libnet usage examples (9)
Author: Primary Four (scz@nsfocus.com)
Home Page: http://www.nsfocus.com
Date: 2000-08-15

This installment continues the libnet programming examples with the IGMP attack. I have not used the IGMP patch myself. For PWIN98, IGMP is of no real use anyway, so Yuan Ge's method can be considered: search with UltraEdit for 6A 02 E8 and change it to 6A F2 E8. Here 02 is the IGMP protocol number; after the change the stack treats F2 as IGMP, so every attack that relies on the standard IGMP protocol number becomes ineffective, at the cost, of course, of no longer being able to use the IGMP protocol. You need not use F2; any other value will do.

It may help to review a little of the IP protocol first, the basics of IP fragmentation:

1) TOS should specify only one of its bits; setting several at once is meaningless. Whether that is permitted, and how the receiver handles it, depends on the particular implementation and may produce an error.

2) An IP fragment carries almost the same IP header as the complete IP datagram, and the ID field is the same in every fragment, so that on reassembly the fragments belonging to the same datagram can be identified. Flags occupies the highest 3 bits, read from left to right, high to low: the leftmost bit is reserved and should be zero (what happens when it is not is unclear); the middle bit set to 1 means the datagram must not be fragmented, so a router that would have to fragment it because of the MTU must drop the datagram and notify the source host via ICMP, and it should not be set unless there is a special need; the rightmost bit set to 1 means this is not the last fragment of the datagram.

3) For a complete, unfragmented IP datagram, Flags is zero and Fragment Offset is zero. The first IP fragment has the rightmost Flags bit set and Fragment Offset zero. The last IP fragment has the rightmost bit clear and a non-zero Fragment Offset. Fragment Offset shares two bytes with Flags and takes the remaining 13 bits.
The offset given by Fragment Offset is the position within the data area of the complete IP datagram, in units of 8 bytes.

4) Reassembly takes place on the final destination host; intermediate routers do not reassemble. Reassembly only happens after all the fragments have arrived. In general the destination host starts a timer when it receives an IP fragment (not necessarily the first one); if the remaining fragments still have not arrived when the timer expires, all fragments with that ID that did arrive are discarded. This means a whole IP datagram has been lost; the IP layer itself does not retransmit, and the upper-layer protocol has to notice that a retransmission is needed. Imagine deliberately sending only some of the fragments instead of all of them, so that the target host keeps waiting for fragments and consumes system resources. Some fragment storm attacks work on exactly this principle.

5) The total length field of an IP fragment gives the total length of that fragment, not of the complete IP datagram.

6) It is easy to cause IP fragmentation with UDP, and hard to force TCP to send a segment that needs fragmenting.

Early operating system implementations handled the boundaries of IP fragments imperfectly, and there have always been problems of this kind; after the research, analysis and back-and-forth of recent years over the various DoS attacks, vulnerabilities in boundary handling are no longer easy to find. The reason for reviewing IP fragmentation is that the IGMP attack described below involves IP fragments; without the review, I am afraid some friends would be lost.
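As an added example, not code from the original article, the following C program decodes the Flags/Fragment Offset field described in points 2) and 3) and tracks whether the fragments of one datagram, identified by the ID field, cover the whole datagram without holes. That is the check a receiving host performs before reassembly, and an incomplete set (point 4) is exactly the state that leaves a reassembly buffer and timer hanging. The struct frag record, the constructed sample fragments and the MAX_DGRAM bound are assumptions of this example; the sample lists the last fragment first to show that arrival order does not affect the result.

```c
/* Added example (not from the original article): decode the IPv4
 * Flags/Fragment Offset field and check whether one datagram's fragments
 * form a complete, hole-free set, as a receiving host must before reassembly. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_RF      0x8000   /* leftmost flag bit: reserved, must be zero */
#define IP_DF      0x4000   /* middle flag bit: don't fragment */
#define IP_MF      0x2000   /* rightmost flag bit: more fragments follow */
#define IP_OFFMASK 0x1fff   /* low 13 bits: offset in units of 8 bytes */
#define MAX_DGRAM  65535    /* largest IPv4 datagram (assumption of this example) */

/* Hypothetical minimal record of one received fragment (constructed input). */
struct frag {
    uint16_t id;         /* Identification: same for every fragment of a datagram */
    uint16_t flags_off;  /* the 16-bit Flags + Fragment Offset field, host order */
    uint16_t data_len;   /* bytes of data in this fragment (total length - header) */
};

int frag_offset_bytes(uint16_t flags_off) { return (flags_off & IP_OFFMASK) * 8; }
int frag_more(uint16_t flags_off)         { return (flags_off & IP_MF) != 0; }
int frag_dont_fragment(uint16_t flags_off){ return (flags_off & IP_DF) != 0; }
int frag_reserved_set(uint16_t flags_off) { return (flags_off & IP_RF) != 0; }

/* Returns 1 when bytes [0, total) of datagram `id` are fully covered, where
 * total is known once the fragment with MF clear has arrived; 0 while the
 * set is still incomplete (the resource-holding state); -1 if malformed. */
int reassembly_complete(const struct frag *frags, size_t n, uint16_t id)
{
    static uint8_t covered[MAX_DGRAM];   /* one byte per datagram byte */
    long total = -1;
    memset(covered, 0, sizeof covered);
    for (size_t i = 0; i < n; i++) {
        const struct frag *f = &frags[i];
        if (f->id != id) continue;                 /* belongs to another datagram */
        if (frag_reserved_set(f->flags_off)) return -1;
        long start = frag_offset_bytes(f->flags_off);
        long end = start + f->data_len;
        if (end > MAX_DGRAM) return -1;
        if (frag_more(f->flags_off)) {
            if (f->data_len % 8 != 0) return -1;   /* non-last fragments are 8-byte multiples */
        } else {
            if (total != -1 && total != end) return -1; /* two "last" fragments disagree */
            total = end;
        }
        memset(covered + start, 1, (size_t)(end - start));
    }
    if (total == -1) return 0;                     /* last fragment never arrived */
    for (long b = 0; b < total; b++)
        if (!covered[b]) return 0;                 /* hole: still waiting */
    return 1;
}

/* Constructed sample: a 20-byte datagram split into 8 + 8 + 4 bytes, stored
 * with the last fragment first. */
const struct frag sample_frags[3] = {
    { 0x1234, 0 | 2,     4 },   /* last: MF clear, offset 2*8 = 16 */
    { 0x1234, IP_MF | 1, 8 },   /* middle: offset 8 */
    { 0x1234, IP_MF | 0, 8 },   /* first: offset 0 */
};
const struct frag bad_frag[1] = { { 0x1234, IP_RF | IP_MF, 8 } }; /* reserved bit set */

int main(void)
{
    printf("all three fragments:    %d\n", reassembly_complete(sample_frags, 3, 0x1234));
    printf("first fragment missing: %d\n", reassembly_complete(sample_frags, 2, 0x1234));
    printf("last fragment missing:  %d\n", reassembly_complete(sample_frags + 1, 2, 0x1234));
    printf("reserved flag set:      %d\n", reassembly_complete(bad_frag, 1, 0x1234));
    return 0;
}
```

A real stack keeps one such coverage structure per (source, destination, protocol, ID) tuple and frees it when the timer expires, which is why a sender that withholds one fragment per datagram costs the receiver memory for the whole timeout.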
Another, less related point: a raw socket can send IP fragments but will never receive them; the kernel does not hand a raw socket an IP fragment before reassembly has completed. Remember this, it matters. Some friends have seen source code that sends IP fragments through a raw socket and wrongly concluded that IP fragments are visible to a raw socket for both sending and receiving.

I do not intend to repeat the whole IGMP RFC, only to review a few points of the IGMP protocol:

1) The IGMP version is currently 1, and there are only two types: 1 is the query sent by a multicast router, 2 is the report sent by a host in the group. The checksum covers the 8-byte IGMP message. Unused fields must be zero.

2) Two examples of valid IGMP messages:
IGMP report (type 2): TTL = 1, group address = the group joined, destination IP = the group address, source IP = the local host's IP.
IGMP query (type 1): TTL = 1, group address = 0, destination IP = 224.0.0.1, source IP = the multicast router's IP.

3) When a process on the host joins a group on one of the host's interfaces, an IGMP report is sent if no local process was already a member of that group on this host. The host keeps the relevant state until all local processes have left the group. No IGMP message is sent when a process leaves a group. Once all processes on the host have left all groups, the host does not send an IGMP report when a multicast router sends a query. The multicast router sends queries periodically; the group address in these query messages is fixed at 0, and the destination IP is 224.0.0.1.

4) Class D addresses, 224.0.0.0 - 239.255.255.255, are multicast addresses, but 224.0.0.0 cannot be used by any group. 224.0.0.1 denotes all multicast-capable hosts and routers on the LAN; every multicast-capable network interface joins this group automatically, even when no local process has explicitly joined it, and joining it does not cause an IGMP report to be sent.
A multicast address may appear as the destination IP but never as the source IP. If the destination IP is a multicast address in 224.0.0.0 - 224.0.0.255, a multicast router does not forward the packet regardless of TTL, so such a packet can only appear on the LAN; obviously this includes 224.0.0.1.

5) With a TTL of 0 the multicast datagram cannot leave the host at all; 1 means the multicast datagram is only delivered on the LAN. For it to be forwarded by multicast routers a larger TTL must be set.

The above follows W. Richard Stevens' description of 4.x BSD; there may have been changes since. Version and type share one byte, with version in the upper 4 bits, hence macros such as 0x11 and 0x12 in many header files; as for 0x16 and 0x17, the accompanying comments make them clear. After a member host receives an IGMP query it replies after a random delay; because the report is multicast, the other member hosts in the group also see it, not only the router, so the remaining members no longer reply and a storm of reports is avoided. A host that is not a group member can send a query, but it will not receive the corresponding IGMP reports. Also, multicast routers are not the only senders of IGMP queries, and the other IGMP queries look different: the destination IP is not necessarily 224.0.0.1 but may be some other multicast address, and the group address is not necessarily 0 but may be some specific group address.
The libnet library has the function prototype:

int libnet_build_igmp(u_char type, u_char code, u_long ip, const u_char *payload, int payload_s, u_char *buf);

It builds an IGMP message. The macros for type are defined in /usr/include/libnet/libnet-headers.h as follows:

#define IGMP_MEMBERSHIP_QUERY 0x11 /* membership query */
#define IGMP_V1_MEMBERSHIP_REPORT 0x12 /* Ver. 1 membership report */
#define IGMP_V2_MEMBERSHIP_REPORT 0x16 /* Ver. 2 membership report */
#define IGMP_LEAVE_GROUP 0x17 /* Leave-group message */

0x17 seems to mean that an IGMP message is sent when leaving a group, which I did not know before. 0x16 is even more puzzling: since it is version 2, it ought to be 0x26; I do not understand it. Anyway, we do not need them, so I will not bother. The parameter code fills an unused field, so it can only be zero. The parameter ip specifies the class D multicast group address; payload is NULL and payload_s is zero. The parameter buf must point to an already allocated data area, and the IGMP header begins at that pointer. The checksum is computed with libnet_do_checksum(packet, IPPROTO_IGMP, LIBNET_IGMP_H); of course, if the packet is not a normal IGMP message, the parameter values have to be adjusted.

Unfortunately the attack program does not really use the functions above; it only sets the protocol field of the IP header to indicate that the payload is an IGMP message. The IGMP attack program described below has many peculiarities:

1) The protocol field of the IP header says the IP data area contains an IGMP message, but the destination address in the IP header is not a multicast address but a unicast address (the address of the attack target). Whether such a packet can be called an IGMP message at all, and whether it is processed as IGMP, is debatable.

2) An IGMP message is 8 bytes in total and carries no other payload, but this attack program carries a very large extra payload, so that IP fragmentation is deliberately created.
The attack program sends the IP fragments in reverse order: the last fragment first and the first fragment last. The abnormal fragments are manufactured by hand over a raw socket rather than letting the IP protocol stack fragment a packet itself; in fact, the sender never had a large complete IP datagram to fragment in the first place.

3) The IGMP message's version, type, checksum and group address are all zero, which is obviously abnormal.

4) The original program's loop sends the complete batch of IP fragments twice. In testing, the effect still depends on the sending speed and the number of transmissions; with the default of two rounds it does not succeed every time, and the attack is not very reproducible. After changing the loop count in the program to 200, one attack succeeds; clearly the result depends on the sending speed and the number of packets. The source IP does not have to equal the target IP; any forged source IP can be used. The target IP address is not a multicast address, so to a router that only looks at the IP layer this is an ordinary unicast IP packet, and it will not realise it is routing an IGMP message (if such a packet can be called IGMP at all). I used to have a friend tell me that IGMP attacks cannot be carried out across a WAN, but other friends say the remote attack works.
According to my analysis, when the remote attack fails it is not because ordinary routers refuse to forward the traffic (as explained above, what they route is a unicast IP packet) but because fragments are lost. The attack program creates 11 fragments each time, and a remote attack cannot guarantee that all 11 fragments reach the target IP in time; only then does reassembly produce the huge, anomalous IGMP message. There is always someone asking for the principle behind such a DoS attack, and always someone answering by describing what kind of packet is sent. That answer only describes the surface. To really explain why there is a blue screen, why the machine hangs, you would have to use SoftICE to trace the target host's processing. A working DoS packet by itself explains nothing; through a protocol analyser, or through the source code, you merely learn which packet leads to the DoS. Why does such a packet cause a DoS? The network data itself cannot answer that. From the earlier jolt2.c I could only tell that that kind of packet may cause a DoS, but not why; without analysing how the specific operating system implements these protocols, looking only at network data, what can you get? The answer: scratching an itch through the boot. I do not like people discussing the problem this way, and there is a whiff of grandstanding about it. There is no need to understand the real cause of such a DoS unless you have the ability to modify the system, as with Linux, where the source can be fixed. This attack first produces a blue screen on the target. After pressing a key to get past it, the IP stack is basically disabled: the target cannot be pinged from outside and needs a restart to recover. But the machine does not crash; other, non-network work can still be done. If SoftICE were available the situation would be clearer, but I am not familiar with it, so I will not say more.
5) The ID field of the IP header never changes, so the fragments in a later round of the loop cannot be distinguished from those in the earlier round. I cannot tell what effect this has on the receiver's reassembly of the fragments.

Personally, I think this attack works perfectly well remotely: there is no requirement that the source IP equal the target IP, and the chances are very good. The command line specifies the forged source IP, the attack target IP and the IGMP packets to send (each one being a batch of fragments).
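As an added example that is not the article's or libnet's own code, the following C program does for a received datagram what the IGMP review above and the libnet_do_checksum(packet, IPPROTO_IGMP, LIBNET_IGMP_H) call describe from the sending side: it computes the 16-bit Internet checksum over the 8-byte IGMP message and checks the rules listed in the review (protocol 2, unfragmented, exactly 8 bytes, TTL 1, multicast destination, non-multicast source, a sensible group address). Its constructed samples show a well-formed version 1 report passing, and two of the peculiarities listed for the attack traffic, a unicast destination and a datagram flagged as a fragment while claiming to be IGMP, being rejected, which is what a filter or IDS rule would key on. The names check_igmp_datagram, build_igmp_v1_report, the verdict enum and the sample addresses are assumptions of this example.

```c
/* Added example (not the article's or libnet's code): validate an IGMPv1
 * message inside an IPv4 datagram and compute the Internet checksum over
 * its 8 bytes, the counterpart of libnet_do_checksum on the receiving side. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IGMP_V1_QUERY  0x11   /* version 1 in the high nibble, type 1 */
#define IGMP_V1_REPORT 0x12   /* version 1, type 2 */

/* RFC 1071 one's-complement sum; an odd trailing byte is padded with zero. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)data[0] << 8 | data[1]; data += 2; len -= 2; }
    if (len) sum += (uint32_t)data[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint32_t get32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
int is_multicast(uint32_t ip) { return (ip >> 28) == 0xe; }   /* 224.0.0.0/4 */

enum igmp_verdict {
    IGMP_OK = 0,
    IGMP_NOT_IGMP,           /* IP protocol field is not 2 */
    IGMP_FRAGMENTED,         /* MF set or offset != 0: real IGMP fits in one datagram */
    IGMP_BAD_LENGTH,         /* IGMP message is not exactly 8 bytes */
    IGMP_BAD_CHECKSUM,
    IGMP_DST_NOT_MULTICAST,  /* the unicast-destination anomaly described above */
    IGMP_SRC_MULTICAST,
    IGMP_TTL_NOT_1,
    IGMP_BAD_VERSION_TYPE,
    IGMP_BAD_GROUP           /* query: group 0 or multicast; report: multicast group */
};

enum igmp_verdict check_igmp_datagram(const uint8_t *pkt, size_t len)
{
    if (len < 20 || pkt[9] != 2) return IGMP_NOT_IGMP;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    uint16_t total = (uint16_t)(pkt[2] << 8 | pkt[3]);
    uint16_t flags_off = (uint16_t)(pkt[6] << 8 | pkt[7]);
    if (flags_off & 0x3fff) return IGMP_FRAGMENTED;      /* MF bit or non-zero offset */
    if (total != len || total - ihl != 8) return IGMP_BAD_LENGTH;
    const uint8_t *igmp = pkt + ihl;
    if (inet_checksum(igmp, 8) != 0) return IGMP_BAD_CHECKSUM; /* sum over a valid msg is 0 */
    uint32_t src = get32(pkt + 12), dst = get32(pkt + 16), group = get32(igmp + 4);
    if (!is_multicast(dst)) return IGMP_DST_NOT_MULTICAST;
    if (is_multicast(src)) return IGMP_SRC_MULTICAST;
    if (pkt[8] != 1) return IGMP_TTL_NOT_1;
    if (igmp[0] == IGMP_V1_QUERY) {
        if (group != 0 && !is_multicast(group)) return IGMP_BAD_GROUP;
    } else if (igmp[0] == IGMP_V1_REPORT) {
        if (!is_multicast(group)) return IGMP_BAD_GROUP;
    } else return IGMP_BAD_VERSION_TYPE;
    return IGMP_OK;
}

/* Build a well-formed 28-byte IGMPv1 membership report (constructed sample,
 * host-order addresses): what libnet_build_igmp plus the checksum call produce. */
size_t build_igmp_v1_report(uint8_t *buf, uint32_t src, uint32_t group)
{
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[3] = 28; buf[8] = 1; buf[9] = 2;   /* IPv4/20, len 28, TTL 1, IGMP */
    put32(buf + 12, src); put32(buf + 16, group);          /* destination is the group */
    uint16_t ipck = inet_checksum(buf, 20); buf[10] = (uint8_t)(ipck >> 8); buf[11] = (uint8_t)ipck;
    uint8_t *igmp = buf + 20;
    igmp[0] = IGMP_V1_REPORT; igmp[1] = 0;                 /* unused field must be zero */
    put32(igmp + 4, group);
    uint16_t ck = inet_checksum(igmp, 8); igmp[2] = (uint8_t)(ck >> 8); igmp[3] = (uint8_t)ck;
    return 28;
}

static const uint8_t rfc1071_sample[8] = { 0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7 };

enum igmp_verdict demo_valid_report(void)
{
    uint8_t pkt[28];
    size_t n = build_igmp_v1_report(pkt, 0xC0A80102u /* 192.168.1.2 */, 0xE0000101u /* 224.0.1.1 */);
    return check_igmp_datagram(pkt, n);
}
/* Protocol says IGMP but the destination is a unicast host (constructed sample). */
enum igmp_verdict demo_unicast_destination(void)
{
    uint8_t pkt[28];
    size_t n = build_igmp_v1_report(pkt, 0xC0A80102u, 0xC0A80105u /* 192.168.1.5 */);
    return check_igmp_datagram(pkt, n);
}
/* Same, with the MF flag set: an IGMP-labelled fragment, rejected before any other check. */
enum igmp_verdict demo_anomalous_fragment(void)
{
    uint8_t pkt[28];
    size_t n = build_igmp_v1_report(pkt, 0xC0A80102u, 0xC0A80105u);
    pkt[6] = 0x20; pkt[7] = 0x00;
    return check_igmp_datagram(pkt, n);
}

int main(void)
{
    printf("RFC 1071 sample checksum: 0x%04x\n", inet_checksum(rfc1071_sample, 8));
    printf("valid report: %d, unicast dst: %d, fragment: %d\n",
           demo_valid_report(), demo_unicast_destination(), demo_anomalous_fragment());
    return 0;
}
```

The order of the checks is deliberate: the cheap header tests (protocol, fragment bits, length) reject the traffic pattern described above before any checksum work, which is the order a packet filter in front of a host that cannot be patched should apply them.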