Vulnerability Development mailing list archives

Re: Windows DoS code (jolt2.c)


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sun, 28 May 2000 20:43:34 +0200


Phonix Monkey wrote:

An interesting side note is that minor changes to this packet cause
NT4/Win2k (maybe others, not tested) memory use to jump
*substantially* (+70 meg non-paged-pool on a machine with 196 mb
phys).

Hi again Phonix!
(Yes, I'm done picking your PoC code to pieces now :-)

First: I tried introducing a delay in the send loop. Sending less
than 200 packets per second didn't do much for CPU load, but over
300 pps completely locked the victim machines (NT4/SP6 and W2K).
(Without the delay in place, I only ended up freezing the
switch connecting the attacker to the target :-P )

Second: What's this "minor change" that you describe? It'd
be really interesting to see what it is, since jolt2.c currently
is only "effective" for the duration of the attack. If the victim
machine could be made to consume lots of RAM, it'd be "more
effective".

Regards,
Mikael Olsson

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
