Vulnerability Development mailing list archives

DOS in Win2k/XP in LAN


From: <sekure () hadrion com br>
Date: Tue, 18 Jun 2002 08:47:58 -0300

Hi Guys,

I noted that Win2k/XP and some WinME came with a little more security against
DoS. :)))

I believed that it was something like in Linux, which checks the source of
packets. If the source exists it processes the packet... else it is dropped, am I
correct? :)

Then I tried a simple opentear on a Windows 98... and the attack was:

05:36:44.098207 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 1:8@0+)
05:36:44.098302 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 2:8@0+)
05:36:44.098384 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 3:8@0+)
05:36:44.100777 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 4:8@0+)
05:36:44.100889 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 5:8@0+)
05:36:44.100965 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 6:8@0+)
05:36:44.101045 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 7:8@0+)
05:36:44.101125 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 8:8@0+)
05:36:44.101201 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 9:8@0+)
05:36:44.101281 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag 10:8@0+)
05:36:44.101358 30.0.0.0.30 > 192.168.151.13.daytime:  udp 0 (frag 11:8@0+)
05:36:44.101519 30.0.0.0.30 > 192.168.151.13.daytime:  udp 0 (frag 12:8@0+)
05:36:44.101596 30.0.0.0.30 > 192.168.151.13.daytime:  udp 0 (frag 13:8@0+)
05:36:44.101715 30.0.0.0.30 > 192.168.151.13.daytime:  udp 0 (frag 14:8@0+)

And I couldn't get packets from 192.168.151.13... it crashes... very fast! :)

Then I tried it on a WinXP... and received this traffic:

05:31:46.811094 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.811932 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812238 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812518 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812665 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812809 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812956 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded
05:31:46.813100 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded

Why does it happen?? Because they try to resolve the address 110.0.0.0 or
200.0.0.0 and the time to resolve is exceeded??

Why can't I see the resolution request from 192.168.151.183??

I was thinking... if I write code that, before sending the attack, sends
packets with the resolution (MAC of IP / ARP resolution) and then the
attack... will it work on Win2k/XP? :))

If I'm not wrong, the ARP table... can change on different OSes in a time
between 30 sec / 2 min. If I re-send this resolution every 29 sec, is that
sufficient to affect all OSes on a LAN... including Linux, no? :)

If someone knows some code or project that does something like this... please
send it to me.

Or if someone knows another project that does the same thing, but based on
another idea... please send me a URL. :)

Thanks a lot.

Best Regards.

[ ]'s
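The two captures above are the kind of thing a LAN monitor can spot from tcpdump text alone: many first fragments (offset 0, MF set) from one source with no closing fragment, and a burst of "ip reassembly time exceeded" replies from the target. The script below is an added example, not code from the poster or the list; it assumes tcpdump's text format as quoted above (ICMP lines unwrapped onto one line), and the thresholds and the sample timestamps are constructed for illustration.

```python
"""Flag incomplete-fragment floods (the opentear-style traffic above) and bursts of
'ip reassembly time exceeded' replies in tcpdump text output. Added example."""
import re
from collections import defaultdict

# Fragment line as tcpdump prints it: '<ts> <src> > <dst>:  udp <len> (frag <id>:<size>@<off>[+])'
FRAG_RE = re.compile(r"^(\S+) (\S+) > (\S+):\s+udp \d+ \(frag (\d+):\d+@(\d+)(\+?)\)")
# ICMP reply, assumed unwrapped onto one line (the archive wraps it after 'time').
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: ip reassembly time exceeded")

def analyze(lines, frag_threshold=8, icmp_threshold=5):
    """Return (kind, src, dst, count) findings. Thresholds are illustrative assumptions."""
    # (src, dst) -> frag id -> whether we saw its first (offset 0) and last (no '+') piece
    frags = defaultdict(lambda: defaultdict(lambda: {"first": False, "last": False}))
    icmp = defaultdict(int)  # (replying host, original sender) -> reply count
    for line in lines:
        m = FRAG_RE.match(line)
        if m:
            key, frag_id, offset, more = (m.group(2), m.group(3)), m.group(4), int(m.group(5)), m.group(6)
            piece = frags[key][frag_id]
            piece["first"] |= offset == 0
            piece["last"] |= more == ""   # no trailing '+' means MF bit clear: last fragment
            continue
        m = ICMP_RE.match(line)
        if m:
            icmp[(m.group(2), m.group(3))] += 1
    findings = []
    for (src, dst), ids in frags.items():
        # Datagrams that started but never finished: these sit in the reassembly queue until timeout
        incomplete = sum(1 for p in ids.values() if p["first"] and not p["last"])
        if incomplete >= frag_threshold:
            findings.append(("fragment-flood", src, dst, incomplete))
    for (replier, target), n in icmp.items():
        if n >= icmp_threshold:
            findings.append(("reassembly-timeouts", replier, target, n))
    return findings

# Constructed sample modelled on the two captures in the post (timestamps are made up)
SAMPLE = (
    [f"05:36:44.{i:06d} 20.0.0.0.20 > 192.168.151.13.12:  udp 0 (frag {i}:8@0+)" for i in range(1, 11)]
    + [f"05:36:44.{i:06d} 30.0.0.0.30 > 192.168.151.13.daytime:  udp 0 (frag {i}:8@0+)" for i in range(11, 15)]
    + ["05:31:46.811094 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded"] * 5
    + ["05:31:46.812809 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded"] * 3
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding)
```

A datagram whose last fragment (no trailing '+') does arrive is not counted, so ordinary fragmented UDP such as large DNS replies does not trip the first rule.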