Hi Guys,

I noted that win2k/XP and some winME arrived with a little more security against DoS. :))) I believed that it was something like in Linux, which checks the source of packets. If the source exists it processes the packet... else it is dropped, am I correct? :)

Then I tried a simple opentear against a Windows 98... and the attack was:

05:36:44.098207 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 1:8@0+)
05:36:44.098302 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 2:8@0+)
05:36:44.098384 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 3:8@0+)
05:36:44.100777 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 4:8@0+)
05:36:44.100889 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 5:8@0+)
05:36:44.100965 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 6:8@0+)
05:36:44.101045 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 7:8@0+)
05:36:44.101125 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 8:8@0+)
05:36:44.101201 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 9:8@0+)
05:36:44.101281 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag 10:8@0+)
05:36:44.101358 30.0.0.0.30 > 192.168.151.13.daytime: udp 0 (frag 11:8@0+)
05:36:44.101519 30.0.0.0.30 > 192.168.151.13.daytime: udp 0 (frag 12:8@0+)
05:36:44.101596 30.0.0.0.30 > 192.168.151.13.daytime: udp 0 (frag 13:8@0+)
05:36:44.101715 30.0.0.0.30 > 192.168.151.13.daytime: udp 0 (frag 14:8@0+)

And I can't get packets from 192.168.151.13 ... it crashes... very fast! :)

Then I tried against a winXP ... and received this traffic:

05:31:46.811094 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.811932 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812238 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812518 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812665 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812809 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded
05:31:46.812956 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded
05:31:46.813100 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded

Why did it happen?? Because they try to resolve the address 110.0.0.0 or 200.0.0.0 and the time to resolve was exceeded?? Why can't I see the resolution request from 192.168.151.183??

I was thinking... if I write code that, before sending the attack, sends packets with the resolution (MAC of IP/ARP resolution) and then the attack... will it work on win2k/XP? :)) If I'm not wrong, the ARP table ... can change in different OSes in a time between 30 sec / 2 min. If I re-send this resolution in 29 sec, is that sufficient to affect all OSes in a LAN... including Linux, no? :)

If someone knows some code or project that does something like this... please send it to me. Or if someone knows another project that does the same thing, but based on another idea... please send me a URL. :)

Thanks a lot.

Best Regards.

[ ]'s
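A defensive reading of the two captures above, as an added example that is not part of the original post: every fragment in the first capture has the More Fragments flag set (the trailing "+") at offset 0 and no final fragment ever follows, and "ip reassembly time exceeded" is the ICMP type 11 code 1 error a host sends when it discards such an unfinished datagram. The function names, the threshold of 5 and the sample lines (built in the format of the post's captures, plus one benign control datagram) are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Old tcpdump notation: (frag ID:SIZE@OFFSET+), trailing "+" = More Fragments set.
FRAG_RE = re.compile(r"^\S+ (\S+) > (\S+): .*\(frag (\d+):(\d+)@(\d+)(\+?)\)")
ICMP_RE = re.compile(r"^\S+ (\S+) > \S+: icmp: ip reassembly time exceeded")

def host(endpoint):
    """Drop the port/service suffix tcpdump appends to UDP endpoints."""
    return ".".join(endpoint.split(".")[:4])

def is_complete(frags):
    """True if a final (MF clear) fragment exists and no hole precedes its end."""
    finals = [off + size for off, size, mf in frags if not mf]
    if not finals:
        return False                      # the last fragment never arrived
    covered = 0
    for off, size, _ in sorted(frags):
        if off > covered:
            return False                  # gap in the byte range
        covered = max(covered, off + size)
    return covered >= finals[0]

def analyze(lines, threshold=5):
    """Return ({dst: unfinished datagrams >= threshold}, {reporter: timeouts})."""
    datagrams, timeouts = defaultdict(list), defaultdict(int)
    for line in lines:
        m = FRAG_RE.match(line)
        if m:
            src, dst, ip_id, size, off, mf = m.groups()
            key = (host(src), host(dst), int(ip_id))
            datagrams[key].append((int(off), int(size), mf == "+"))
        elif (m := ICMP_RE.match(line)):
            timeouts[m.group(1)] += 1
    incomplete = defaultdict(int)
    for (_, dst, _), frags in datagrams.items():
        if not is_complete(frags):
            incomplete[dst] += 1
    return {d: n for d, n in incomplete.items() if n >= threshold}, dict(timeouts)

# Constructed sample: six orphan fragments and two ICMP errors in the post's
# format, plus a benign datagram (id 77) that is properly completed.
SAMPLE = [f"05:36:44.098207 20.0.0.0.20 > 192.168.151.13.12: udp 0 (frag {i}:8@0+)"
          for i in range(1, 7)] + [
    "05:40:00.000001 10.0.0.5.1024 > 192.168.151.13.53: udp 1472 (frag 77:1480@0+)",
    "05:40:00.000002 10.0.0.5 > 192.168.151.13: (frag 77:20@1480)",
    "05:31:46.811094 192.168.151.183 > 110.0.0.0: icmp: ip reassembly time exceeded",
    "05:31:46.812809 192.168.151.183 > 20.0.0.0: icmp: ip reassembly time exceeded"]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A burst of unfinished datagrams toward one host, or a host emitting many reassembly timeouts to sources that never sent a complete datagram, is the pattern to alert on.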
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 08:43:45 PDT