Re: Smurf ,land attacks

[j mattox <security () wirerats org>]

In-Reply-To: <001c01c2882c$53eec250$0f64640a () packeteye com>

I believe that this can be done with tools such as dsniff.  In = 
addition, any 
attack which uses ICMP protocol can easily be spoofed simply by writing = 
a 
small script.  For example, using ping alone you can do the following = 
by 
using the dummy module for linux: 

/sbin/insmod -o dummy /lib/modules/[kernel 
version]/kernel/drivers/net/dummy0 

/sbin/ifconfig dummy up 10.10.10.10 ( or any address) 

ping -I 10.10.10.10 [hostname to send packets to] -P [packetsize] 

wolla! 
It will send a custom packetsize to the specified hostname.  Keep in = 
mind 
this is strictly for ICMP traffic. 

Hope this helps! 

jm 
Wirerats Network Security, Inc. 


> My question is this: how does an attacker accomplish modifying a packet 
and
> sending it; such as in a land.c attack - how does he modify the packet to
> reflect the victim's source and destination IP and then send it onto the
> wire?
>
> -----Original Message-----
> From: Fuchs Bernhard [mailto:Bernhard.Fuchs () itellium com]
> Sent: Tuesday, November 05, 2002 5:58 AM
> To: 'vijay vikram shreenivos'; security-basics () securityfocus com
> Subject: AW: Smurf ,land attacks
>
>
> Hi there!
>
> with "IP spoofing" you give a different source address to the packet. the
> address is different to your real address. You do this for cloaking your
> scan or if company A scans company B and spoofes the address of company 
c.
> so company b thinks it is company c scanning them! o.k.? but company a 
will
> not get any results back! this is mostly to cloak your own scan.
>
> Smurf is a DoS-Attack (denial of service)
> You Amplifi your ping through a big network. You ping a subnet like
> x.x.x.255 with an SPOOFED IP-Adress and every computer on that big net
> responses to the poor little machine  that has the IP-Adress. Think of 
class
> B subnet with a few hosts reply to a ADSL connected machine... 1500kb
> download and 196 kb upload :-)
>
> land attack is a TCP SYN packet that has the ip address and port number 
for
> the source set to the same as the ip address and port number for the
> destination. the server connects to itself.
>
>
> any comments?
>
> by the way, google knows it too :-)
>
> Mit freundlichen Grüßen/ sincerely yours
>
>
> Bernhard Fuchs
> Junior System-Engineer
> IT-Infrastruktur
>
> ITELLIUM
> Systems & Services GmbH
> Fürther Straße 205
> 90429 Nürnberg
>
> Tel.:   +49-911-14-27321
> Fax:    +49-911-14-22016
> mailto:bernhard.fuchs () itellium com
> http://www.itellium.com
>
> This email is confidential. If you are not the intended recipient, you 
must
> not disclose or use the information contained in it. If you have received
> this mail in error, please tell us immediately by return email and delete
> the document. E-mails to and from the company are monitored for 
operational
> reasons and in accordance with lawful business practices. The contents of
> this email are those of the individual and do not necessarily represent 
the
> views of the company. The company accepts no responsibility once an e-
mail
> and any attachments is sent.
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: vijay vikram shreenivos [mailto:karpagamekapali () rediffmail com]
> Gesendet: Samstag, 2. November 2002 08:15
> An: security-basics () securityfocus com
> Betreff: Smurf ,land attacks
>
>
> Hi list,
>
>
> Can someone give the EXACT differences btw
>
> SMURF
> LAND
> and IP soofing attacks.
>
> karpagamekapalidurgau
> __________________________________________________________
> Give your Company an email address like
> ravi @ ravi-exports.com.  Sign up for Rediffmail Pro today!
> Know more. http://www.rediffmailpro.com/signup/