Dos/smurf/icmp/tcpdump/snmp-mib2

From: Qiming He (heq@mdlogix.com)
Date: 02/01/02


From: "Qiming He" <heq@mdlogix.com>
Date: Fri, 1 Feb 2002 16:13:50 -0500

Hi guys:

I am trying to see how a smurf-like ICMP broadcast flooder works (from the site
http://www.cotse.com/dos.htm)

Both the attack and victim are Redhat Linux 7.1 boxes (kernel 2.4)
in the same subnet (192.168.1.0)

I create a broadcast file
% echo "192.168.1.255" > bcast
and run smurf in 192.168.250 to attack 192.168.1.100
%./smurf 192.168.1.100 bcast 0 1 100

(FYI: smurf.c v4.0 by TFreak
 usage: ./smurf <target> <bcast file> <num packets> <packet delay> <packet size>
 target = address to hit
 bcast file = file to read broadcast addresses from
 num packets = number of packets to send (0 = flood)
 packet delay = wait between each packet (in ms)
 packet size = size of packet (< 1024)
)

I run tcpdump at 192.168.1.100 (victim)
%tcpdump icmp
and get something like:
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
14:26:10.668147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.688147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.708147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.728147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.748147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request

Question: Why is there no echo reply? I also checked the SNMP MIB entry
.iso.org.dod.internet.mgmt.mib-2.icmp.icmpInMsgs
It is not incremented.

FYI: I checked
/proc/sys/net/ipv4/icmp_echo_ignore_all
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

ALL 0, which means I am NOT ignoring any broadcast packets.
I verify it by running
%ping -f 192.168.1.100
and I do get a lot of echo replies like:
15:54:33.098147 eth1 < 192.168.1.100 > 192.168.1.82: icmp: echo request
15:54:33.118147 lo > 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)
15:54:33.118147 lo < 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)
15:54:33.118147 lo > 192.168.1.100 > 192.168.1.100: icmp: echo reply (DF)
15:54:33.118147 lo < 192.168.1.100 > 192.168.1.100: icmp: echo reply (DF)
15:54:33.118147 lo > 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)

and SNMP-ICMP entry also incremented.

Question: what else do I need to do to make smurf really "work"?

many thanks
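For anyone reading this thread from the detection side: the tcpdump lines quoted above carry the signature that a smurf-style flood leaves in a capture, namely ICMP echo requests whose destination is the subnet's directed-broadcast address, with the "source" being the intended victim. The script below is an added example (not part of the original post and not TFreak's code) that parses that tcpdump output format, counts broadcast echo requests per spoofed source, and computes the amplification ratio actually observed, i.e. how many echo replies reached each claimed source per broadcast request. The sample capture is constructed: it reuses three of the lines from the post and adds two constructed lines so the reply path is exercised; the subnet 192.168.1.0/24 is taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture in the old tcpdump "iface < src > dst" format
# seen in the post. Lines 1-3 are quoted from the post; lines 4-5 are
# constructed to show one reply and one ordinary (unicast) request.
SAMPLE_CAPTURE = """\
14:26:10.668147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.688147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.708147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.728147 eth1 < 192.168.1.82 > 192.168.1.100: icmp: echo reply
15:54:33.098147 eth1 < 192.168.1.100 > 192.168.1.82: icmp: echo request
"""

# Matches: timestamp, interface, direction marker (< or >), src > dst,
# and the ICMP echo type. Trailing flags such as "(DF)" are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+[<>]\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)"
)


def parse_line(line):
    """Return a dict with ts/iface/src/dst/kind for an ICMP echo line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse_capture(text, subnet="192.168.1.0/24"):
    """Summarise smurf indicators in tcpdump text for the given local subnet.

    A broadcast echo request is one whose destination equals the subnet's
    broadcast address. Its source is treated as the claimed (possibly
    spoofed) victim, and amplification is replies seen toward that address
    divided by broadcast requests carrying it as source.
    """
    net = ipaddress.ip_network(subnet)
    bcast = net.broadcast_address
    bcast_requests = Counter()   # claimed source -> number of broadcast requests
    replies_to = Counter()       # destination -> number of echo replies
    unicast_requests = 0

    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # not an ICMP echo line; skip
        dst = ipaddress.ip_address(rec["dst"])
        if rec["kind"] == "request":
            if dst == bcast:
                bcast_requests[rec["src"]] += 1
            else:
                unicast_requests += 1
        else:
            replies_to[rec["dst"]] += 1

    amplification = {
        victim: replies_to.get(victim, 0) / n
        for victim, n in bcast_requests.items()
    }
    return {
        "broadcast_requests": dict(bcast_requests),
        "replies_to": dict(replies_to),
        "unicast_requests": unicast_requests,
        "amplification": amplification,
    }


def suspected_victims(summary, min_requests=3):
    """Addresses that appear as source of at least min_requests broadcast pings."""
    return sorted(
        v for v, n in summary["broadcast_requests"].items() if n >= min_requests
    )


if __name__ == "__main__":
    s = analyse_capture(SAMPLE_CAPTURE)
    for victim in suspected_victims(s):
        print(f"{victim}: {s['broadcast_requests'][victim]} broadcast echo requests, "
              f"observed amplification {s['amplification'][victim]:.2f}")
```

An amplification of 0 for a claimed source, as in the post's own capture, means no host on the segment answered the broadcast echo; a value above 1 means the segment is acting as an amplifier and directed-broadcast filtering or icmp_echo_ignore_broadcasts=1 (the default on current Linux kernels) is the fix worth checking on every host and router involved.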