This is going to sound really nubbish, but this is the newbie forum...
If one scans a host (say with nmap) and there are no results, i.e. no ports open at all (it's a router), does that mean a DoS attack or SYN flood cannot be launched against that router/host?
thanks !
If there is a firewall, you could overload the firewall that tries to return your packets. Nothing more.
SYN floods need to have a listening TCP port on the target, or a firewall that is keeping track of TCP connections, so that they can fill the state table.
There are other DOS types however.
Saturating a host's link with traffic will work regardless of whether the host itself has any listening ports or not. If the host is routing traffic or performing some other sort of processing of the traffic (e.g. it's performing some filtering) then you can overwhelm its available resources by sending it more traffic than it can process.
Also keep in mind that nmap scan results are not always 100% reliable (it doesn't scan all TCP ports by default, replies could be lost or filtered, etc.), so an nmap scan stating that no ports are open does not mean that no ports are listening.
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
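From the defender's side, the state-table point in the reply above can be checked by counting half-open entries on the stateful firewall. This is an added example, not code from the thread: it assumes a Linux `conntrack -L` style listing, `table_max` stands in for the firewall's configured table size, and the sample rows are constructed.

```python
import re
from collections import Counter

# States in which the TCP handshake has not completed yet.
HALF_OPEN = {"SYN_SENT", "SYN_RECV"}
# The first src=/dst=/dport= on a line describe the original direction of the flow.
LINE_RE = re.compile(
    r"^tcp\s+6\s+\d+\s+(?P<state>[A-Z_0-9]+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=\d+\s+dport=(?P<dport>\d+)"
)

def half_open_report(lines, table_max, alert_fraction=0.5):
    """Summarise half-open TCP entries per destination in a conntrack-style listing."""
    per_target, sources, tcp_entries = Counter(), {}, 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparseable entries are skipped
        tcp_entries += 1
        if m["state"] in HALF_OPEN:
            key = (m["dst"], int(m["dport"]))
            per_target[key] += 1
            sources.setdefault(key, set()).add(m["src"])
    half_open = sum(per_target.values())
    return {
        "tcp_entries": tcp_entries,
        "half_open": half_open,
        "table_fill": half_open / table_max,  # share of the table held by half-open flows
        "alert": half_open >= alert_fraction * table_max,
        # (destination, port, half-open entries, distinct sources), busiest first
        "targets": [(d, p, n, len(sources[(d, p)])) for (d, p), n in per_target.most_common()],
    }

def constructed_sample():
    """Constructed data: 40 unanswered SYNs to a closed port, one normal flow, one UDP flow."""
    rows = [
        f"tcp      6 110 SYN_SENT src=198.51.100.{i} dst=192.0.2.10 sport={40000 + i} dport=23 "
        f"[UNREPLIED] src=192.0.2.10 dst=198.51.100.{i} sport=23 dport={40000 + i} mark=0 use=1"
        for i in range(1, 41)
    ]
    rows.append("tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=51515 dport=443 "
                "src=192.0.2.10 dst=203.0.113.5 sport=443 dport=51515 [ASSURED] mark=0 use=1")
    rows.append("udp      17 25 src=203.0.113.5 dst=192.0.2.53 sport=5353 dport=53 "
                "src=192.0.2.53 dst=203.0.113.5 sport=53 dport=5353 mark=0 use=1")
    return rows

if __name__ == "__main__":
    print(half_open_report(constructed_sample(), table_max=64))
```

The constructed rows show entries piling up for a port with nothing listening on it, which is why a clean port scan says little about pressure on the tracking device itself.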
Lupin hit the nail on the head here.
Some time ago my datacenter that I worked at was the victim of a massive SYN flood. The firewalls could stop that without a problem. However, the sheer volume of traffic saturated our OC3 line and the upstream Cisco routers from our bandwidth provider began to collapse.
It was not the type of packet that was the problem, but the volume.
(After that happened my employer took my advice and decided to stop hosting IRC servers at our datacenter).
Would something like this work, provided many windows were opened, and the source connection is better than the destination?
@echo off
set ip=0.0.0.0
set size=65500
set timeout=1
start ping %ip% -l %size% -t
start ping %ip% -l %size% -t
start ping %ip% -l %size% -t
start ping %ip% -l %size% -t
start ping %ip% -l %size% -t
start ping %ip% -l %size% -t
start ping %ip% -l %size% -t
start ping %ip% -l %size% -t
+more
I don't know that pings to 0.0.0.0 will work very well. They don't leave the network card on the Vista box I'm writing this from. The majority of routers wouldn't forward packets addressed to 0.0.0.0 either.
When you say "Would something like this work" do you mean would this cause a DOS attack on a system?
Smurf Attacks or DNS Amplification Attacks. Go look them up.
The above is just a PoD (Ping of Death) which most systems aren't vulnerable to now.
If it should be and it's a pain, just disable ICMP Echo on the target machine.
But as said above, SYN floods no. There are many ways to DoS but I'm not gonna spoonfeed about this topic.
"I realized, that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe
A ping of death needs to exceed the maximum length of an IP packet (65,535 bytes) and it needs to reach the target system to work (so no sending to 0.0.0.0). That command isn't a ping of death, it's really closer to a ping flood, although again, sending to 0.0.0.0 will be a problem.
http://en.wikipedia.org/wiki/Ping_of_death
http://insecure.org/sploits/ping-o-death.html
Well, I meant 0.0.0.0 to signify target IP :P
Yeah, what I'm asking is would something like this be able to affect a router? (Not some big server in a datacenter, but an ISP client.)
Thanks for clearing these things up for me guys, it was very helpful!