Bugtraq mailing list archives
Re: ipx storm
From: fberzau () NOVELL COM (Frank Berzau)
Date: Mon, 5 Jun 2000 10:40:57 +0200
Hi Jacek,

You say Windows 95 would be vulnerable. I'd like to know which IPX stack was installed on this machine and which NetWare client software (MS' or Novell's, and which version). Also, did you try running this against NetWare servers? If so, which version(s)?

To answer your question about the "new NetWare", I assume you're talking about NetWare 5? NetWare 5 is NOT using IPX over IP, which would be any form of IPX tunneling, but NetWare 5 is using a re-architected NCP design which uses winsock calls instead of direct calls into a specific protocol stack. What this means is that any NCPs can use IPX or IP transparently, depending on which protocol stack(s) are configured. A NetWare 5 server, by default, does not run IPX at all. Also the CMD (compatibility mode driver) which is loaded by default is only used for interoperability of NetWare clients running CMD mode and the NetWare server running CMD. This does NOT pick up any raw IPX traffic (as the one your program is generating).

Regards,
Frank
Jacek Lipkowski <sq5bpf () ROCK ANDRA COM PL> 02.06.00 18.30 >>>
Hello,

The IPX protocol has something called IPX ping. Sending a packet to socket 0x456 to anything supporting ipx causes a response to be sent back. If you send a packet with source and destination addresses set to the ethernet broadcast address and source and destination socket set to 0x456, everything supporting ipx sends a reply to the broadcast address (and after that they start talking to each other). The storm ends when all ipx stacks die off (it can last a few minutes on a small network, up to probably half an hour on a large network). You can also set the source and destination networks to have a broadcast storm between them (probably a killer on large corporate WANs :) - but remember to set the destination address to the router of the destination network.

This is really an old school DoS (kind of like sending udp packets with the source=destination=ip broadcast address and setting the ports to echo or chargen), only applied to ipx, so it should have been fixed by now.

I've attached some code I used to test this under linux (it can only spoof 802.2 and 802.3 packets, add other types if you wish). It's best to set all addresses to broadcast and ipx networks to 0 (local ipx network) for starters and fire off tcpdump to see the fun begin.

I don't know about the platforms affected - windows 9x seems to be vulnerable, nt doesn't, probably dos clients running netx or vlm should be affected as well (not tested). If you find another vulnerable platform I would like to know.

Please use the attached program at your own risk, and don't hold me or my employer (Andra Sp. z o.o.) liable for any damages.

Jacek Lipkowski

ps. I know nothing about ipx over ip in the new netware, so someone please check if this can be used this way?
ps2. the program is badly written -- I'm aware of that :)

-----------------------------------------------------------------
Andra Network Integrator
ul. Wynalazek 6
02-677 Warsaw
Poland
mailto: office () andra com pl
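As an added example that is not part of either message (nor of Jacek's attached program): a small Python checker, written from the detection side, that decodes the 30-byte IPX header and flags frames showing the pattern the post describes, a socket 0x456 request whose source node is the broadcast address, so every reply goes back to broadcast. The sample frames inside it are constructed for the dry run, not captured traffic.

```python
import struct
IPX_HEADER_LEN = 30
DIAG_SOCKET = 0x0456           # the "IPX ping" socket named in the thread
BROADCAST_NODE = b"\xff" * 6   # ff:ff:ff:ff:ff:ff


def parse_ipx(frame: bytes) -> dict:
    """Decode the fixed 30-byte IPX header (all fields big-endian)."""
    if len(frame) < IPX_HEADER_LEN:
        raise ValueError("truncated IPX header")
    names = ("checksum", "length", "hops", "ptype", "dst_net", "dst_node",
             "dst_sock", "src_net", "src_node", "src_sock")
    return dict(zip(names, struct.unpack(">HHBBI6sHI6sH", frame[:IPX_HEADER_LEN])))


def is_storm_pattern(pkt: dict) -> bool:
    """Diagnostic request whose *source* node is broadcast: every stack that
    answers replies to broadcast, the self-sustaining loop the thread describes.
    Ordinary pings come from a unicast node and are not flagged."""
    return (pkt["dst_sock"] == DIAG_SOCKET
            and pkt["src_sock"] == DIAG_SOCKET
            and pkt["src_node"] == BROADCAST_NODE)


def flag_frames(frames) -> list:
    """Indices of frames matching the storm pattern; runt frames are skipped."""
    hits = []
    for i, frame in enumerate(frames):
        try:
            pkt = parse_ipx(frame)
        except ValueError:
            continue
        if is_storm_pattern(pkt):
            hits.append(i)
    return hits


def constructed_samples() -> list:
    """Constructed sample headers (not captured traffic) for a dry run."""
    def hdr(dst_node, dst_sock, src_node, src_sock):
        return struct.pack(">HHBBI6sHI6sH", 0xFFFF, IPX_HEADER_LEN, 0, 0,
                           0, dst_node, dst_sock, 0, src_node, src_sock)
    host = bytes.fromhex("00a0c9112233")          # an ordinary unicast node
    return [
        hdr(BROADCAST_NODE, DIAG_SOCKET, host, 0x4003),                 # normal ping
        hdr(BROADCAST_NODE, DIAG_SOCKET, BROADCAST_NODE, DIAG_SOCKET),  # storm
        hdr(host, 0x0451, host, 0x4004),                                # NCP traffic
        b"\x00\x01",                                                    # runt frame
    ]
```

Feed `flag_frames` the IPX payloads pulled from a capture (after the 802.2/802.3 framing is stripped) to get the indices of frames worth alerting on.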