SCROOMtimes
Volume 4, Number 6
June, 1999

Tales of the Geek Lord
Throwing a net.tantrum

by Pelican Smith



The glory days of hacking have ended. Once upon a time, clever amateurs roamed the Internet taking down The Man - scoring free long distance, r00ting gov servers, phreaking and cracking and hacking. But the landscape has changed. More than ever, there is money to be made on the Internet. More than ever, people are working to protect their investments in the Internet. Not to say big business doesn't still get hacked all to hell - but it's gotten a lot harder. The stakes are higher. Hacking has turned pro.

Which leaves the script kiddies, those seeking vengeance, and the plain bored looking for something to pass the time. How do I make an impact on the 'Net?

The Internet is a castle made of sand. We all live in it. It was never made for this. Its central infrastructure, its protocols, its hardware and software, were never constructed to withstand the pounding from over 8 million full time nodes, and more users than can realistically be counted.

So it is easy - it is painfully easy - to wreak havoc, to disrupt and destroy, to throw a net.tantrum. It's called a DoS - Denial of Service attack. I don't like you. You insulted me, or your company made a product that is better than mine, or I heard from a friend that you don't like cats, so I want to hurt your business. Simple, just launch a fraggle, smurf, pepsi, boink, bonk, teardrop, ping of death, or winnuke at your servers. See ya, wouldn't want to be ya.

The tools have stupid names, but the results are not frivolous. They can, and do, cost companies millions of dollars in measurable downtime and data loss. Perhaps there is elegance in the simplicity of the attacks, if art can be found in breaking things, but the complications, moral and ethical and structural and personal, extend beyond the act itself - why, just like art.

Before I start talking about the attacks, let me refresh you on the basics. Real fast now, don't worry, I won't geek out on you too much. We all talk on the Internet using the Internet Protocol (IP). On top of IP, we use either the Transmission Control Protocol (TCP/IP), or the User Datagram Protocol (UDP/IP). Both have similar parts, namely, they identify:

  1. The host that the data is going to (Destination Address)
  2. The host that the data came from (Source Address)
  3. The port that the data is going to (WWW, email, FTP, etc)

Remember that I said they identify. They don't authenticate. They do not prove that the packet you receive came from where it says it did. When I send you a web page that looks like it came from Microsoft, that's known as spoofing. Happens all the time. You never find out who actually sent you the web page. If you aren't careful, you never notice that the page isn't legitimate. Sucks to be you.
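To make the identify-versus-authenticate point concrete, here is an added example (not from the column) that builds a constructed IPv4+TCP packet in memory, never sends it, and parses it the way a receiver would: the three fields listed above come straight out of the header, and the only check available is the RFC 791 header checksum, which proves the bytes were not mangled in transit and nothing about who wrote them. The addresses and ports are constructed sample values.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(claimed_src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample packet, kept in memory only: 20-byte IPv4 header + minimal TCP header.
    The source address is whatever the builder writes into the field; the receiver cannot tell."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                      socket.inet_aton(claimed_src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)               # computed with the checksum field still zero
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + tcp

def parse_ipv4_tcp(packet: bytes) -> dict:
    """What a receiver can read: destination, claimed source, port, and whether the
    header checksum verifies. Nothing in here proves the packet's origin."""
    (version_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {
        "src": socket.inet_ntoa(src),       # identified, not authenticated
        "dst": socket.inet_ntoa(dst),
        "proto": proto,                     # 6 = TCP, 17 = UDP
        "sport": sport,
        "dport": dport,
        "checksum_ok": ipv4_checksum(zeroed) == csum,   # integrity of the header bytes only
    }
```

A packet claiming any source address verifies exactly as well as an honest one, which is why a receiver has to get authentication from somewhere above IP.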

  • Teardrop: An attacker sends you a packet that is just the right size that it must be broken into two fragments. One of the fragments is too small. Your computer sits and waits for a correct size packet. Your computer starts overwriting its own memory and crashes. If you are running a Windows system, you get the groovy and popular Blue Screen of Death. Haiku, anyone?
  • Bonk and Boink: They do the opposite of Teardrop. They send you a packet that gets fragmented, with one fragment being too large. Blue Screen of Death again. Cycle power, reboot, BSOD, ad nauseam.
  • Ping of Death: An exploit that was originally run from Windows computers. Ping is normally a small packet sent out to the Internet to discover if a computer is up and running. Nobody said it had to be small though. In fact, Windows computers let you send out a packet that was way too large. Caused many Unix servers to roll over and die. Au revoir, web server.
  • Land: Ooh, ooh, ooh. What if, say, I sent a packet to a port on your computer that makes it look like it came from that same port on your computer. Your computer could then open a transmission control block (chunk of its mighty, digital brain) to communicate with - Itself! Instant freak out. Computer says gaaarrr, then dies.
  • SYN Flooding: For my computer to talk to your computer, I send you a TCP/IP packet with the Synchronize (SYN) bit set. You send me back a packet with the Synchronize/Acknowledgement (SYNACK) bit set, then I send you a plain old acknowledgement (ACK). It's called the three way handshake, and is fundamental to setting up reliable communications in the Internet. If I send out SYN packets with the source address spoofed to be some computer that is not actually running anywhere on the Internet, then your computer sends the SYNACK out and waits for the ACK to come back. And waits, and waits. The SYNACK eventually gets swallowed by a router out there somewhere. If I send a good eight thousand SYN packets to port 25 on your computer, you don't get any more email. If I send them to port 80, you don't deliver any more web pages. If I know you are running a telnet session from Host B, I can SYN flood Host B to shut it up for a while, then, gosh I'm clever, I can send you packets that look like they came from Host B. Maybe in those packets I tell you to let the whole world in without asking for a password. That's called session hijacking. Are you breathing hard?
  • Smurf and Fraggle: Let's say there is some computer out there whose IP address is 10.1.1.1. The network it rides on is more than likely identified as 10.1.1.0. There can be up to 254 computers on the 10.1.1.0 network, and if you want to send information to all of them, you send it to the network broadcast address, which is 10.1.1.255. In that case, every computer on the network will send you a reply. Now, if I don't like you, I spoof some ping or UDP packets so that they look like they came from you, and they are going to several broadcast addresses. In other words, I send out one small packet, and you wind up receiving 254 packets you never asked for. If I really pump them out, you wind up receiving so much garbage that your connection slows to a grind. This is known as a network meltdown. It has no odor, no taste, but sounds like this - "Hey, why is the Internet so slow?"
  • WinNuke: If you are telnetted to another computer, and you suddenly type in Control-C, the telnet application knows what to do. It sends out a packet with the push bit (PSH) set. The other computer sees this packet and stops whatever it was doing to give you back your prompt. This is known as Out Of Band (OOB) data. With telnet, it's cool. But if you are on a Windows computer, you are using a protocol hook known as NetBIOS (it's what puts all those computers in your Network Neighborhood). NetBIOS never expected OOB data. It receives a packet with the PSH bit set, and it freaks. Due to the mysterious nature of luck, this usually happens while you are typing up a two page document that you haven't saved yet.

OK, I explained how these things work. If you aren't quite sure how to write a program that will build these packets, have no fear. There are plenty of places out there on the Internet that will provide you with an easy to run program that will do it for you. Just download, install, and run, run, run.

And who wrote these programs? Some of them are criminals. A very few are old school hackers who miss the glory days. Most of them are people who, as coincidence has it, provide some product that will protect you against the script that they wrote. If 12 year olds the world over are running their script against you, then maybe you will buy the product to protect yourself.

I told you. The landscape has changed. Hacking has turned pro.
