Re: Smurf ,land attacks

[Paulo Abrantes <ghostrider () box sk>]

Hello Vik,

What the attacker does is not allowing the Kernel to fill in the IP datagram 
from the packet he's spoofing, and filling it by himself/herself. 
How can (s)he do that? 
Well, the best way I know, and probably is the way that land.c (that you mention) 
uses (I do do not know the source of that program) is creating a RAW socket. 
Then using a function called setsocketop() enabling the option IP_HDRINCL which 
allows you to include your own IP Header. This way it's you that create the all
the IPheader including  IP Source Address.

For further information give a look at raw(7) man page.

Regards, 

P. Abrantes 

On Sat, 9 Nov 2002 13:10:11 -0700
"Vik Evans" <vevans () packeteye phxcoxmail com> wrote:

> My question is this: how does an attacker accomplish modifying a packet and
> sending it; such as in a land.c attack - how does he modify the packet to
> reflect the victim's source and destination IP and then send it onto the
> wire?
>
> -----Original Message-----
> From: Fuchs Bernhard [mailto:Bernhard.Fuchs () itellium com]
> Sent: Tuesday, November 05, 2002 5:58 AM
> To: 'vijay vikram shreenivos'; security-basics () securityfocus com
> Subject: AW: Smurf ,land attacks
>
>
> Hi there!
>
> with "IP spoofing" you give a different source address to the packet. the
> address is different to your real address. You do this for cloaking your
> scan or if company A scans company B and spoofes the address of company c.
> so company b thinks it is company c scanning them! o.k.? but company a will
> not get any results back! this is mostly to cloak your own scan.
>
> Smurf is a DoS-Attack (denial of service)
> You Amplifi your ping through a big network. You ping a subnet like
> x.x.x.255 with an SPOOFED IP-Adress and every computer on that big net
> responses to the poor little machine  that has the IP-Adress. Think of class
> B subnet with a few hosts reply to a ADSL connected machine... 1500kb
> download and 196 kb upload :-)
>
> land attack is a TCP SYN packet that has the ip address and port number for
> the source set to the same as the ip address and port number for the
> destination. the server connects to itself.
>
>
> any comments?
>
> by the way, google knows it too :-)
>
> Mit freundlichen Grüßen/ sincerely yours
>
>
> Bernhard Fuchs
> Junior System-Engineer
> IT-Infrastruktur
>
> ITELLIUM
> Systems & Services GmbH
> Fürther Straße 205
> 90429 Nürnberg
>
> Tel.:   +49-911-14-27321
> Fax:    +49-911-14-22016
> mailto:bernhard.fuchs () itellium com
> http://www.itellium.com
>
> This email is confidential. If you are not the intended recipient, you must
> not disclose or use the information contained in it. If you have received
> this mail in error, please tell us immediately by return email and delete
> the document. E-mails to and from the company are monitored for operational
> reasons and in accordance with lawful business practices. The contents of
> this email are those of the individual and do not necessarily represent the
> views of the company. The company accepts no responsibility once an e-mail
> and any attachments is sent.
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: vijay vikram shreenivos [mailto:karpagamekapali () rediffmail com]
> Gesendet: Samstag, 2. November 2002 08:15
> An: security-basics () securityfocus com
> Betreff: Smurf ,land attacks
>
>
> Hi list,
>
>
> Can someone give the EXACT differences btw
>
> SMURF
> LAND
> and IP soofing attacks.
>
> karpagamekapalidurgau
> __________________________________________________________
> Give your Company an email address like
> ravi @ ravi-exports.com.  Sign up for Rediffmail Pro today!
> Know more. http://www.rediffmailpro.com/signup/