T50 (an Experimental Mixed Packet Injector): new features added in version 5.3 (Chaos Maker).
Check the original demonstration videos:
- https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx
For the source code, please refer to:
- http://t50.sourceforge.net/
6. Why Denial-of-Service?
• Is there anything more offensive than a DoS, anyways?
  – Bear in mind: DoS means “Stress Testing” for this presentation.
• DoS tools are necessary weapons in cyber warfare…
• Attacks against the infrastructure are more common than many people might think, and, when they happen, people will certainly be aware of them.
• But, what are the real damages? What are the real motivations? Image? Revenge? Financial? Political? Hacktivism?
• DoS attacks are significantly harmful, because they violate one of the three key concepts of security that are common to risk management… Which one?
  – Confidentiality
  – Integrity
  – Availability
T50 shows that some performance enhancements can be achieved using an ordinary Linux box and programming in user space.
7. T50 – The chaos maker
• Primarily, the tool was developed to address my day-by-day needs, and I am sharing it with the community, because I always need a tool to perform some “Stress Testing” that could be launched from my notebook:
  – I do not want to carry/rent/buy a Smartbits, Avalanche, etc.
• The tool was designed to perform “Stress Testing” on a variety of infrastructure network devices (Version 2.45).
• The tool was re-designed to extend the “Stress Testing” (Version 5.3), covering some regular protocols (ICMP, IGMP, TCP and UDP), some infrastructure-specific protocols (GRE, IPSec and RSVP) and some routing protocols (RIP, EIGRP and OSPF).
• This new version is focused on internal infrastructure, allowing people to test the availability of its resources.
• Interior Gateway Protocols (Distance Vector Algorithm):
  – Routing Information Protocol (RIP).
  – Enhanced Interior Gateway Routing Protocol (EIGRP).
• Interior Gateway Protocols (Link State Algorithm):
  – Open Shortest Path First (OSPF).
• Quality-of-Service Protocols:
  – Resource ReSerVation Protocol (RSVP).
• Tunneling/Encapsulation Protocols:
  – Generic Routing Encapsulation (GRE).
8. T50 – The chaos maker
I did not review any third-party code…
I found my own way to address some challenges!!!

/* Bytes needed to carry an EIGRP route destination of `foo` prefix bits:
   the whole bytes plus one more when the prefix does not end on a byte
   boundary. The `& 3` keeps the whole-byte count in 0..3, so the macro
   relies on the tool's /30 maximum (it evaluates to 0 for a /32). */
#define EIGRP_DADDR_LENGTH(foo) \
        (((foo >> 3) & 3) + (foo % 8 ? 1 : 0))

/* Dispatch with GOTO: two EIGRP TLV types share one build path. */
if (o.eigrp.type == EIGRP_TYPE_SOFTWARE ||
    o.eigrp.type == EIGRP_TYPE_MULTICAST) goto eigrp_software;

/* Mask the destination `foo` (network byte order) down to the bytes fully
   covered by a `bar`-bit prefix; the shift amount must stay below 32. */
#define EIGRP_DADDR_BUILD(foo, bar) \
        (foo &= htonl(~(0xffffffff >> ((bar >> 3) * 8))))

/* Padding bytes that bring a TCP options length of `foo` up to the next
   32-bit boundary (0 when already aligned). */
#define TCPOLEN_PADDING(foo) \
        ((foo & 3) ? 4 - (foo & 3) : 0)
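As an added example (not T50's code and not from the slides), the three macros above are wrapped in plain C functions and checked against straightforward reference computations. That makes their hidden assumption visible: both EIGRP macros are only correct for prefixes up to the /30 maximum the CIDR slide states, and the destination mask clears every octet that the prefix does not fully cover. The function names, the PREFIX_MIN/PREFIX_MAX constants and the sample addresses are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* The three macros exactly as shown on the slide. */
#define EIGRP_DADDR_LENGTH(foo) \
        (((foo >> 3) & 3) + (foo % 8 ? 1 : 0))
#define EIGRP_DADDR_BUILD(foo, bar) \
        (foo &= htonl(~(0xffffffff >> ((bar >> 3) * 8))))
#define TCPOLEN_PADDING(foo) \
        ((foo & 3) ? 4 - (foo & 3) : 0)

/* Bounds the CIDR slide states for the tool (assumed here as constants). */
#define PREFIX_MIN 8
#define PREFIX_MAX 30

/* Reference: bytes needed to carry `prefix` bits, valid for any 0..32. */
unsigned prefix_bytes_reference(unsigned prefix) { return (prefix + 7) / 8; }

/* The slide's length macro as a function. */
unsigned eigrp_daddr_length(unsigned prefix) { return EIGRP_DADDR_LENGTH(prefix); }

/* Largest prefix for which the macro still matches the reference. The `& 3`
   wraps (32 >> 3) to 0, so the answer is 31: a /32 would be sized as 0 bytes. */
unsigned eigrp_daddr_length_agrees_up_to(void)
{
    for (unsigned p = 0; p <= 32; p++)
        if (eigrp_daddr_length(p) != prefix_bytes_reference(p))
            return p - 1;
    return 32;
}

/* Apply the slide's destination mask to a dotted address and return the
   result in host byte order. Only octets fully covered by the prefix survive;
   a partially covered octet is zeroed rather than masked bit-wise, so
   10.200.200.1 with /20 becomes 10.200.0.0, not 10.200.192.0. Returns
   UINT32_MAX for a prefix outside /8../30 or an unparsable address. */
uint32_t eigrp_daddr_build(const char *dotted, unsigned prefix)
{
    struct in_addr a;
    if (prefix < PREFIX_MIN || prefix > PREFIX_MAX) return UINT32_MAX;
    if (inet_pton(AF_INET, dotted, &a) != 1) return UINT32_MAX;
    uint32_t daddr = a.s_addr;          /* network byte order, as the tool stores it */
    EIGRP_DADDR_BUILD(daddr, prefix);
    return ntohl(daddr);
}

/* TCP options must end on a 32-bit boundary; this is the number of pad bytes. */
unsigned tcp_options_padding(unsigned optlen) { return TCPOLEN_PADDING(optlen); }

/* Data Offset field (in 32-bit words) for a 20-byte base header plus padded options. */
unsigned tcp_data_offset_words(unsigned optlen)
{
    return (20 + optlen + tcp_options_padding(optlen)) / 4;
}

int main(void)
{
    printf("length macro agrees with ceil(bits/8) up to /%u\n",
           eigrp_daddr_length_agrees_up_to());
    printf("10.200.200.1 masked for /20 -> 0x%08x (partial octet cleared)\n",
           eigrp_daddr_build("10.200.200.1", 20));
    printf("10 option bytes -> %u pad bytes, data offset %u words\n",
           tcp_options_padding(10), tcp_data_offset_words(10));
    return 0;
}
```

The checks are the ones worth keeping around when a macro like this is reused elsewhere: a prefix-length encoder that silently produces 0 bytes for /32, or a right shift by 32, is exactly the kind of assumption that breaks once the input range is widened.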
10. License
• Licensed under GNU General Public License version 2:
  – No piece of code can be integrated into proprietary applications and appliances.
  – There is an alternative license to do so.
• Free software and 100% Open Source:
  – You may redistribute and/or modify it under the terms of GPL version 2.
  – It will always be available as an Open Source project to the community.
• Recruiting new coders, hackers and developers to keep the project going and add substantial new improvements.
11. Classless Inter-Domain Routing (CIDR)
• CIDR specifies an IP address range using a combination of an IP address and its associated network mask:
  – 192.168.1.13/24 (equivalent to 192.168.1.13/255.255.255.0)
  – 172.16.0.128/15 (equivalent to 172.16.0.128/255.254.0.0)
  – 10.200.200.1/10 (equivalent to 10.200.200.1/255.192.0.0)
• CIDR for the destination address is supported:
  – Allows simulating both Distributed Denial-of-Service and Distributed Reflection Denial-of-Service in a controlled environment.
  – CIDR network masks supported:
    • Minimum is “/8” (255.0.0.0).
    • Maximum is “/30” (255.255.255.252).
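As an added example (not part of the slides or of T50), here is a C parser for the two notations listed above. It converts between prefix length and dotted mask, rejects non-contiguous masks, and enforces the /8 to /30 bounds the slide gives; the same routine is what a firewall rule or allow-list loader would use to validate a range before acting on it. The type and function names and the two rejected inputs are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Bounds the slide states for the destination mask. */
#define CIDR_MIN_PREFIX 8
#define CIDR_MAX_PREFIX 30

/* Parsed range, all values in host byte order. */
typedef struct {
    uint32_t address;
    uint32_t mask;
    unsigned prefix;
    uint32_t network;   /* address & mask */
    uint32_t hosts;     /* addresses in the range minus network and broadcast */
} cidr_t;

/* Contiguous dotted mask -> prefix length, or -1 if a 0 bit precedes a 1 bit. */
static int mask_to_prefix(uint32_t mask)
{
    unsigned ones = 0;
    while (ones < 32 && (mask & (0x80000000u >> ones))) ones++;
    if (ones < 32 && (mask & (0xffffffffu >> ones))) return -1;
    return (int)ones;
}

static uint32_t prefix_to_mask(unsigned prefix)
{
    return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
}

/* Parse "a.b.c.d/n" or "a.b.c.d/m.m.m.m". Returns 0 on success, -1 on a
   syntax error or non-contiguous mask, -2 when the prefix is outside /8../30. */
int cidr_parse(const char *text, cidr_t *out)
{
    char buf[64];
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);

    char *slash = strchr(buf, '/');
    if (slash == NULL) return -1;
    *slash = '\0';
    const char *mask_text = slash + 1;

    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;

    int prefix;
    if (strchr(mask_text, '.') != NULL) {           /* dotted mask form */
        struct in_addr m;
        if (inet_pton(AF_INET, mask_text, &m) != 1) return -1;
        prefix = mask_to_prefix(ntohl(m.s_addr));
        if (prefix < 0) return -1;
    } else {                                         /* numeric prefix form */
        char *end;
        long v = strtol(mask_text, &end, 10);
        if (*mask_text == '\0' || *end != '\0' || v < 0 || v > 32) return -1;
        prefix = (int)v;
    }
    if (prefix < CIDR_MIN_PREFIX || prefix > CIDR_MAX_PREFIX) return -2;

    out->address = ntohl(a.s_addr);
    out->prefix  = (unsigned)prefix;
    out->mask    = prefix_to_mask(out->prefix);
    out->network = out->address & out->mask;
    out->hosts   = (1u << (32 - out->prefix)) - 2;
    return 0;
}

/* Single-value wrappers so each result can be checked on its own. */
int      cidr_status(const char *text)  { cidr_t c; return cidr_parse(text, &c); }
uint32_t cidr_network(const char *text) { cidr_t c; return cidr_parse(text, &c) == 0 ? c.network : 0; }
uint32_t cidr_mask(const char *text)    { cidr_t c; return cidr_parse(text, &c) == 0 ? c.mask : 0; }
uint32_t cidr_hosts(const char *text)   { cidr_t c; return cidr_parse(text, &c) == 0 ? c.hosts : 0; }

static const char *dotted(uint32_t host_order, char out[INET_ADDRSTRLEN])
{
    struct in_addr a = { .s_addr = htonl(host_order) };
    return inet_ntop(AF_INET, &a, out, INET_ADDRSTRLEN);
}

int main(void)
{
    /* The three notations from the slide plus two constructed inputs that must be rejected. */
    const char *inputs[] = { "192.168.1.13/24", "172.16.0.128/255.254.0.0",
                             "10.200.200.1/10", "10.0.0.1/32", "10.0.0.1/255.0.255.0" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        cidr_t c;
        char n[INET_ADDRSTRLEN], m[INET_ADDRSTRLEN];
        int rc = cidr_parse(inputs[i], &c);
        if (rc == 0)
            printf("%-26s network %-15s mask %-15s /%u (%u hosts)\n", inputs[i],
                   dotted(c.network, n), dotted(c.mask, m), c.prefix, c.hosts);
        else
            printf("%-26s rejected (%s)\n", inputs[i],
                   rc == -2 ? "prefix outside /8../30" : "syntax or non-contiguous mask");
    }
    return 0;
}
```

The dotted-mask branch deliberately refuses masks such as 255.0.255.0: accepting a non-contiguous mask would make "network" and "hosts" meaningless, and a range that cannot be reasoned about should not be acted on.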
14. Multi-protocol sequential injection
• Version 2.45 (as of November 2010):
  – Support for four protocols: ICMP, IGMPv1, TCP and UDP.
  – Sends all of them sequentially, i.e., almost at the same time.
• Version 5.3 (as of today):
  – Support for the previous four protocols: ICMP, IGMPv1 [1], TCP [1] and UDP.
  – Eleven (11) new protocols: IGMPv3 [1], EGP [2], RIPv1, RIPv2, DCCP [1], RSVP [1], GRE [3], IPSec (AH/ESP), EIGRP [1] and OSPF [1].
  – Sends all of them sequentially, i.e., almost at the same time.
[1] This protocol can be improved to cover additional advanced options.
[2] This protocol demands more development effort to cover advanced options.
[3] Very first tool able to encapsulate the protocols within GRE packets.
18. Checksum optimization
• Version 5.3 introduced a new technique to calculate the checksum and, consequently, a new technique to build the packet.
• This technique is MEMCPY(3)-free and allows building the packet byte-by-byte, sometimes bit-by-bit.
• This technique is more flexible, especially when playing with exotic protocol options, and sometimes uses GOTO. For example:
  – EIGRP IP Internal Routes TLV destination address.
  – EIGRP IP External Routes TLV destination address.
  – OSPF HELLO Message with multiple NEIGHBOR addresses.
  – RSVP Object SCOPE Class with multiple SCOPE addresses.
  – Etc…
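The slide describes the idea but not the mechanics, so here is an added example (my own code, not T50's) of a checksum that is accumulated while a header is emitted byte by byte, next to the classic whole-buffer computation. The Internet checksum (RFC 1071 ones'-complement sum) is a running sum, so there is no need to finish and copy the packet before summing it; the only subtlety is pairing bytes into 16-bit words across calls and padding an odd trailing byte. The sample IPv4 header and the 3-byte odd-length payload are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Running RFC 1071 ones'-complement sum that accepts the packet one byte at a
   time, so the checksum accumulates while the header is being written instead
   of over a finished, memcpy()'d buffer. */
typedef struct {
    uint32_t sum;      /* accumulator of 16-bit big-endian words */
    int      have_hi;  /* a high byte is waiting for its low-byte partner */
    uint8_t  hi;
} cksum_t;

void cksum_init(cksum_t *c) { c->sum = 0; c->have_hi = 0; c->hi = 0; }

void cksum_add_byte(cksum_t *c, uint8_t b)
{
    if (c->have_hi) {
        c->sum += ((uint32_t)c->hi << 8) | b;
        c->have_hi = 0;
    } else {
        c->hi = b;
        c->have_hi = 1;
    }
}

void cksum_add_be16(cksum_t *c, uint16_t v)
{
    cksum_add_byte(c, (uint8_t)(v >> 8));
    cksum_add_byte(c, (uint8_t)(v & 0xff));
}

void cksum_add_be32(cksum_t *c, uint32_t v)
{
    cksum_add_be16(c, (uint16_t)(v >> 16));
    cksum_add_be16(c, (uint16_t)(v & 0xffff));
}

/* An odd trailing byte is padded with zero, carries folded, result complemented. */
uint16_t cksum_finish(const cksum_t *c)
{
    uint32_t sum = c->sum;
    if (c->have_hi) sum += (uint32_t)c->hi << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Classic reference: the same checksum over a finished buffer. */
uint16_t cksum_buffer(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; n -= 2, p += 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample: a 20-byte IPv4 header (UDP, 192.168.0.1 -> 192.168.0.199,
   total length 115) emitted field by field with the checksum slot held at zero. */
uint16_t ipv4_header_checksum_incremental(void)
{
    cksum_t c;
    cksum_init(&c);
    cksum_add_byte(&c, 0x45);          /* version 4, IHL 5 */
    cksum_add_byte(&c, 0x00);          /* DSCP/ECN */
    cksum_add_be16(&c, 0x0073);        /* total length */
    cksum_add_be16(&c, 0x0000);        /* identification */
    cksum_add_be16(&c, 0x4000);        /* flags DF, fragment offset 0 */
    cksum_add_byte(&c, 0x40);          /* TTL */
    cksum_add_byte(&c, 0x11);          /* protocol UDP */
    cksum_add_be16(&c, 0x0000);        /* header checksum, zero while summing */
    cksum_add_be32(&c, 0xC0A80001u);   /* source */
    cksum_add_be32(&c, 0xC0A800C7u);   /* destination */
    return cksum_finish(&c);
}

/* Same header as a finished buffer; after the checksum is filled in, a
   receiver's verification sum over the whole header must come out as zero. */
uint16_t ipv4_header_verify_sum(void)
{
    uint8_t hdr[20] = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
                        0x00, 0x00, 0xC0, 0xA8, 0x00, 0x01, 0xC0, 0xA8, 0x00, 0xC7 };
    uint16_t ck = cksum_buffer(hdr, sizeof hdr);
    hdr[10] = (uint8_t)(ck >> 8);
    hdr[11] = (uint8_t)(ck & 0xff);
    return cksum_buffer(hdr, sizeof hdr);
}

/* Odd-length edge case: a constructed 3-byte payload through both paths. */
static const uint8_t odd_sample[3] = { 0xAB, 0xCD, 0xEF };

uint16_t cksum_odd_sample_buffer(void) { return cksum_buffer(odd_sample, sizeof odd_sample); }

uint16_t cksum_odd_sample_incremental(void)
{
    cksum_t c;
    cksum_init(&c);
    for (size_t i = 0; i < sizeof odd_sample; i++) cksum_add_byte(&c, odd_sample[i]);
    return cksum_finish(&c);
}

int main(void)
{
    printf("incremental IPv4 header checksum: 0x%04x\n", ipv4_header_checksum_incremental());
    printf("verification sum with checksum filled in: 0x%04x\n", ipv4_header_verify_sum());
    printf("odd-length sample: buffer 0x%04x, incremental 0x%04x\n",
           cksum_odd_sample_buffer(), cksum_odd_sample_incremental());
    return 0;
}
```

The verification function is the receiver-side view: a header whose checksum field already holds the right value sums to 0xFFFF before complementing, so a decoder or IDS that recomputes it gets zero and can flag anything else as corrupted or crafted.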
38. Protocols
IGMPv3
• Specific headers for specific types:
  – Membership Query.
  – Membership Report.
• Membership Query options:
  – Max Resp Code.
  – Group Address.
  – Suppress Router-processing Flag.
  – Querier’s Robustness Variable (QRV).
  – Querier’s Query Interval Code (QQIC).
  – Number of Sources.
  – Source Address(es).
• Membership Report options:
  – Group Record Type.
  – Group Record Multicast Address.
  – Number of Sources.
  – Source Address(es).
TCP
• Regular TCP options:
  – Source Port and Destination Port, Sequence Number (also known as ISN), Acknowledgment Number, Data Offset, Window, Urgent Pointer and TCP Flags (FIN, SYN, RST, PSH, ACK, URG, ECE and CWR).
• Supported TCP Options:
  – End of List (EOL), No Operation (NOP), Maximum Segment Size (MSS), Window Scale (WSopt), Timestamp (TSopt), T/TCP Connection Count (CC, CC.NEW and CC.ECHO), Selective Acknowledgement (SACK), MD5 Signature Option and the brand new TCP-AO (Authentication Option – RFC 5925).
• TCP Authentication Option (as of June 2010):
  – Type (HMAC-MD5).
  – Key ID.
  – Next Key ID.
  – Authentication Data (RANDOM).
39. Protocols
RIP
• Regular RIPv1 and RIPv2 options:
  – Command.
  – Address Family Identifier.
  – Router IP Address.
  – Router Metric.
• Enhanced RIPv2 options:
  – Routing Domain.
  – Route Tag.
  – Router Network Mask.
  – Router Next Hop.
• RIPv2 Cryptographic Authentication:
  – Type (HMAC-MD5).
  – Key ID.
  – Cryptographic Sequence Number.
  – Authentication Data (RANDOM).
DCCP
• Specific headers for specific types:
  – Request Packet.
  – Response Packet.
  – Data Packet.
  – Acknowledgment Packet, Data-Ack Packet, Synchronize Packet, Sync-Ack Packet, Close Packet and Close Request Packet.
  – Reset Packet.
• Regular DCCP options:
  – Source Port and Destination Port.
  – Data Offset.
  – HC-Sender CCID (CCVal).
  – Checksum Coverage (CsCov).
  – Extended Sequence Numbers (X).
  – Sequence Numbers (HIGH and LOW).
  – Acknowledgment Numbers (HIGH and LOW).
  – Service Code.
  – Reset Code.
40. Exotic protocols
RSVP
• Supported RSVP types:
  – Path Message.
  – Resv Message.
  – Path Teardown Message.
  – Resv Teardown Message.
  – Path Error Message.
  – Resv Error Message.
  – Confirmation Message.
• Specific RSVP Objects for specific RSVP types:
  – SESSION Class.
  – RSVP_HOP Class.
  – TIME_VALUES Class.
  – ERROR_SPEC Class.
  – SCOPE Class.
  – STYLE Class.
  – SENDER_TEMPLATE Class.
  – SENDER_TSPEC Class.
  – ADSPEC Class.
  – RESV_CONFIRM Class.
• Regular RSVP options:
  – Flags and Time to Live.
• SESSION Class options:
  – Destination Address, Protocol ID, Flags and Destination Port.
• RSVP_HOP Class options:
  – IP Next/Previous Hop (Neighbor) Address and Logical Interface Handle.
• TIME_VALUES Class options:
  – Refresh Period (Interval).
• ERROR_SPEC Class options:
  – IP Error Node Address, Flags, Error Code and Error Value.
• SCOPE Class options:
  – Number of Addresses and IP Source Address(es).
• Etc… Up to 37 command line interface switches.
41. Exotic protocols
EIGRP
• Supported EIGRP opcodes:
  – Update Message.
  – Request Message.
  – Query Message.
  – Reply Message.
  – Hello Message.
  – Acknowledgment Message.
• Specific EIGRP TLVs for specific EIGRP types:
  – General Parameter TLV.
  – Software Version TLV.
  – Sequence TLV.
  – Next Multicast Sequence TLV.
  – IP Internal Routes TLV.
  – IP External Routes TLV.
• EIGRP Cryptographic Authentication:
  – Type (HMAC-MD5).
  – Key-ID.
  – Authentication Data (RANDOM).
• Regular EIGRP options:
  – Opcode, Flags, Sequence Number, Acknowledgment Number, Autonomous System (AS), Type and Length.
• General Parameter TLV options:
  – K1, K2, K3, K4 and K5 Values and Hold Time (Interval).
• Software Version TLV options:
  – IOS Release Version and EIGRP Protocol Release Version.
• IP Internal Routes TLV and IP External Routes TLV options:
  – IP Next Hop Address, Delay, Bandwidth, Maximum Transmission Unit (MTU), Hop Count, Load, Reliability, IP Source Address(es) and IP Address Prefix (CIDR).
• Etc… Up to 33 command line interface switches.
42. Exotic protocols
OSPF
• Supported OSPF types:
  – Hello Packet.
  – Database Description Packet.
  – Query Message Packet.
  – Link State Request Packet.
  – Link State Update Packet.
  – Link State Acknowledgment Packet.
• Specific LSA Header for specific LSA type:
  – Router LSA Header.
  – Network LSA Header.
  – Summary IP Network LSA Header.
  – Summary ASBR Header (ASBR).
  – AS External LSA Header.
  – Not-so-Stubby Area LSA Header (NSSA).
  – Group Membership LSA Header (Multicast).
• OSPF Cryptographic Authentication:
  – Type (HMAC-MD5).
  – Key ID.
  – Cryptographic Sequence Number.
  – Authentication Data (RANDOM).
• Specific LLS Data Block for specific LLS TLV:
  – Extended Options and Flags TLV.
  – Cryptographic Authentication TLV.
• Regular OSPF options:
  – Type, Router ID, Area ID and Options (Multi-Topology or TOS-Based, External Routing Capability, Multicast Capable, NSSA Supported, LLS Data Block Contained, Demand Circuits Supported, Opaque-LSA and Down Bit).
• Etc… Up to 54 command line interface switches.
48. Conclusions
• Can be applied to any DoS:
  – Peer-to-Peer Attacks
  – Application Level Attacks
  – Distributed Attacks
  – Reflected Attacks
  – Level-2 Attacks
  – Degradation-of-Service Attacks
  – DNS Amplifier Attacks
• Are DoS and DDoS so 1990’s?
  – Please, don’t be silly, again!!!
• Can it be considered a cyber warfare weapon?
  – Yes, it can be considered like one.
• It is just a matter of time until things get worse on the Internet.
• A DoS can be perpetrated overnight!
• What else?
An attacker does not even need multiple zombies.