Protocol T50
“Five months later... So what?”
Agenda

• 0000 – Once upon a time…
• 0001 – Introduction
• 0010 – Improvements
• 0011 – Protocols
• 0100 – Comparison
• 0101 – Demonstration
• 0110 – Conclusions
• 0111 – Questions and Answers
0000 – Once upon a time…
Denial-of-Service
0001 – Introduction
Why Denial-of-Service?
• Is there anything more offensive than a DoS, anyways?
    – Bear in mind: DoS means “Stress Testing” for this presentation.

• DoS tools are necessary weapons in cyber warfare…

• Attacks against the infrastructure are more common than many people might
  think, and, when they happen, people will certainly be aware of it.

• But, what are the real damages? What are the real motivations? Image?
  Revenge? Financial? Political? Hacktivism?

• DoS attacks are significantly harmful, because they violate one of the three
  key concepts of security that are common to risk management… Which one?
    – Confidentiality
    – Integrity
    – Availability

T50 shows that some performance enhancements, using an ordinary Linux box and
programming in user space, can be achieved.
T50 – The chaos maker
• Primarily, the tool was developed to address my day-by-day needs, and I am
  sharing it with the community, because I always need a tool to perform some
  “Stress Testing” that could be launched from my notebook:
    – I do not want to carry/rent/buy a Smartbits, Avalanche, etc.

• The tool was designed to perform “Stress Testing” on a variety of
  infrastructure network devices (Version 2.45).

• The tool was re-designed to extend the “Stress Testing” (Version 5.3),
  covering some regular protocols (ICMP, IGMP, TCP and UDP), some
  infrastructure-specific protocols (GRE, IPSec and RSVP) and some routing
  protocols (RIP, EIGRP and OSPF).

• This new version is focused on internal infrastructure, allowing people to
  test the availability of its resources.

• Interior Gateway Protocols (Distance Vector Algorithm):
    – Routing Information Protocol (RIP).
    – Enhanced Interior Gateway Routing Protocol (EIGRP).

• Interior Gateway Protocols (Link State Algorithm):
    – Open Shortest Path First (OSPF).

• Quality-of-Service Protocols:
    – Resource ReSerVation Protocol (RSVP).

• Tunneling/Encapsulation Protocols:
    – Generic Routing Encapsulation (GRE).
T50 – The chaos maker

     I did not review any third-party code…
I found my own way to address some challenges!!!

/* Bytes needed to carry a destination prefix of `foo` bits in an EIGRP route TLV. */
#define EIGRP_DADDR_LENGTH(foo) \
   (((foo >> 3) & 3) + (foo % 8 ? 1 : 0))

       if(o.eigrp.type == EIGRP_TYPE_SOFTWARE ||
          o.eigrp.type == EIGRP_TYPE_MULTICAST) goto eigrp_software;

/* Mask address `foo` (network byte order) down to its `bar`-bit prefix. */
#define EIGRP_DADDR_BUILD(foo, bar) \
   (foo &= htonl(~(0xffffffff >> ((bar >> 3) * 8))))

/* Padding bytes needed to bring a TCP options length of `foo` to a 4-byte boundary. */
#define TCPOLEN_PADDING(foo) \
   ((foo & 3) ? 4 - (foo & 3) : 0)
0010 – Improvements
Also known as “New Features”
License
• Licensed under GNU General Public License version 2:
  – No piece of the code can be integrated into proprietary
    applications and appliances.
  – There is an alternative license to do so.

• Free software and 100% Open Source:
  – You may redistribute and/or modify it under the terms of GPL
    version 2.
  – Will always be available as an Open Source project to the
    community.

• Recruiting new coders, hackers and developers to maintain the
  project and add substantial new improvements.
Classless Inter-Domain Routing (CIDR)

• CIDR specifies an IP address range using a combination of
  an IP address and its associated network mask:
  – 192.168.1.13/24 – 192.168.1.13/255.255.255.0
  – 172.16.0.128/15 – 172.16.0.128/255.254.0.0
  – 10.200.200.1/10 – 10.200.200.1/255.192.0.0

• CIDR for the destination address is supported:
  – Allows simulating both Distributed Denial-of-Service and
    Distributed Reflection Denial-of-Service in a controlled
    environment.
  – CIDR network masks supported:
     • Minimum is “/8” (255.0.0.0).
     • Maximum is “/30” (255.255.255.252).
Classless Inter-Domain Routing (CIDR)
unsigned int hostid     = 0, counter = 0, rand_daddr = 0;
in_addr_t    netmask    = INADDR_ANY, all_bits_on = 0xffffffff,
             __1st_addr = INADDR_ANY, addresses[16777214] = { INADDR_ANY };
struct iphdr *ip;

    /* bits (prefix length) and address (network byte order) come from the elided parsing. */
    netmask    = ~(all_bits_on >> bits);
    hostid     = (unsigned int) (pow(2, (32 - bits)) - 2);   /* usable hosts: 2^(32-bits) - 2 */
    __1st_addr = (ntohl(address) & netmask) + 1;            /* first usable host, host byte order */

[...]

    for(counter = 0 ; counter < hostid ; counter++)          /* enumerate every host in the block */
        addresses[counter] = htonl(__1st_addr++);

[...]

    rand_daddr = (unsigned int) ((float)(hostid) * rand() / (RAND_MAX + 1.0));
    ip->daddr = addresses[rand_daddr];                      /* one random host per packet */

[...]
Classless Inter-Domain Routing (CIDR)

        192.168.1.13/24            192.168.1.13/255.255.255.0

   all_bits_on          0xffffffff   11111111.11111111.11111111.11111111
   all_bits_on >> 24    0x000000ff   00000000.00000000.00000000.11111111
   netmask              0xffffff00   11111111.11111111.11111111.00000000

   address              0xc0a8010d   11000000.10101000.00000001.00001101
 & netmask              0xffffff00   11111111.11111111.11111111.00000000
   network              0xc0a80100   11000000.10101000.00000001.00000000
                                     <----------- NETWORK ----------> <HOST>

   hosts = 2^(32-24) - 2 = 2^8 - 2 = 256 - 2 = 254
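To make the arithmetic on this and the previous two slides concrete, here is an added C example (not T50's code) that derives netmask, network, first and last usable host and host count from a prefix length with integer shifts instead of pow(), and enforces the /8 to /30 bounds the deck states. The function names and the sample 192.168.1.13/24 are assumptions for this example; all addresses are in host byte order.

```c
/* Added example, not T50's own code: CIDR arithmetic from the slides as plain
 * functions. Function names and the sample 192.168.1.13/24 are constructed. */
#include <stdint.h>
#include <stdio.h>

#define CIDR_MIN_BITS 8   /* slide: minimum mask is /8  (255.0.0.0)       */
#define CIDR_MAX_BITS 30  /* slide: maximum mask is /30 (255.255.255.252) */

/* 1 if the prefix length is inside the supported range, else 0. */
int cidr_bits_ok(unsigned bits)
{
    return bits >= CIDR_MIN_BITS && bits <= CIDR_MAX_BITS;
}

/* Netmask for a prefix length; 0 for an unsupported prefix.
 * Same construction as the slide's ~(all_bits_on >> bits). */
uint32_t cidr_netmask(unsigned bits)
{
    if (!cidr_bits_ok(bits))
        return 0;
    return ~(0xffffffffu >> bits);
}

/* Usable hosts: 2^(32-bits) - 2, as an integer shift rather than pow().
 * For /8 this is 16777214, the size of the slide's addresses[] array. */
uint32_t cidr_hosts(unsigned bits)
{
    if (!cidr_bits_ok(bits))
        return 0;
    return (1u << (32 - bits)) - 2;
}

/* Network address of the prefix containing addr. */
uint32_t cidr_network(uint32_t addr, unsigned bits)
{
    return addr & cidr_netmask(bits);
}

/* First usable host, i.e. the slide's __1st_addr = (address & netmask) + 1. */
uint32_t cidr_first_host(uint32_t addr, unsigned bits)
{
    return cidr_network(addr, bits) + 1;
}

/* Last usable host: one below the directed broadcast address. */
uint32_t cidr_last_host(uint32_t addr, unsigned bits)
{
    return (cidr_network(addr, bits) | ~cidr_netmask(bits)) - 1;
}

/* Parse "a.b.c.d" into host byte order; 1 on success, 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static void print_ipv4(const char *label, uint32_t a)
{
    printf("%-11s %3u.%3u.%3u.%3u  (0x%08x)\n", label, (unsigned)(a >> 24),
           (unsigned)((a >> 16) & 0xff), (unsigned)((a >> 8) & 0xff),
           (unsigned)(a & 0xff), (unsigned)a);
}

int main(void)
{
    uint32_t addr;
    unsigned bits = 24;                        /* constructed sample: 192.168.1.13/24 */
    if (!parse_ipv4("192.168.1.13", &addr) || !cidr_bits_ok(bits))
        return 1;
    print_ipv4("address", addr);
    print_ipv4("netmask", cidr_netmask(bits));
    print_ipv4("network", cidr_network(addr, bits));
    print_ipv4("first host", cidr_first_host(addr, bits));
    print_ipv4("last host", cidr_last_host(addr, bits));
    printf("usable hosts: %u\n", (unsigned)cidr_hosts(bits));
    return 0;
}
```

The shift form gives the same 254 hosts for /24 and the same 16777214 for /8 as the slide's pow() expression, without a float-to-int conversion, and the bounds check makes a prefix outside /8../30 fail loudly instead of producing a zero-length or negative host count.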
Multi-protocol sequential injection
• Version 2.45 (as of November 2010):
    – Support for four protocols: ICMP, IGMPv1, TCP and UDP.
    – Sends all of them sequentially, i.e., almost at the same time.

• Version 5.3 (as of today):
    – Support for the previous four protocols: ICMP, IGMPv1¹, TCP¹ and UDP.
    – Eleven (11) new protocols: IGMPv3¹, EGP², RIPv1, RIPv2, DCCP¹, RSVP¹, GRE³,
      IPSec (AH/ESP), EIGRP¹ and OSPF¹.
    – Sends all of them sequentially, i.e., almost at the same time.

¹ This protocol can be improved to cover additional advanced options.
² This protocol demands more development effort to cover advanced options.
³ Very first tool able to encapsulate the protocols within GRE packets.
Multi-protocol sequential injection
socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds;

[...]


    if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        exit(EXIT_FAILURE);


    if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0)
        exit(EXIT_FAILURE);

[...]
Multi-protocol sequential injection
struct t50{ int proto; void(*raw)(int, struct options); };

[...]

    while(flood || threshold--){

[...]


        if(protocol != IPPROTO_T50){

[...]


        }else{
            for(module = 0 ; module < modules ; module++){
                 protocol = t50[module].proto;
                 t50[module].raw(fd, options);
            }

            threshold -= (modules-1);
            protocol = IPPROTO_T50;
        }

[...]
Multi-protocol sequential injection
Checksum optimization
• Version 5.3 introduced a new technique to calculate the
  checksum and, consequently, a new technique to build the
  packet.

• This technique is MEMCPY(3)-free, and allows building the
  packet byte-by-byte – sometimes bit-by-bit.

• This technique is more flexible, especially when playing with
  exotic protocol options – sometimes it uses GOTO. For example:
  –   EIGRP IP Internal Routes TLV destination address.
  –   EIGRP IP External Routes TLV destination address.
  –   OSPF HELLO Message with multiple NEIGHBOR addresses.
  –   RSVP Object SCOPE Class with multiple SCOPE addresses.
  –   Etc…
Checksum optimization
unsigned int offset = 0;
unsigned char packet[packet_size], * checksum = NULL;
struct eigrp_hdr * eigrp;

[...]

    offset   = sizeof(struct eigrp_hdr);
    checksum = (unsigned char *)eigrp + offset;          /* write cursor just past the fixed header */

    *((unsigned short *)checksum) = htons(length);
    checksum += sizeof(unsigned short);
    offset   += sizeof(unsigned short);
    *((unsigned int *)checksum) = htonl(auth_key_id);
    checksum += sizeof(unsigned int);
    offset   += sizeof(unsigned int);

[...]

    eigrp->check = cksum((u_int16_t *)eigrp, offset);   /* checksum covers exactly the bytes written */

[...]
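Below is an added C example, not T50's own code, of the building blocks the slide relies on: filling a buffer byte-by-byte in network byte order without memcpy(3), computing the RFC 1071 one's-complement checksum over exactly the `offset` bytes written (what a routine like `cksum()` does), and the receiver-side check that an intact header sums to zero. The demo header layout, the helper names (`put_u16`, `put_u32`, `inet_cksum`, `build_demo`) and the sample field values are constructed for this example and are not EIGRP.

```c
/* Added example, not T50's own code: byte-by-byte packet build plus RFC 1071
 * checksum and verification. Header layout, names and values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Store a 16-bit value big-endian at buf[off]; returns the advanced offset.
 * Writing bytes avoids the unaligned *(unsigned short *) store seen on the slide. */
size_t put_u16(unsigned char *buf, size_t off, uint16_t v)
{
    buf[off]     = (unsigned char)(v >> 8);
    buf[off + 1] = (unsigned char)(v & 0xff);
    return off + 2;
}

size_t put_u32(unsigned char *buf, size_t off, uint32_t v)
{
    buf[off]     = (unsigned char)(v >> 24);
    buf[off + 1] = (unsigned char)(v >> 16);
    buf[off + 2] = (unsigned char)(v >> 8);
    buf[off + 3] = (unsigned char)(v & 0xff);
    return off + 4;
}

/* RFC 1071 checksum over len bytes, read as big-endian 16-bit words.
 * An odd trailing byte is the high byte of a zero-padded word, and carries
 * are folded back into 16 bits before complementing. */
uint16_t inet_cksum(const unsigned char *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed demo header: byte 0 version, byte 1 opcode, bytes 2-3 checksum,
 * bytes 4-5 length, bytes 6-9 auth_key_id. The checksum field must be zero
 * while the sum is taken and is filled in last. Returns the bytes written. */
#define DEMO_CKSUM_OFF 2

size_t build_demo(unsigned char *buf, uint16_t length, uint32_t auth_key_id)
{
    size_t off = 0;
    buf[off++] = 2;                                     /* version */
    buf[off++] = 5;                                     /* opcode  */
    off = put_u16(buf, off, 0);                         /* checksum placeholder */
    off = put_u16(buf, off, length);                    /* like htons(length) on the slide */
    off = put_u32(buf, off, auth_key_id);               /* like htonl(auth_key_id) */
    put_u16(buf, DEMO_CKSUM_OFF, inet_cksum(buf, off)); /* sum over the `off` bytes written */
    return off;
}

/* Receiver side: a header carrying its own checksum sums to 0xffff, so the
 * complement is zero exactly when the bytes arrived intact. */
int verify_demo(const unsigned char *buf, size_t len)
{
    return inet_cksum(buf, len) == 0;
}

/* Checksum value a built header carries (for inspection and testing). */
uint16_t demo_checksum(uint16_t length, uint32_t auth_key_id)
{
    unsigned char buf[16];
    build_demo(buf, length, auth_key_id);
    return (uint16_t)((buf[DEMO_CKSUM_OFF] << 8) | buf[DEMO_CKSUM_OFF + 1]);
}

/* Build, optionally flip one bit of the last byte (a corrupted frame), verify. */
int demo_verify(uint16_t length, uint32_t auth_key_id, int corrupt)
{
    unsigned char buf[16];
    size_t n = build_demo(buf, length, auth_key_id);
    if (corrupt)
        buf[n - 1] ^= 0x01;
    return verify_demo(buf, n);
}

int main(void)
{
    printf("checksum for length=12 auth_key_id=42: 0x%04x\n", demo_checksum(12, 42));
    printf("intact header verifies:    %d\n", demo_verify(12, 42, 0));
    printf("corrupted header verifies: %d\n", demo_verify(12, 42, 1));
    return 0;
}
```

Because the sum is taken over `off`, the same routine stays correct when optional fields are appended later: every byte written advances the cursor, and the checksum is computed once over the final length, which is the property the slide's `cksum((u_int16_t *)eigrp, offset)` depends on.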
Checksum optimization
   packet_size = sizeof(ip) + sizeof(eigrp) + eigrp_hdr_len();

[Figure, animated over several slides: the packet buffer is built in two steps. 1st step: packet_size is fixed up front using eigrp_hdr_len(). 2nd step: the packet is filled field by field while offset advances to the end of the data written.]
RFC 1700, 1918 and 3330 improvements
[...]

switch(ntohl(daddr) & 0xff000000){
    case 0x0a000000:            /* Allowing 10/8        (RFC 1918). */
        break;
    case 0x7f000000:            /* Allowing 127/8       (RFC 1700). */
        break;
    case 0xa9000000:            /* Allowing 169.254/16  (RFC 3330). */
        if((ntohl(daddr) & 0xffff0000) != 0xa9fe0000)
            return(FALSE);
        break;
    case 0xac000000:            /* Allowing 172.16/12   (RFC 1918). */
        if(((ntohl(daddr) & 0xffff0000) < 0xac100000) ||
           ((ntohl(daddr) & 0xffff0000) > 0xac1f0000))
            return(FALSE);
        break;
    case 0xc0000000:            /* Allowing 192.168/16  (RFC 1918). */
        if((ntohl(daddr) & 0xffff0000) != 0xc0a80000)
            return(FALSE);
        break;

[...]
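As an added example (not T50's own code), the same destination guard as a stand-alone C function on a host-byte-order address, with each range written as one prefix comparison and assuming that anything the switch does not list is rejected. It also demonstrates a pitfall in this kind of check: a hex literal wider than 32 bits (here the nine-digit 0xa9fe00000, a slip of the 169.254 prefix) never equals a masked 32-bit value, so the range it was meant to allow is silently refused. Function names and sample addresses are constructed.

```c
/* Added example, not T50's own code: private/reserved destination guard in
 * host byte order. Names and sample addresses are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MASK8  0xff000000u
#define MASK12 0xfff00000u
#define MASK16 0xffff0000u

/* Host-byte-order address from dotted-quad components. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* 1 if daddr lies in a range the slide allows (10/8, 127/8, 169.254/16,
 * 172.16/12, 192.168/16), 0 otherwise. */
int daddr_allowed(uint32_t daddr)
{
    switch (daddr & MASK8) {
    case 0x0a000000u:                               /* 10/8       (RFC 1918) */
        return 1;
    case 0x7f000000u:                               /* 127/8      (RFC 1700) */
        return 1;
    case 0xa9000000u:                               /* 169.254/16 (RFC 3330) */
        return (daddr & MASK16) == 0xa9fe0000u;
    case 0xac000000u:                               /* 172.16/12  (RFC 1918) */
        /* 172.16.0.0-172.31.255.255 is exactly a /12, so one mask compare
         * replaces the slide's pair of < and > tests. */
        return (daddr & MASK12) == 0xac100000u;
    case 0xc0000000u:                               /* 192.168/16 (RFC 1918) */
        return (daddr & MASK16) == 0xc0a80000u;
    default:
        return 0;
    }
}

/* Pitfall: the constant has one hex digit too many (36 bits), so the == can
 * never hold for a 32-bit masked address and every 169.254.x.y address is
 * rejected. Kept only to make the defect visible in a test. */
int link_local_with_wide_literal(uint32_t daddr)
{
    if ((daddr & MASK8) != 0xa9000000u)
        return 0;
    return (daddr & MASK16) == 0xa9fe00000ULL;      /* nine-digit literal */
}

int main(void)
{
    const uint32_t samples[] = {                    /* constructed sample addresses */
        ip4(10, 1, 2, 3), ip4(127, 0, 0, 1), ip4(169, 254, 10, 1),
        ip4(172, 16, 0, 1), ip4(172, 32, 0, 1), ip4(192, 168, 1, 13), ip4(8, 8, 8, 8)
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x allowed=%d\n", (unsigned)samples[i], daddr_allowed(samples[i]));
    printf("169.254.10.1 with the wide literal: %d\n",
           link_local_with_wide_literal(ip4(169, 254, 10, 1)));
    return 0;
}
```

A unit test over one address inside and one just outside each range, as in the assertions below, catches both the wide-literal slip and an off-by-one in the 172.16/12 bounds, which is the kind of check worth having around a guard whose whole purpose is to keep a stress tool inside a lab network.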
0011 – Protocols
Protocols


IGMPv3
• Specific headers for specific types:
    – Membership Query.
    – Membership Report.

• Membership Query options:
    –   Max Resp Code.
    –   Group Address.
    –   Suppress Router-side Processing Flag.
    –   Querier’s Robustness Variable (QRV).
    –   Querier’s Query Interval Code (QQIC).
    –   Number of Sources.
    –   Source Address(es).

• Membership Report options:
    –   Group Record Type.
    –   Group Record Multicast Address.
    –   Number of Sources.
    –   Source Address(es).

TCP
• Regular TCP options:
    – Source Port and Destination Port, Sequence Number (also known as ISN),
      Acknowledgment Number, Data Offset, Window, Urgent Pointer and TCP Flags
      (FIN, SYN, RST, PSH, ACK, URG, ECE and CWR).

• Supported TCP Options:
    – End of List (EOL), No Operation (NOP), Maximum Segment Size (MSS),
      Window Scale (WSopt), Timestamp (TSopt), T/TCP Connection Count (CC,
      CC.NEW and CC.ECHO), Selective Acknowledgement (SACK), MD5 Signature
      Option and the brand new TCP-AO (Authentication Option – RFC 5925).

• TCP Authentication Option (as of June 2010):
    –   Type (HMAC-MD5).
    –   Key ID.
    –   Next Key ID.
    –   Authentication Data (RANDOM).
Protocols


RIP
• Regular RIPv1 and RIPv2 options:
    –   Command.
    –   Address Family Identifier.
    –   Router IP Address.
    –   Router Metric.

• Enhanced RIPv2 options:
    –   Routing Domain.
    –   Route Tag.
    –   Router Network Mask.
    –   Router Next Hop.

• RIPv2 Cryptographic Authentication:
    –   Type (HMAC-MD5).
    –   Key ID.
    –   Cryptographic Sequence Number.
    –   Authentication Data (RANDOM).

DCCP
• Specific headers for specific types:
    – Request Packet.
    – Response Packet.
    – Data Packet.
    – Acknowledgment Packet, Data-Ack Packet, Synchronize Packet, Sync-Ack
      Packet, Close Packet and Close Request Packet.
    – Reset Packet.

• Regular DCCP options:
    –   Source Port and Destination Port.
    –   Data Offset.
    –   HC-Sender CCID (CCVal).
    –   Checksum Coverage (CsCov).
    –   Extended Sequence Numbers (X).
    –   Sequence Numbers (HIGH and LOW).
    –   Acknowledgment Numbers (HIGH and LOW).
    –   Service Code.
    –   Reset Code.
Exotic protocols

RSVP
• Supported RSVP types:
    –   Path Message.
    –   Resv Message.
    –   Path Teardown Message.
    –   Resv Teardown Message.
    –   Path Error Message.
    –   Resv Error Message.
    –   Confirmation Message.

• Specific RSVP Objects for specific RSVP types:
    –   SESSION Class.
    –   RSVP_HOP Class.
    –   TIME_VALUES Class.
    –   ERROR_SPEC Class.
    –   SCOPE Class.
    –   STYLE Class.
    –   SENDER_TEMPLATE Class.
    –   SENDER_TSPEC Class.
    –   ADSPEC Class.
    –   RESV_CONFIRM Class.

• Regular RSVP options:
    – Flags and Time to Live.

• SESSION Class options:
    – Destination Address, Protocol ID, Flags and Destination Port.

• RSVP_HOP Class options:
    – IP Next/Previous Hop (Neighbor) Address and Logical Interface Handle.

• TIME_VALUES Class options:
    – Refresh Period (Interval).

• ERROR_SPEC Class options:
    – IP Error Node Address, Flags, Error Code and Error Value.

• SCOPE Class options:
    – Number of Addresses and IP Source Address(es).

• Etc… Up to 37 command line interface switches.
Exotic protocols

EIGRP
• Supported EIGRP opcodes:
    –   Update Message.
    –   Request Message.
    –   Query Message.
    –   Reply Message.
    –   Hello Message.
    –   Acknowledgment Message.

• Specific EIGRP TLVs for specific EIGRP types:
    –   General Parameter TLV.
    –   Software Version TLV.
    –   Sequence TLV.
    –   Next Multicast Sequence TLV.
    –   IP Internal Routes TLV.
    –   IP External Routes TLV.

• EIGRP Cryptographic Authentication:
    – Type (HMAC-MD5).
    – Key-ID.
    – Authentication Data (RANDOM).

• Regular EIGRP options:
    – Opcode, Flags, Sequence Number, Acknowledgment Number, Autonomous
      System (AS), Type and Length.

• General Parameter TLV options:
    – K1, K2, K3, K4 and K5 Values and Hold Time (Interval).

• Software Version TLV options:
    – IOS Release Version and EIGRP Protocol Release Version.

• IP Internal Routes TLV and IP External Routes TLV options:
    – IP Next Hop Address, Delay, Bandwidth, Maximum Transmission Unit (MTU),
      Hop Count, Load, Reliability, IP Source Address(es) and IP Address
      Prefix (CIDR).

• Etc… Up to 33 command line interface switches.
Exotic protocols

OSPF
• Supported OSPF types:
    –   Hello Packet.
    –   Database Description Packet.
    –   Query Message Packet.
    –   Link State Request Packet.
    –   Link State Update Packet.
    –   Link State Acknowledgment Packet.

• Specific LSA Header for specific LSA type:
    –   Router LSA Header.
    –   Network LSA Header.
    –   Summary IP Network LSA Header.
    –   Summary ASBR Header.
    –   AS External LSA Header (ASBR).
    –   Not-so-Stubby Area LSA Header (NSSA).
    –   Group Membership LSA Header (Multicast).

• OSPF Cryptographic Authentication:
    –   Type (HMAC-MD5).
    –   Key ID.
    –   Cryptographic Sequence Number.
    –   Authentication Data (RANDOM).

• Specific LLS Data Block for specific LLS TLV:
    – Extended Options and Flags TLV.
    – Cryptographic Authentication TLV.

• Regular OSPF options:
    – Type, Router ID, Area ID and Options (Multi-Topology or TOS-Based,
      External Routing Capability, Multicast Capable, NSSA Supported, LLS Data
      Block is Contained, Demand Circuits is Supported, Opaque-LSA and Down
      Bit).

• Etc… Up to 54 command line interface switches.
0100 – Comparison
Methodology
0101 – Demonstration
T50: an Experimental Mixed Packet Injector

Dell Latitude E6400
•   Intel® Core™ 2 Duo P8400 (2.26 GHz)
•   Memory 4GB RAM
•   Ubuntu Desktop Linux 10.04 64-bit
•   Intel® 82567LM Gigabit Controller
•   1 Gbps Network
•   Cross-over Cable (CAT-5e)

Dell Latitude D620
•   Intel® Core™ Duo T5600 (1.83 GHz)
•   Memory 2GB RAM
•   Microsoft Windows 7 32-bit
•   Broadcom NetXtreme 57xx Gigabit Controller
•   1 Gbps Network
•   Cross-over Cable (CAT-5e)

Video: http://fnstenv.blogspot.com/
Code
0110 – Conclusions
Conclusions
• Can be applied to any DoS:
   – Peer-to-Peer Attacks
   – Application Level Attacks
   – Distributed Attacks
   – Reflected Attacks
   – Level-2 Attacks
   – Degradation-of-Service Attacks
   – DNS Amplifier Attacks

• Are DoS and DDoS so 1990’s?
    – Please, don’t be silly, again!!!

• Can it be considered a cyber warfare weapon?
   – Yes, it can be considered one.

• It is just a matter of time until things get worse on the Internet.

• A DoS can be perpetrated overnight!

• What else?

An attacker does not even need multiple zombies.
0111 – Questions & Answers
Any questions?