Bugtraq mailing list archives

Re: ipx storm


From: fberzau () NOVELL COM (Frank Berzau)
Date: Mon, 5 Jun 2000 10:40:57 +0200


Hi Jacek,

You say Windows 95 would be vulnerable. I'd like to know which IPX stack was installed on this machine and which 
NetWare client software (MS's or Novell's, and which version).

Also did you try running this against NetWare servers? If so which version(s)?

To answer your question about the "new NetWare", I assume you're talking about NetWare 5? NetWare 5 is NOT using IPX 
over IP, which would be some form of IPX tunneling; instead, NetWare 5 uses a re-architected NCP design that makes 
winsock calls instead of direct calls into a specific protocol stack. What this means is that any NCPs can use IPX or 
IP transparently, depending on which protocol stack(s) are configured. A NetWare 5 server, by default, does not run IPX 
at all. Also, the CMD (compatibility mode driver), which is loaded by default, is only used for interoperability between 
NetWare clients running CMD mode and the NetWare server running CMD. This does NOT pick up any raw IPX traffic (such as 
the traffic your program is generating).

Regards, Frank

Jacek Lipkowski <sq5bpf () ROCK ANDRA COM PL> 02.06.00 18.30 >>>
Hello,

The IPX protocol has something called IPX ping. Sending a packet to
socket 0x456 to anything supporting IPX causes a response to be sent back.
If you send a packet with source and destination addresses set to the
ethernet broadcast address and source and destination socket set to 0x456,
everything supporting IPX sends a reply to the broadcast address (and
after that they start talking to each other). The storm ends when all IPX
stacks die off (it can last a few minutes on a small network, up to
probably a half hour on a large network). You can also set the source and
destination networks to have a broadcast storm between them (probably a
killer on large corporate WANs :) - but remember to set the destination
address to the router of the destination network.

This is really an old-school DoS (kind of like sending UDP packets with
the source=destination=IP broadcast address and setting the ports to echo
or chargen), only applied to IPX, so it should have been fixed by now.

I've attached some code I used to test this under Linux (it can only spoof
802.2 and 802.3 packets; add other types if you wish). It's best to set
all addresses to broadcast and IPX networks to 0 (local IPX network) for
starters and fire off tcpdump to see the fun begin.

I don't know about the platforms affected - Windows 9x seems to be
vulnerable, NT doesn't; probably DOS clients running NETX or VLM should be
affected as well (not tested). If you find another vulnerable platform,
I would like to know.

Please use the attached program at your own risk, and don't hold me or my
employer (Andra Sp. z o.o.) liable for any damages.

Jacek Lipkowski

ps. I know nothing about IPX over IP in the new NetWare, so could someone
please check if this can be used this way?

ps2. The program is badly written -- I'm aware of that :)

-----------------------------------------------------------------
Andra Network Integrator
ul. Wynalazek 6
02-677 Warsaw
Poland
mailto: office () andra com pl
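From a defender's side, the pattern Jacek describes is easy to spot on the wire: a frame to the IPX diagnostic socket 0x456 whose source node is the broadcast address cannot be a legitimate query (no station owns that address), and a burst of diagnostic-socket frames addressed to the broadcast node is the storm itself. The following detector is an added example written for this archive page; it is not the program attached to the original post and is not Novell's or Microsoft's code. It assumes raw 30-byte IPX headers (big-endian, no 802.2/802.3 encapsulation) and the sample frames, node addresses and the storm threshold are constructed for illustration.

```python
"""
Classify IPX frames for the "diagnostic socket" (IPX ping) broadcast-storm
pattern.  Added example for the Bugtraq thread; not the original attached
program.  Assumes raw IPX headers without link-layer encapsulation.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

IPX_HEADER_LEN = 30
IPX_HEADER_FMT = ">HHBBI6sHI6sH"   # checksum, length, tc, type, dst net/node/sock, src net/node/sock
DIAGNOSTIC_SOCKET = 0x0456          # IPX diagnostic socket ("IPX ping") named in the post
BROADCAST_NODE = b"\xff" * 6        # all-ones node address


@dataclass
class IpxHeader:
    checksum: int
    length: int
    transport_control: int
    packet_type: int
    dst_net: int
    dst_node: bytes
    dst_socket: int
    src_net: int
    src_node: bytes
    src_socket: int


def parse_ipx_header(frame: bytes) -> IpxHeader:
    """Decode the fixed 30-byte IPX header; rejects truncated frames."""
    if len(frame) < IPX_HEADER_LEN:
        raise ValueError("truncated IPX header")
    return IpxHeader(*struct.unpack(IPX_HEADER_FMT, frame[:IPX_HEADER_LEN]))


def classify(hdr: IpxHeader) -> str:
    """Label a frame by how it relates to the diagnostic-socket storm."""
    if hdr.dst_socket != DIAGNOSTIC_SOCKET:
        return "other"
    # Source node == broadcast is never legitimate: it is the spoofed trigger that
    # makes every stack reply to the broadcast address (and to each other).
    if hdr.src_node == BROADCAST_NODE and hdr.dst_node == BROADCAST_NODE:
        return "storm-trigger"
    # A query to the broadcast node from a real station: normal for management
    # tools, but the replies of a storm in progress look like this too.
    if hdr.dst_node == BROADCAST_NODE:
        return "diag-broadcast"
    return "diag-unicast"


def analyze(frames: Iterable[bytes], storm_threshold: int = 50) -> Tuple[Dict[str, int], bool]:
    """Count frame classes over a capture window and decide whether to alert.

    Alerts on any spoofed trigger, or on a volume of broadcast diagnostic traffic
    above the (constructed, site-tunable) threshold.  Unparseable frames are
    counted separately rather than silently dropped.
    """
    counts = {"storm-trigger": 0, "diag-broadcast": 0, "diag-unicast": 0,
              "other": 0, "malformed": 0}
    for frame in frames:
        try:
            counts[classify(parse_ipx_header(frame))] += 1
        except ValueError:
            counts["malformed"] += 1
    alert = counts["storm-trigger"] > 0 or counts["diag-broadcast"] >= storm_threshold
    return counts, alert


# Constructed sample frames (header only, length field = 30, packet type 4).
# Spoofed trigger as described in the post: both nodes broadcast, both sockets 0x456.
TRIGGER_FRAME = bytes.fromhex(
    "ffff001e0004" "00000000" "ffffffffffff" "0456" "00000000" "ffffffffffff" "0456")
# Ordinary diagnostic broadcast query from constructed station 00:00:1b:11:22:33.
DIAG_QUERY_FRAME = bytes.fromhex(
    "ffff001e0004" "00000000" "ffffffffffff" "0456" "00000000" "00001b112233" "4003")
# Unicast NCP request (socket 0x451), unrelated to the diagnostic socket.
NCP_FRAME = bytes.fromhex(
    "ffff001e0004" "00000000" "00001b445566" "0451" "00000000" "00001b112233" "4004")


if __name__ == "__main__":
    for name, frame in [("trigger", TRIGGER_FRAME), ("diag query", DIAG_QUERY_FRAME),
                        ("ncp", NCP_FRAME)]:
        print(f"{name:>10}: {classify(parse_ipx_header(frame))}")
    print(analyze([NCP_FRAME] * 3 + [TRIGGER_FRAME]))
```

In a real deployment the frames would come from a capture filtered to the IPX ethertype or the 802.2/802.3 NetWare framing types, and the threshold would be set from a baseline of how often management tools on the segment actually send diagnostic broadcasts; the source-node check needs no baseline at all, since a broadcast source address is invalid regardless of rate.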

