Home page logo
/

Security Incidents mailing list archives

Re: bubonic.c -- random TCP segment DoS tool
From: Andrew Griffiths <griffiths_a () scholar don tased edu au>
Date: Tue, 29 Aug 2000 13:02:15 +1100

Richard and Amy Bejtlich wrote:

Hello,


G'day!


As if we didn't have enough trouble deciphering traffic, I noticed a DoS
tool which appeared at http://www.antioffline.com/ today called bubonic.c.
All it does it send pseudo-random TCP traffic, but it could be enough to
confuse intrusion detectors.  Here's a snapshot of some of the traffic:


<snip>


You can see a full log captured here:  http://www.antioffline.com/logged

You may noticed certain recurring traffic characteristics, like the sequence
numbers, window sizes, and urg pointers.


Changing this is trivial. These values are initalised once, when ran again,
they should change. (I can't remember how it sets it random numbers up). And
from memory, these values should change infrequently. Of course it would make
the traffic even more psuedo-random.


Now, imagine the responses from a machine hit by this DoS attempt,
especially if the source addresses are spoofed and third party effects hit
an innocent bystander!

I expand on the "third party effect" problem in a paper available at
http://bejtlich.net and
http://securityfocus.com/data/library/nid_3pe_v1.pdf.

Enjoy,

Richard


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]