Home page logo

basics logo Security Basics mailing list archives

Re: Smurf ,land attacks
From: Donnie Tognazzini <don_tog () yahoo com>
Date: Sat, 16 Nov 2002 23:03:53 -0800 (PST)

If you want full control of network read/writes use
libnet/libpcap.. have a look at tcpdump.org.. 

Using libnet/libpcap you can write directly to the

--- Paulo Abrantes <ghostrider () box sk> wrote:
Hello Vik,

What the attacker does is not allowing the Kernel to
fill in the IP datagram 
from the packet he's spoofing, and filling it by
How can (s)he do that? 
Well, the best way I know, and probably is the way
that land.c (that you mention) 
uses (I do do not know the source of that program)
is creating a RAW socket. 
Then using a function called setsocketop() enabling
the option IP_HDRINCL which 
allows you to include your own IP Header. This way
it's you that create the all
the IPheader including  IP Source Address.

For further information give a look at raw(7) man


P. Abrantes 

On Sat, 9 Nov 2002 13:10:11 -0700
"Vik Evans" <vevans () packeteye phxcoxmail com> wrote:

My question is this: how does an attacker
accomplish modifying a packet and
sending it; such as in a land.c attack - how does
he modify the packet to
reflect the victim's source and destination IP and
then send it onto the

-----Original Message-----
From: Fuchs Bernhard
[mailto:Bernhard.Fuchs () itellium com]
Sent: Tuesday, November 05, 2002 5:58 AM
To: 'vijay vikram shreenivos';
security-basics () securityfocus com
Subject: AW: Smurf ,land attacks

Hi there!

with "IP spoofing" you give a different source
address to the packet. the
address is different to your real address. You do
this for cloaking your
scan or if company A scans company B and spoofes
the address of company c.
so company b thinks it is company c scanning them!
o.k.? but company a will
not get any results back! this is mostly to cloak
your own scan.

Smurf is a DoS-Attack (denial of service)
You Amplifi your ping through a big network. You
ping a subnet like
x.x.x.255 with an SPOOFED IP-Adress and every
computer on that big net
responses to the poor little machine  that has the
IP-Adress. Think of class
B subnet with a few hosts reply to a ADSL
connected machine... 1500kb
download and 196 kb upload :-)

land attack is a TCP SYN packet that has the ip
address and port number for
the source set to the same as the ip address and
port number for the
destination. the server connects to itself.

any comments?

by the way, google knows it too :-)

Mit freundlichen Grüßen/ sincerely yours

Bernhard Fuchs
Junior System-Engineer

Systems & Services GmbH
Fürther Straße 205
90429 Nürnberg

Tel.:   +49-911-14-27321
Fax:    +49-911-14-22016
mailto:bernhard.fuchs () itellium com

This email is confidential. If you are not the
intended recipient, you must
not disclose or use the information contained in
it. If you have received
this mail in error, please tell us immediately by
return email and delete
the document. E-mails to and from the company are
monitored for operational
reasons and in accordance with lawful business
practices. The contents of
this email are those of the individual and do not
necessarily represent the
views of the company. The company accepts no
responsibility once an e-mail
and any attachments is sent.

-----Ursprüngliche Nachricht-----
Von: vijay vikram shreenivos
[mailto:karpagamekapali () rediffmail com]
Gesendet: Samstag, 2. November 2002 08:15
An: security-basics () securityfocus com
Betreff: Smurf ,land attacks

Hi list,

Can someone give the EXACT differences btw

and IP soofing attacks.


Give your Company an email address like
ravi @ ravi-exports.com.  Sign up for Rediffmail
Pro today!
Know more. http://www.rediffmailpro.com/signup/

Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]