Home page logo
/

basics logo Security Basics mailing list archives

Re: Smurf ,land attacks
From: Paulo Abrantes <ghostrider () box sk>
Date: Mon, 11 Nov 2002 22:19:26 +0000

Hello Vik,

What the attacker does is not allowing the Kernel to fill in the IP datagram 
from the packet he's spoofing, and filling it by himself/herself. 
How can (s)he do that? 
Well, the best way I know, and probably is the way that land.c (that you mention) 
uses (I do do not know the source of that program) is creating a RAW socket. 
Then using a function called setsocketop() enabling the option IP_HDRINCL which 
allows you to include your own IP Header. This way it's you that create the all
the IPheader including  IP Source Address.

For further information give a look at raw(7) man page.

Regards, 

P. Abrantes 

On Sat, 9 Nov 2002 13:10:11 -0700
"Vik Evans" <vevans () packeteye phxcoxmail com> wrote:

My question is this: how does an attacker accomplish modifying a packet and
sending it; such as in a land.c attack - how does he modify the packet to
reflect the victim's source and destination IP and then send it onto the
wire?

-----Original Message-----
From: Fuchs Bernhard [mailto:Bernhard.Fuchs () itellium com]
Sent: Tuesday, November 05, 2002 5:58 AM
To: 'vijay vikram shreenivos'; security-basics () securityfocus com
Subject: AW: Smurf ,land attacks


Hi there!

with "IP spoofing" you give a different source address to the packet. the
address is different to your real address. You do this for cloaking your
scan or if company A scans company B and spoofes the address of company c.
so company b thinks it is company c scanning them! o.k.? but company a will
not get any results back! this is mostly to cloak your own scan.

Smurf is a DoS-Attack (denial of service)
You Amplifi your ping through a big network. You ping a subnet like
x.x.x.255 with an SPOOFED IP-Adress and every computer on that big net
responses to the poor little machine  that has the IP-Adress. Think of class
B subnet with a few hosts reply to a ADSL connected machine... 1500kb
download and 196 kb upload :-)

land attack is a TCP SYN packet that has the ip address and port number for
the source set to the same as the ip address and port number for the
destination. the server connects to itself.


any comments?

by the way, google knows it too :-)

Mit freundlichen Grüßen/ sincerely yours


Bernhard Fuchs
Junior System-Engineer
IT-Infrastruktur

ITELLIUM
Systems & Services GmbH
Fürther Straße 205
90429 Nürnberg

Tel.:   +49-911-14-27321
Fax:    +49-911-14-22016
mailto:bernhard.fuchs () itellium com
http://www.itellium.com

This email is confidential. If you are not the intended recipient, you must
not disclose or use the information contained in it. If you have received
this mail in error, please tell us immediately by return email and delete
the document. E-mails to and from the company are monitored for operational
reasons and in accordance with lawful business practices. The contents of
this email are those of the individual and do not necessarily represent the
views of the company. The company accepts no responsibility once an e-mail
and any attachments is sent.



-----Ursprüngliche Nachricht-----
Von: vijay vikram shreenivos [mailto:karpagamekapali () rediffmail com]
Gesendet: Samstag, 2. November 2002 08:15
An: security-basics () securityfocus com
Betreff: Smurf ,land attacks


Hi list,


Can someone give the EXACT differences btw

SMURF
LAND
and IP soofing attacks.

karpagamekapalidurgau
__________________________________________________________
Give your Company an email address like
ravi @ ravi-exports.com.  Sign up for Rediffmail Pro today!
Know more. http://www.rediffmailpro.com/signup/




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]