ru.nethack
- RU.NETHACK -------------------------------------------------------------------
 From : NiK                              2:5020/968.79  28 Apr 2000  14:01:19
 To : Abrasha Shapirus
 Subject : DoS
--------------------------------------------------------------------------------

AS> what is a DoS attack?
AS> everyone keeps talking about it..

Denial Of Service Attacks

These Denial of Service Programs are provided so system administrators can test their own systems for vulnerabilities. By downloading these programs, you assume full responsibility for any damage that their use may cause. The Denial of Service source codes below are "unix to unix" or "unix to windows". For Microsoft Windows NT, installing the latest Service Pack will protect you from most of these attacks. For linux, it is recommended that you install the latest kernel.

tfn2k.tgz
tfn.tgz
trinoo.tgz

Ping of Death

IP packets as per RFC-791 can be up to 65,535 (2^16-1) octets long, which includes the header length (typically 20 octets if no IP options are specified). Packets that are bigger than the maximum size the underlying layer can handle (the MTU) are fragmented into smaller packets, which are then reassembled by the receiver.

    ping -l 65510 the.host.ip.address

Jolt/SSPING

SSPING/Jolt is a program which will effectively freeze almost any Windows95 or Windows NT connection. It's based on old code which freezes old SysV and Posix implementations. It works basically by sending a series of spoofed & fragmented ICMP packets to the target, which build up to be a 64k ping, and Windows95/NT then ceases to function altogether.

An ICMP ECHO request "lives" inside the IP packet, consisting of eight octets of ICMP header information (RFC-792) followed by the number of data octets in the "ping" request. Hence the maximum allowable size of the data area is 65535 - 20 - 8 = 65507 octets.
Computers running Windows NT or Windows 95 may stop responding (hang) when they receive corrupt Internet Control Message Protocol (ICMP) datagram fragments from a client.

teardrop.c bonk.c boink.c newtear.c targa.c targa12.c targa2.c targa3.c
Aggressor Exploit Generator 0.85 for Windows

The modified teardrop attack works by sending pairs of deliberately constructed IP fragments which are reassembled into an invalid UDP datagram. Overlapping offsets cause the second packet to overwrite data in the middle of the UDP header contained in the first packet in such a way that the datagrams are left incomplete.

As Windows NT receives these invalid datagrams, it allocates kernel memory. If enough of these invalid datagrams are received, Windows NT may hang with a STOP 0x0000000A or 0x00000019.

nestea.c

Exploits the "off by one ip header" bug in the linux ip frag code. Crashes linux 2.0.* and 2.1.* and some windows boxes. This vulnerability is fixed in 2.0.35 and greater kernels, available at kernel.org.

sesquipedalian.c

Affects Linux kernels between 2.1.89 and 2.2.3. This sends a series of IP fragments such that a 0 length fragment is first in the fragment list. This causes a reference count on the cached routing information for that packet's originator to be incremented one extra time. This makes it impossible for the kernel to deallocate the destination entry and remove it from the cache.

snork.c

It is possible for a malicious attacker to send spoofed RPC datagrams to UDP destination port 135 so that it appears as if one RPC server sent bad data to another RPC server. The second server returns a REJECT packet and the first server (the spoofed server) replies with another REJECT packet, creating a loop that is not broken until a packet is dropped, which could take a few minutes. If this spoofed UDP packet is sent to multiple computers, a loop could possibly be created, consuming processor resources and network bandwidth.
NT 4.0 Service Pack 4

land.c:

It seems that a few Operating Systems can't handle a type of IP packet from the same host and port. A packet spoofed to the victim's hostname and port can cause them to crash.

killwin.c (Modified Winnuke):

A sender specifies "Out of Band" data to your NETBIOS port (139) by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows. Windows NT expects normal data to follow.

NT 4.0 Service Pack 4
IP DoS Attack Patch for 95 Winsock 1.1
IP DoS Attack Patch for 95 Winsock 2
vtcpupd.exe (Also Needed for 95)
Linux patch

Pentium Bug

When an Intel processor receives a specific invalid instruction, your computer may stop responding (hang). Your computer must be turned off and restarted to return to normal operation.

NT 4.0 Service Pack 4

Chargen Denial of Service Attack

A malicious attack may be mounted against Windows NT computers with the Simple TCP/IP Services installed. The attack consists of a flood of UDP datagrams sent to the subnet broadcast address with the destination port set to 19 (chargen) and a spoofed source IP address. The Windows NT computers running Simple TCP/IP services respond to each broadcast, creating a flood of UDP datagrams.

Symptoms: As your computer is being attacked there may be a jump in bandwidth utilization on a subnet containing Windows NT computers and performance may suffer. A network analyzer shows a large amount of UDP traffic, typically from port 19 (chargen).

NT 4.0 Service Pack 4

synk4.c SYN Flooder

A TCP connection request (SYN) is sent to the target computer. The source IP address in the packet is "spoofed," or replaced with an address that is not in use on the Internet, or that belongs to another computer. An attacker will send many of these TCP SYNs to tie up as many resources as possible on the target computer.
Upon receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK". In this case, the response is sent to the "spoofed" non-existent IP address. No response is received to the SYN-ACK. A default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response, and deallocates the resources that were set aside earlier for the connection. The total elapsed time that resources are in use is 189 seconds.

How to Verify Your Computer is Under a SYN Attack

If you suspect that your computer is the target of a SYN attack, you can type the following command at a command prompt to view connections in the "SYN_RECEIVED" state:

    netstat -n -p tcp

This command may cause the following text to appear on your screen:

    Active Connections

      Proto  Local Address      Foreign Address      State
      TCP    127.0.0.1:1030     127.0.0.1:1032       ESTABLISHED
      TCP    127.0.0.1:1032     127.0.0.1:1030       ESTABLISHED
      TCP    10.57.8.190:21     10.57.14.154:1256    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1257    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1258    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1259    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1260    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1261    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1262    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1263    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1264    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1265    SYN_RECEIVED
      TCP    10.57.8.190:21     10.57.14.154:1266    SYN_RECEIVED
      TCP    10.57.8.190:4801   10.57.14.221:139     TIME_WAIT

If a large number of connections are in the SYN_RECEIVED state, it is possible that the system is under attack.
A network analyzer can be used to track the problem down further, and it may be necessary to contact your Internet Service Provider for assistance in attempting to trace the source.

The effect of tying up connection resources varies, depending upon the TCP/IP stack and applications listening on the TCP port. For most stacks, there is a limit on the number of connections that can be in the half-open (SYN_RECEIVED) state. Once the limit is reached for a given TCP port, the target computer responds with a reset to all further connection requests until resources are freed.

smurf.c
fraggle.c                        Smurf UDP variant
papasmurf.c papasmurf-linux.c    Smurf/Fraggle combination

Spoofs ICMP packets from a host to various broadcast addresses resulting in multiple replies to that host from a single packet. Use broadscan.c to find the necessary broadcast addresses.

Minimizing the Effects of "Smurfing" Denial of Service (DoS) Attacks
smurflog-1.1.tar.gz

octopus.c

Opens as many sockets with a remote host as can be supported by both machines.

eyedentdee.c

attack against inetd services.
Patch: xinetd 2.1.8.4p4

pingflood.c

When ping runs it normally sends an ICMP ECHO_REQUEST every second. It accomplishes this using the alarm system call and waiting for a SIGALRM signal from the kernel. Pingflood simply sends a lot of SIGALRM signals to the ping process. It can do this because the ping process is owned by the user.

secureping-1.0.tar.gz
- Admin-definable packet size limits for root and non-root users.
- Log attempted unauthorized flood/preload and over-size-limit attempts.
- Log and prevent SIGALRM-bomb floods.
- REAL simple + easy Libc/Glibc support

Regards, NiK.
np: ENIGMA - ENIGMA - 2
... [Team THE DOORS] [FidoNET USE \\GolDEd+/386 1.1.4 ] [Team Beginner]
--- GoldED+/386 1.1.4.3
 * Origin: -----====>}[TEAM Kn0pKa]{<====----- My Address - (2:5020/968.79)
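Added example, not part of NiK's message or the text it quotes: a Python check that counts SYN_RECEIVED rows per listening endpoint in `netstat -n -p tcp` output and recomputes the 189-second hold time from the retransmission schedule described in the SYN flood section. The function names and the alert threshold are assumptions chosen for illustration; the sample rows are shortened from the netstat output in the message.

```python
import re
from collections import Counter

# Sample shortened from the netstat output quoted in the message.
SAMPLE = """\
Active Connections

  Proto  Local Address      Foreign Address      State
  TCP    127.0.0.1:1030     127.0.0.1:1032       ESTABLISHED
  TCP    10.57.8.190:21     10.57.14.154:1256    SYN_RECEIVED
  TCP    10.57.8.190:21     10.57.14.154:1257    SYN_RECEIVED
  TCP    10.57.8.190:21     10.57.14.154:1258    SYN_RECEIVED
  TCP    10.57.8.190:21     10.57.14.154:1259    SYN_RECEIVED
  TCP    10.57.8.190:4801   10.57.14.221:139     TIME_WAIT
"""

# One TCP row: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
# Windows prints SYN_RECEIVED; Linux netstat prints SYN_RECV.
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}


def half_open_by_listener(netstat_text):
    """Count half-open connections per local (address, port)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(5) in HALF_OPEN:
            counts[(m.group(1), int(m.group(2)))] += 1
    return counts


def suspect_listeners(netstat_text, threshold):
    """Listeners whose half-open count reaches the (assumed) threshold."""
    counts = half_open_by_listener(netstat_text)
    return sorted(ep for ep, n in counts.items() if n >= threshold)


def hold_seconds(initial_timeout=3, retransmits=5):
    """Seconds one unanswered SYN keeps its resources allocated.

    The time-out doubles after each retransmission, and the last
    retransmission is followed by one more doubled wait.
    """
    return sum(initial_timeout * 2 ** k for k in range(retransmits + 1))


if __name__ == "__main__":
    print(suspect_listeners(SAMPLE, threshold=3))
    print(hold_seconds())
```
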