Re: ARPNuke - 80 kb/s kills a whole subnet

From: Raptor (raptorat_private)
Date: Mon Jul 30 2001 - 10:55:45 PDT

    Obviously you need to be in the local ethernet segment to accomplish an
    attack like that. I wrote a similar tool a couple of years ago, called
    havoc. It can be downloaded from http://packetstormsecurity.org/DoS/havoc-0.1c.tgz
    and can be easily modified to suit your particular needs.
    
    Cheers,
    :raptor
    
    
    On Mon, 30 Jul 2001, Paul Starzetz wrote:
    
    > There is an ARP table handling bug in Microsoft Windows protocol
    > stacks. It seems that the arp handling code uses some inefficient data
    > structure (maybe a simple linear table?) to manage the ARP entries.
    > Sending a huge amount of 'random' (that is random source IP and
    > arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
    > lock up. The machine wakes up after the packets stream has been stopped.
    >
    > The needed traffic is not really high: the attached ARPkill code will
    > send an initial sequence of about 10000 ARP packets, then go to 'burst
    > mode' sending definable short burst of random ARP packets every 10 msec.
    > The lockup occurred at about 80kb/sec (seq about 45) on a PII/350.
    >
    > Even worse: it seems that it is possible to kill a whole subnet using
    > broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary
    > source IP.
    
    Antifork Research, Inc.                         @ Mediaservice.net Srl
    http://www.0xdeadbeef.eu.org                    http://www.mediaservice.net
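
The following Python is an added example, not code from this thread or from the tools it mentions. It watches ARP frames for the pattern the quoted report describes (many frames carrying never-before-seen sender IP/MAC pairs within a short window); the thresholds, all names, and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import deque

def parse_arp(frame):
    """Return (sender_mac, sender_ip) of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    etype, htype, ptype, hlen, plen = struct.unpack("!HHHBB", frame[12:20])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return frame[22:28], frame[28:32]

class ArpChurnDetector:
    """Alert when more than max_new unseen sender bindings arrive within one window."""
    def __init__(self, window=1.0, max_new=50, table_cap=4096):
        self.window, self.max_new, self.table_cap = window, max_new, table_cap
        self.known = {}                           # sender IP -> sender MAC
        self.recent = deque(maxlen=max_new + 1)   # times of unseen/changed bindings

    def observe(self, ts, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return False
        mac, ip = parsed
        if self.known.get(ip) != mac:
            self.recent.append(ts)
            # Bounded table: a flood must not grow the detector's own state.
            if ip in self.known or len(self.known) < self.table_cap:
                self.known[ip] = mac
        while self.recent and ts - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent) > self.max_new

def make_frame(mac, ip, dst=b"\xff" * 6):
    """Constructed sample input: a 42-byte ARP request with the given sender fields."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac, ip, b"\0" * 6, bytes([10, 0, 0, 1]))
    return dst + mac + b"\x08\x06" + arp

def demo():
    """Feed constructed quiet traffic, then a burst of distinct sender bindings."""
    det = ArpChurnDetector()
    hosts = [(bytes([2, 0, 0, 0, 0, i]), bytes([10, 0, 0, i])) for i in range(2, 7)]
    quiet = [det.observe(t * 0.5, make_frame(*hosts[t % 5])) for t in range(40)]
    burst = [det.observe(30 + n * 0.001,
                         make_frame(bytes([2, 0, 0, 1, n >> 8, n & 255]),
                                    bytes([10, 9, n >> 8, n & 255])))
             for n in range(200)]
    return any(quiet), burst.index(True)   # (alert during quiet?, first alerting frame)
```

Both the binding table and the timestamp queue are capped, so the monitor does not repeat the unbounded-table behaviour the report attributes to the affected stacks.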
    



    This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 12:19:23 PDT