Vulnerability Development mailing list archives
Re: Flood Attack
From: "J. Oquendo" <sil () ANTIOFFLINE COM>
Date: Mon, 28 Aug 2000 20:12:32 -0500
This is why my previous post might have seemed a bit impolite. Apologies. Now for the explanation of what the tool is meant to do, what it does and what it doesn't do.

Upon reading up on BGP, OSPF, RIP, etc., since I'm studying for CCNA/CCIE stuff, I decided one day out of boredom to come up with attack scenarios on the router level, such as a "What if this attack occurred" notion. Upon a review of BGP through RFCs, various books, articles, postings, etc., it dawned on me that unless filtering is applied anyone can spoof packets as any router (child's play). Now neighbors trust each other's data whether the payload is empty or not; if it's a valid neighbor (neighborA) then neighborB will listen. Simple enough. I'm not concerned with who has what filters, ACLs or authentication in place, etc.

My view on writing this was: if I sent neighborDEE bad data as neighborDUMB, somewhere down the line neighborDUMB is either going to

a) crash using up unnecessary resources (imagine this attack distributed)
b) lag to death and if logging was enabled... choke
c) ignore neighborDEE (killing the neighbor connection)
d) e-mail me a reply back with a relevant RFC showing me why this attack wouldn't work.

This tool was theory based, as in all of the stuff I threw on the theories in DoS article. Should it be taken seriously? I believe so. While setting up a workstation to act as a router I managed to kill the connection between both neighbors without any filtering. Why haven't I tested it on a live router? I think that question answers itself entirely. While I do have some routers I could test it on, I get busy with work and stuff so I didn't bother benchmarking anything. It was easier to compile Zebra on my two workstations and benchmark it there. Would it work on Cisco? Maybe so; you have to keep in mind it still is sending data to a router's BGP port, so somewhere down the line some resource is going to be used.
If this were a distributed attack, even if it were simply sending fscked up packets, it still is a resource lost. Think of a trinoo-like daemon with 5,000 hosts each sending you 64k packets at the rate of say 1,000 per second; you're looking at about 18,750,000k worth of traffic per minute, etc., etc. Somewhere down the line it should be enough to saturate your BGP network with trash, which still may kill it. Who knows.

I suggest testing it out on your own and keeping in mind the fact this was released to a vulnerabilities development list. Not out of malice, so there's no need to flame, offer me uber-krad DoS tools, or anything of that nature. Simply, it's meant to test the water; that's why I stated in the header "theory based."

Zebra routing software used: www.zebra.org
Theories in DoS paper: www.antioffline.com/TID/

--------------------------------------------------
Jesus Christ Disgruntled Postal Worker
sil () deficiency org || www.deficiency.org
sil () macroshaft org || www.macroshaft.org
sil () antioffline com || www.antioffline.com
PGP Fingerprinting FB96 1B34 ED52 73A0 AEA5 0D7C 671D 224B 889D 1540

"No enterprise is more likely to succeed than one concealed from the enemy until it is ripe for execution."
Niccolo Machiavelli, The Prince 1521

0000 0011 0000 0001 0000 0011 0000 0011 0000 0111

On 29 Aug 2000, RazboiniK wrote:
I saw the code you published on packetstorm and it looks like mstream. I copied the mstream code and "ported" it to Win in May and put the attack in a plugin called girc for bo2k. It's loaded, and I put some PCs to flood a router, and it can take down the connection easily if the bandwidth is better than the one of the router, but that to port 79, and you can take down almost any connection from any OS, I think. I probed some and it could do it. I don't have many tools, but my firewalls don't detect the attack.

Excuse my poor English =)

RazboiniK
gAdAsT eNtErPrIsEs