"Insane DoS Attacking with RSTs"

[Contact.nfo]
#URL: http://www.h410G3n.com
#e-mail: h410G3n@h410G3n.com
#IRC: irc.h410G3n.com / #HackCanada + irc.2600.net / #2600
#shoutz: Cyb0rg/ASM, theclone, wizbone, wraith, wildman

--

Disclaimer: I do not assume ANY fucking responsibility for what you do. For example: if you just so happen to lean back in your chair after using these techniques, knock your momma's DSS receiver out of your window and land it in a swimming pool full of 'leet wannabe hackLERS, killing them and rupturing a fault line, sending half of California into the ocean. IT'S NOT MY FUCKING FAULT!

--

Well, this article is the result of an insane dream I had a few months back (I dream in code and TCP/IP sequence numbers). I was thinking of a way to use all of these machines that are on the Internet to my advantage. I was thinking about the TCP/IP protocol itself and an idea hit me. It's a simple one I have been kicking around for a while.

Remember those DoS attacks on yahoo/ebay a while back? Well, those are called DDoS attacks (Distributed Denial of Service), where a Trojan or a client is placed on hundreds/thousands of machines and they are used together to flood down a target (those machines are referred to as "helper-boxes" in this article). Well, my idea wouldn't need a program installed on all of my helper-boxes.... They could be used "as is" on a packet level as a multi-node relay. Millions of Windows boxes at someone's disposal -- it is a scary thought. I am not interested in being a DoS kiddie(tm), nor will I ever be, but I am interested in the technology and the prevention of an attack like this.

Okay, to the "meat" of this article now:

A normal TCP connection works something like this (a few things have been omitted for clarity).

    10.0.0.1:1024 -> 10.0.0.2:80 SYN
    (chomp)
    EST 10.0.0.1:1024 <-> 10.0.0.2:80 "Connection Established"

The above was a connection to a port with a service running (in this case we connected to port 80 on .2 with 1024 as the src port).

Now, here is an attempt to connect to a port on a box with no service running on it.

    10.0.0.1:1024 -> 10.0.0.2:80 SYN
    10.0.0.2:80 -> 10.0.0.1:1024 RST "Connection Refused"

... :)

"So what?" you might ask.... An RST is the end of a TCP sequence, and we did not do a full 3-way handshake with the remote box, so spoofing *is* possible. The key here is to SYN flood with random src ports, using the target's IP address as the source. Then the RST packets will go to the target machine.

Here is another example: I am 10.0.0.1 in this diagram, the helper box is 10.0.0.2 and the target is 10.0.0.100:

    Sending (from me, 10.0.0.1):
    (Spoofed as 10.0.0.100:(x)) -> 10.0.0.2:(y) SYN
    ... you may want to rotate x (port) for a greater effect.
    ... y being a closed port on the helper box.

    Result:
    10.0.0.2:(y) -> 10.0.0.100:(x) RST

Now the target didn't send the SYN, so the RST is just garbage data to it, i.e. the RST just gets eaten... yay!

Now, send SYNs to your heart's content using different helper boxes and rotate ports on x. (You will need a static y port on your helper boxes that emits an RST.) Most detection software only looks for large amounts of ICMP + packet fragments, so this method will most likely go undetected for a while.

Have fun!

--
h410g3n 2001.05.21
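Added example (not part of the original article): a small detector for the target's side of this, written as a defender would. It walks a log of packet records seen by the protected host and flags RSTs that arrive for a port pair on which that host never sent a SYN, grouped by the reflector's (IP, static y port). The records, the host address 10.0.0.100 and the reflector port 113 are all constructed sample values.

```python
from collections import Counter

# Constructed sample of (src_ip, src_port, dst_ip, dst_port, flags) records,
# as a host-side sensor on the protected machine might log them. Not real traffic.
PROTECTED = "10.0.0.100"

SAMPLE = [
    ("10.0.0.100", 40001, "10.0.0.2", 80, "S"),    # we opened a connection
    ("10.0.0.2", 80, "10.0.0.100", 40001, "SA"),   # normal handshake reply
    ("10.0.0.100", 40002, "10.0.0.2", 81, "S"),    # we probed a closed port
    ("10.0.0.2", 81, "10.0.0.100", 40002, "RA"),   # expected "connection refused"
    ("10.0.0.2", 113, "10.0.0.100", 1024, "RA"),   # reflected: we sent no SYN here
    ("10.0.0.2", 113, "10.0.0.100", 1025, "RA"),   # same reflector, rotated x port
    ("10.0.0.2", 113, "10.0.0.100", 1026, "RA"),
    ("10.0.0.3", 113, "10.0.0.100", 1026, "RA"),   # a second, quieter reflector
]


def unsolicited_rsts(records, protected, threshold=2):
    """Return {(reflector_ip, reflector_port): count} for sources that sent at
    least `threshold` RSTs to `protected` on port pairs where `protected` never
    sent a SYN. Records are processed in order, so a SYN we sent earlier
    legitimises one later RST on that exact (peer_ip, peer_port, our_port) tuple."""
    outstanding = set()   # connections the protected host actually initiated
    counts = Counter()
    for src, sport, dst, dport, flags in records:
        if src == protected and "S" in flags and "A" not in flags:
            outstanding.add((dst, dport, sport))        # our own SYN
        elif dst == protected and "R" in flags:
            key = (src, sport, dport)
            if key in outstanding:
                outstanding.discard(key)                # refusal of our SYN: fine
            else:
                counts[(src, sport)] += 1               # RST for nothing we sent
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, port), n in unsolicited_rsts(SAMPLE, PROTECTED).items():
        print(f"{n} unsolicited RSTs from {ip}:{port}")
```

In real traffic an RST can also legitimately follow a SYN the host sent some time ago, so a production version keeps the `outstanding` set bounded and ages entries out rather than holding them forever.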