[22007] in bugtraq
Re: ARPNuke - 80 kb/s kills a whole subnet
daemon@ATHENA.MIT.EDU (Raptor)
Mon Jul 30 15:21:00 2001
Date: Mon, 30 Jul 2001 19:55:45 +0200 (CEST)
From: Raptor <raptor@0xdeadbeef.eu.org>
To: <bugtraq@securityfocus.com>
In-Reply-To: <3B651DF6.B09F7F4B@starzetz.de>
Message-ID: <Pine.LNX.4.30.0107301951530.246-100000@hacaro.rewt.mil>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: 8bit
Obviously you need to be in the local ethernet segment to accomplish an
attack like that. I wrote a similar tool a couple of years ago, called
havoc. It can be downloaded from http://packetstormsecurity.org/DoS/havoc-0.1c.tgz
and can be easily modified to suit your particular needs.
Cheers,
:raptor
On Mon, 30 Jul 2001, Paul Starzetz wrote:
> There is an ARP table handling bug in Microsoft Windows protocoll
> stacks. It seems that the arp handling code uses some inefficient data
> structure (maybe a simple linear table?) to manage the ARP entries.
> Sending a huge amount of ´random´ (that is random source IP and
> arbitrary MAC) ARP packets results in 100% CPU utilization and a machine
> lock up. The machine wakes up after the packets stream has been stopped.
>
> The needed traffic is not really high: the attached ARPkill code will
> send an initial sequence of about 10000 ARP packets, then go to ´burst
> mode´ sending definable short burst of random ARP packets every 10 msec.
> The lockup occured at about 80kb/sec (seq about 45) on a PII/350.
>
> Even worse: it seems that is possible to kill a whole subnet using
> broadcast destination MAC (that is ff:ff:ff:ff:ff:ff) and arbitrary
> source IP.
Antifork Research, Inc. @ Mediaservice.net Srl
http://www.0xdeadbeef.eu.org http://www.mediaservice.net
