Dos/smurf/icmp/tcpdump/snmp-mib2

From: Qiming He (heq@mdlogix.com)
Date: 02/01/02


From: "Qiming He" <heq@mdlogix.com>
Date: Fri, 1 Feb 2002 16:13:50 -0500

Hi guys:

I am trying to see how a smurf-like ICMP broadcast flooder works (from the site
http://www.cotse.com/dos.htm)

Both the attack and victim are Redhat Linux 7.1 boxes (kernel 2.4)
in the same subnet (192.168.1.0)

I create a broadcast file
% echo "192.168.1.255" > bcast
and run smurf in 192.168.250 to attack 192.168.1.100
%./smurf 192.168.1.100 bcast 0 1 100

(FYI: smurf.c v4.0 by TFreak
 usage: ./smurf <target> <bcast file> <num packets> <packet delay> <packet size>
 target = address to hit
 bcast file = file to read broadcast addresses from
 num packets = number of packets to send (0 = flood)
 packet delay = wait between each packet (in ms)
 packet size = size of packet (< 1024)
)

I run tcpdump at 192.168.1.100 (victim) and get something like:
%tcpdump icmp
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
14:26:10.668147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.688147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.708147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.728147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.748147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request

Question: Why is there no echo reply? I also checked the SNMP MIB entry
.iso.org.dod.internet.mgmt.mib-2.icmp.icmpInMsgs
It is not incremented.

FYI: I checked
/proc/sys/net/ipv4/icmp_echo_ignore_all
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

All 0, which means I am NOT ignoring any broadcast packets.
I verify it by running
%ping -f 192.168.1.100
and I do get a lot of echo replies like:
15:54:33.098147 eth1 < 192.168.1.100 > 192.168.1.82: icmp: echo request
15:54:33.118147 lo > 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)
15:54:33.118147 lo < 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)
15:54:33.118147 lo > 192.168.1.100 > 192.168.1.100: icmp: echo reply (DF)
15:54:33.118147 lo < 192.168.1.100 > 192.168.1.100: icmp: echo reply (DF)
15:54:33.118147 lo > 192.168.1.100 > 192.168.1.100: icmp: echo request (DF)

and the SNMP ICMP entry is also incremented.

Question: what else do I need to do to make smurf really "work"?

Many thanks
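As an added detection example (not code from the post or from smurf.c), here is a Python parser for the old tcpdump line format quoted above that flags the smurf signature a defender sees on the wire: echo requests aimed at the subnet's directed-broadcast address whose claimed source is a host on that same subnet, i.e. the spoofed victim. The subnet, the alert threshold and the embedded capture text are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches one ICMP echo line in the old tcpdump format quoted in the post.
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+\S+\s+[<>]\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def parse_echo_lines(text):
    """Yield (src, dst, kind) per ICMP echo line; banner and non-ICMP lines are skipped."""
    text = re.sub(r"\n\(DF\)", " (DF)", text)  # re-join a "(DF)" flag wrapped by the mailer
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")

def broadcast_echo_sources(text, subnet):
    """Count echo requests to the subnet's directed-broadcast address, keyed by claimed
    source. A local host as the source is the smurf signature: the flooder spoofs the
    victim's address so every responder's echo reply lands on the victim."""
    bcast = str(ipaddress.ip_network(subnet).broadcast_address)
    counts = Counter()
    for src, dst, kind in parse_echo_lines(text):
        if kind == "request" and dst == bcast:
            counts[src] += 1
    return counts

def smurf_alerts(text, subnet, threshold=3):
    """(claimed_source, count) pairs at or above threshold. The claimed source is the
    likely victim, not the attacker, so the fix is dropping broadcast echo, not that host."""
    hits = broadcast_echo_sources(text, subnet)
    return sorted((s, c) for s, c in hits.items() if c >= threshold)

# Constructed capture (assumed, modelled on the post): five spoofed-source requests to
# the directed broadcast, one benign unicast request, and one "(DF)" line wrapped by the mailer.
CAPTURE = """\
tcpdump: listening on all devices
14:26:10.668147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.688147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.708147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.728147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
14:26:10.748147 eth1 < 192.168.1.100 > 192.168.1.255: icmp: echo request
15:54:33.098147 eth1 < 192.168.1.82 > 192.168.1.100: icmp: echo request
15:54:33.118147 lo > 192.168.1.100 > 192.168.1.100: icmp: echo reply
(DF)
"""
```

On a real host the same check applies to a `tcpdump -n icmp` capture read from a file; a hit means the responders on that subnet still answer broadcast echo, which is what the `icmp_echo_ignore_broadcasts` sysctl mentioned in the post controls.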


