Full Disclosure mailing list archives

Juggling with packets


From: Bartlomiej Szymanski <baartt () baartt com>
Date: Wed, 05 Jul 2006 16:54:16 +0200

Hello,

I was trying to realize in practice the part (Class B data storage: disk queue) that W. Purczynski and M. Zalewski described in juggling_with_packets.txt.

"An example attack scenario:

  1. The user builds a list of SMTP servers (perhaps ones that provide
     a reasonable expectation of being beyond the reach of his foes),

  2. The user blocks (with block/drop, not reject) all incoming
     connections to his port 25.

  3. For each server, the attacker has to confirm its delivery timeouts
     and the IP from which the server connects back while trying to
     return a bounce. This is done by sending an appropriate probe to
     an address local to the server (or requesting a DSN notification
     for a valid address) and checking how long the server tries to
     connect back before giving up. The server does not have to be an
     open relay.

  4. After confirming targets, the attacker starts sending data at
     a pace chosen so that the process is spread evenly over the
     period of one week. The data should be divided so that there
     is one chunk per each server. Every chunk is sent to a separate
     server to immediately generate a bounce back to the sender.

  5. The process of maintaining the data boils down to accepting
     an incoming connection and receiving the return at most a week
     from the initial submission, just before the entry is about
     to be removed from the queue. This is done by allowing this
     particular server to go thru the firewall. Immediately after
     receiving a chunk, it is relayed back.

  6. To access any portion of data, the attacker has to look up which
     MTA is holding this specific block, then allow this IP to connect
     and deliver the bounce. There are three possible scenarios:

     - If the remote MTA supports ETRN command, the delivery can be
       induced immediately,

     - If the remote MTA was in the middle of a three-minute run in
       attempt to connect to a local system (keeps retrying thanks to
       the fact its SYN packets are dropped, not rejected with RST+ACK),
       the connection can be established in a matter of seconds,

     - Otherwise, it is necessary to wait between 5 minutes and
       an hour, depending on queue settings."



Did anyone actually accomplish this goal? Any luck?
I need to realize this attack scenario, because I need it for my Master's Thesis.
If you have any suggestions, just email me.

Regards,
Bartek Szymanski
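From the MTA operator's side, the scenario quoted above leaves a recognizable footprint: null-sender bounces whose delivery keeps failing with connection timeouts (dropped SYNs) rather than refusals (RST), sitting in the queue for days and adding up to a lot of bytes per destination host. The following Python, added here and not part of the post or of the juggling_with_packets.txt paper, scans constructed Postfix-style log lines for that pattern; the log text, the regexes and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log lines (not from the original post). The queue
# id links the qmgr line (envelope sender, size) to the smtp delivery attempt.
SAMPLE_LOG = """\
Jul  5 10:00:01 mx postfix/qmgr[201]: 1A2B3C: from=<>, size=2097152, nrcpt=1 (queue active)
Jul  5 10:00:03 mx postfix/smtp[310]: 1A2B3C: to=<data1@198.51.100.7>, relay=none, delay=172803, delays=172800/0/3/0, dsn=4.4.1, status=deferred (connect to 198.51.100.7[198.51.100.7]:25: Connection timed out)
Jul  5 10:00:05 mx postfix/qmgr[201]: 4D5E6F: from=<>, size=2097152, nrcpt=1 (queue active)
Jul  5 10:00:08 mx postfix/smtp[311]: 4D5E6F: to=<data2@198.51.100.7>, relay=none, delay=172806, delays=172800/0/6/0, dsn=4.4.1, status=deferred (connect to 198.51.100.7[198.51.100.7]:25: Connection timed out)
Jul  5 10:00:09 mx postfix/qmgr[201]: 7A8B9C: from=<>, size=4096, nrcpt=1 (queue active)
Jul  5 10:00:10 mx postfix/smtp[312]: 7A8B9C: to=<bob@203.0.113.9>, relay=none, delay=1, delays=0/0/1/0, dsn=4.4.1, status=deferred (connect to 203.0.113.9[203.0.113.9]:25: Connection refused)
Jul  5 10:00:11 mx postfix/qmgr[201]: 0D1E2F: from=<alice@example.org>, size=3145728, nrcpt=1 (queue active)
Jul  5 10:00:14 mx postfix/smtp[313]: 0D1E2F: to=<carol@198.51.100.7>, relay=none, delay=300, delays=297/0/3/0, dsn=4.4.1, status=deferred (connect to 198.51.100.7[198.51.100.7]:25: Connection timed out)
"""

QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=(\d+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^@>]+@([^>]+)>,.*delay=(\d+),"
                     r".*status=deferred \((.*)\)")

def find_parasitic_storage(log_text, min_msgs=2, min_bytes=1_000_000, min_delay=86400):
    """Return {host: stats} for destinations that look like they are parking
    our bounces as storage. Thresholds are assumed values for illustration."""
    envelopes = {}  # queue id -> (envelope sender, message size)
    per_host = defaultdict(lambda: {"msgs": 0, "bytes": 0, "max_delay": 0})
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            envelopes[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = SMTP_RE.search(line)
        if not m:
            continue
        qid, host, delay, reason = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        sender, size = envelopes.get(qid, (None, 0))
        # Only null-sender bounces stuck behind a silent (SYN-dropping) host count;
        # "Connection refused" means an RST came back, so nothing is being parked.
        if sender != "" or "timed out" not in reason:
            continue
        stats = per_host[host]
        stats["msgs"] += 1
        stats["bytes"] += size
        stats["max_delay"] = max(stats["max_delay"], delay)
    return {host: s for host, s in per_host.items()
            if s["msgs"] >= min_msgs and s["bytes"] >= min_bytes and s["max_delay"] >= min_delay}
```

On the sample above only 198.51.100.7 is flagged: two null-sender bounces of 2 MiB each have been retried for two days against a host that never answers, while the refused delivery and the message with a real sender are ignored.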

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/