Dos/smurf/icmp/tcpdump/snmp-mib2

Post by Qiming H » Sun, 03 Feb 2002 06:13:50

Hi guys:

I am trying to see how a smurf-like ICMP broadcast flooder works (from the site http://www.cotse.com/dos.htm).

Both the attacker and the victim are Redhat Linux 7.1 boxes (kernel 2.4)
in the same subnet (192.168.1.0).

I create a broadcast file
% echo "192.168.1.255" > bcast
and run smurf in 192.168.250 to attack 192.168.1.100
%./smurf 192.168.1.100 bcast 0 1 100

(FYI: smurf.c v4.0 by TFreak
 usage: ./smurf <target> <bcast file> <num packets> <packet delay> <packet size>
target        = address to hit
bcast file    = file to read broadcast addresses from
num packets   = number of packets to send (0 = flood)
packet delay  = wait between each packet (in ms)
packet size   = size of packet (< 1024)
)

I run tcpdump at 192.168.1.100 (victim):
%tcpdump icmp
and get something like:
%tcpdump icmp
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
14:26:10.668147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.688147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.708147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.728147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.748147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request

Question: Why is there no echo reply? I also checked the SNMP MIB entry
.iso.org.dod.internet.mgmt.mib-2.icmp.icmpInMsgs
It is not incremented.

FYI: I checked
/proc/sys/net/ipv4/icmp_echo_ignore_all
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

ALL 0, which means I am NOT ignoring any broadcast packets.
I verify it by checking
%ping -f 192.168.1.100
I do get a lot of echo replies like:
15:54:33.098147 eth1 < 192.168.1.100 > 192.168.1.82: icmp: echo request
15:54:33.118147   lo > 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)
15:54:33.118147   lo < 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)
15:54:33.118147   lo > 192.168.1.100 > 192.168.1.100: icmp: echo reply (DF)
15:54:33.118147   lo < 192.168.1.100 > 192.168.1.100: icmp: echo reply (DF)
15:54:33.118147   lo > 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)

and the SNMP ICMP entry is also incremented.

Question: what else do I need to do to make smurf really "work"?

many thanks


Dos/smurf/icmp/tcpdump/snmp-mib2

Post by RainbowHa » Sun, 03 Feb 2002 18:26:31

< Qiming He
8<

>Both the attacker and the victim are Redhat Linux 7.1 boxes (kernel 2.4)
>in the same subnet (192.168.1.0)
8<
>Question: Why is there no echo reply?
8<
>Question: what else do I need to do to make smurf really "work"?

You need one more PC or router in your experimental environment.
A smurf attack needs amplifiers (routers with loose settings).

attacker
 |
 |     spoofed SRC IP=victim
 |     ICMP echo request
 V
amplifiers, amplifiers, ...
 |
 |     many ICMP echo reply
 V
victim

If there are no loose admins (no routers with loose settings), the smurf attack
has only historical value. You can run it in an experimental environment
for research purposes. Don't run it on a real network.

--
Best Regards,
RainbowHat. I support FULL DISCLOSURE.
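Turning RainbowHat's diagram into a check a defender can run over captures like the ones Qiming posted, as an added example that is not part of either post: it parses the thread's tcpdump line format and counts the three smurf signatures seen from the victim (inbound echo requests that claim the victim's own address as source, echo requests aimed at the subnet broadcast address, and echo replies arriving from many distinct hosts). The function name, the threshold and the three reply lines appended to the quoted capture are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Matches the kernel-2.4-era tcpdump lines quoted in the thread, e.g.
# "14:26:10.668147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request"
# ("<" = frame received on that interface, ">" = frame sent by this host).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+(?P<dir>[<>])\s+(?P<src>[\d.]+)\s+>\s+"
    r"(?P<dst>[\d.]+):\s+icmp:\s+echo (?P<kind>request|reply)"
)

def smurf_indicators(lines, own_addrs, local_net, reply_src_threshold=3):
    """Count three smurf signatures visible in a capture taken on the victim:
    inbound echo requests that claim one of our own addresses as source,
    echo requests aimed at the subnet broadcast address, and destinations
    receiving echo replies from at least reply_src_threshold distinct hosts."""
    own = {ip_address(a) for a in own_addrs}
    bcast = ip_network(local_net).broadcast_address
    spoofed, to_bcast = Counter(), Counter()   # keyed by claimed source
    reply_srcs = defaultdict(set)              # destination -> replying hosts
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICMP echo line (e.g. the tcpdump banner)
        p = m.groupdict()
        src, dst = ip_address(p["src"]), ip_address(p["dst"])
        if p["kind"] == "request":
            if p["dir"] == "<" and src in own:
                spoofed[str(src)] += 1
            if dst == bcast:
                to_bcast[str(src)] += 1
        else:
            reply_srcs[str(dst)].add(str(src))
    amplified = {d: len(s) for d, s in reply_srcs.items()
                 if len(s) >= reply_src_threshold}
    return {"spoofed_own_source": dict(spoofed),
            "bcast_echo_request": dict(to_bcast),
            "amplified_replies": amplified}

# Constructed sample: three request lines quoted in the thread, plus three
# constructed echo replies showing what amplification looks like at the victim.
SAMPLE = """\
14:26:10.668147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.688147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.708147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.750000 eth1 < 192.168.1.10 > 192.168.1.100: icmp: echo reply
14:26:10.750100 eth1 < 192.168.1.11 > 192.168.1.100: icmp: echo reply
14:26:10.750200 eth1 < 192.168.1.12 > 192.168.1.100: icmp: echo reply
""".splitlines()
print(smurf_indicators(SAMPLE, ["192.168.1.100"], "192.168.1.0/24"))
```

On Qiming's capture alone, only the first two counters fire: the requests are reaching the broadcast address with a forged victim source, but no amplifier is answering, which is exactly the missing piece RainbowHat describes.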