than one
concealed from the enemy until it is ripe for
execution."  Niccolo Machiavelli, The Prince 1521

0000 0011 0000 0001 0000 0011 0000 0011 0000 0111


On 29 Aug 2000, RazboiniK wrote:

I saw the code you published on PacketStorm and it looks like mstream, and I
copied the mstream code and "ported" it to Win in May and put the attack in a
plugin called girc for bo2k. It's loaded, and I put some PCs to flood a router
and can take down the connection easily if the bandwidth is better than that
of the router, but that's to port 79, and you can take down almost any
connection from any OS, I think; I tried it on some and it could do it. I don't
have many tools, but my firewalls don't detect the attack.
Excuse my poor English.
=)


    RazboiniK
gAdAsT eNtErPrIsEs
