SlideShare une entreprise Scribd logo

Protocol T50: Five months later... So what?

Nelson Brito
Nelson Brito

T50 (an Experimental Mixed Packet Injector) new features added to version 5.3 (Chaos Maker). Check the original demonstration videos: - https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx For further source codes, please, refer to: - http://t50.sourceforge.net/

Technologie
1  sur  51
Protocol T50 “Five months later... So what?”
Agenda • 0000 – Once upon a time… • 0100 – Comparison • 0001 – Introduction • 0101 – Demonstration • 0010 – Improvements • 0110 – Conclusions • 0011 – Protocols • 0111 – Questions and Answers
0000 – Once upon a time…
Denial-of-Service
0001 – Introduction
Why Denial-of-Service? • Is there anything more offensive than a • But, what are the real damages? What DoS, anyways? are the real motivations? Image? – Bear in mind: DoS means “Stress Revenge? Financial? Political? Testing” for this presentation. Hacktivism? • DoS tools are necessary weapons in a • DoS attacks are significantly harmful, cyber warfare… because they violate one of the three key concepts of security that are common to risk management… Which one? • Attacks against the infrastructure are more common than many people might – Confidentiality think, and, when they happen, people – Integrity will certainly be aware of. – Availability T50 shows that some sort of performance enhancements, using an ordinary Linux box and programming in user space, can be done.
T50 – The chaos maker • Primarily, the tool was developed to • This new version is focused on internal address my day-by-day needs, and I am infrastructure, allowing people to test the sharing with the community, because I availability of its resources. always need a tool to perform some “Stress Testing” and that could be launched from • Interior Gateway Protocols (Distance Vector my notebook: Algorithm): – I do not want to carry/rent/buy a Smartbits, Avalanche, etc. – Routing Information Protocol (RIP). – Enhanced Interior Gateway Routing Protocol (EIGRP). • The tool was designed to perform “Stress Testing” on a variety of infrastructure network devices (Version 2.45). • Interior Gateway Protocols (Link State Algorithm): – Open Shortest Path First (OSPF). • The tool was re-designed to extend the “Stress Testing” (Version 5.3), covering some regular protocols (ICMP, IGMP, TCP • Quality-of-Service Protocols: and UDP), some infrastructure specific – Resource ReSerVation Protocol (RSVP). protocols (GRE, IPSec and RSVP) and some routing protocols (RIP, EIGRP and • Tunneling/Encapsulation Protocols: OSPF). – Generic Routing Encapsulation (GRE).
T50 – The chaos maker I did not review any third-party codes… I found my own way to address some challenges!!! #define EIGRP_DADDR_LENGTH(foo) (((foo >> 3) & 3) + (foo % 8 ? 1 : 0)) if(o.eigrp.type == EIGRP_TYPE_SOFTWARE || o.eigrp.type == EIGRP_TYPE_MULTICAST) goto eigrp_software; #define EIGRP_DADDR_BUILD(foo, bar) (foo &= htonl(~(0xffffffff >> ((bar >> 3) * 8)))) #define TCPOLEN_PADDING(foo) ((foo & 3) ? 4 - (foo & 3) : 0)
0010 – Improvements Also known as “New Features”
License • Licensed under GNU General Public License version 2: – Any piece of code cannot be integrated into proprietary applications and appliances. – There is an alternative license to do so. • Free software and 100% Open Source: – You may redistribute and/or modify it under the terms of GPL version 2. – Will always be available as an Open Source project to the community. • Recruiting new coders, hackers and developers to keep the project and add new substantial improvements.
Classless Inter-Domain Routing (CIDR) • CIDR specifies an IP address range using a combination of an IP address and its associated network mask: – 192.168.1.13/24 – 192.168.1.13/255.255.255.0 – 172.16.0.128/15 – 172.16.0.128/255.254.0.0 – 10.200.200.1/10 – 10.200.200.1/255.192.0.0 • CIDR for destination address is supported: – Allows to simulate both Distributed Denial-of-Service and Distributed Reflection Denial-of-Service in a controlled environment. – CIDR network mask supported: • Minimum is “/8” (255.0.0.0). • Maximum is“/30” (255.255.255.252).
Classless Inter-Domain Routing (CIDR) unsigned int hostid = 0, counter = 0, rand_addr = 0; in_addr_t netmask = INADDR_ANY, all_bits_on = 0xffffffff, __1st_addr = INADDR_ANY, addresses[16777214] = INADDR_ANY; struct iphdr *ip; netmask = ~(all_bits_on >> bits); hostid = (unsigned int) (pow(2, (32 - bits)) - 2); __1st_addr = (ntohl(address) & netmask) + 1; [...] for(counter = 0 ; counter < hostid ; counter++) addresses[counter] = htonl(__1st_addr++); [...] rand_daddr = (unsigned int) ((float)(hostid) * rand() / (RAND_MAX + 1.0)); ip->daddr = addresses[rand_daddr]; [...]
Classless Inter-Domain Routing (CIDR) 192.168.1.13 /24 192.168.1.13 /255.255.255.0 0xffffffff 11111111.11111111.11111111.11111111 0x000000ff 00000000.00000000.00000000.11111111 0xffffff00 11111111.11111111.11111111.00000000 0xc0a8010d 11000000.10101000.00000001.00001101 & 0xffffff00 11111111.11111111.11111111.00000000 0xc0a80100 11000000.10101000.00000001.00000000 NETWORK HOST (2(32-24))-2 = (28)-2 = 256-2 = 254
Multi-protocol sequential injection • Version 2.45 (as of November 2010): – Support for four protocols: ICMP, IGMPv1, TCP and UDP. – Sends all of them sequentially, i.e., almost on the same time. • Version 5.3 (as of today): – Support for the previous four protocols: ICMP, IGMPv11, TCP1 and UDP. – Eleven (11) new protocols: IGMPv31, EGP2, RIPv1, RIPv2, DCCP1, RSVP1, GRE3, IPSec (AH/ESP), EIGRP1 and OSPF1. – Sends all of them sequentially, i.e., almost on the same time. 1 This protocol can be improved to cover additional advanced options. 2 This protocol demands more development efforts to cover advanced options. 3 Very first tool able to encapsulate the protocols within GRE packets.
Multi-protocol sequential injection socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) exit(EXIT_FAILURE); if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0) exit(EXIT_FAILURE); [...]
Multi-protocol sequential injection struct t50{ int proto; void(*raw)(int, struct options); }; [...] while(flood || threshold--){ [...] if(protocol != IPPROTO_T50){ [...] }else{ for(module = 0 ; module < modules ; module++){ protocol = t50[module].proto; t50[module].raw(fd, options); } threshold -= (modules-1); protocol = IPPROTO_T50; } [...]
Multi-protocol sequential injection
Checksum optimization • The version 5.3 introduced a new technique to calculate the checksum, consequentially, a new technique to build the packet. • This technique is MEMCPY(3)-free, and allows to build the packet byte-by-byte – sometimes bit-by-bit. • This technique is more flexible, specially when playing with exotic protocol options – sometimes uses GOTO. For example: – EIGRP IP Internal Routes TLV destination address. – EIGRP IP External Routes TLV destination address. – OSPF HELLO Message with multiple NEIGHBOR addresses. – RSVP Object SCOPE Class with multiple SCOPE addresses. – Etc…
Checksum optimization unsigned int offset = 0; unsigned char packet[packet_size], * checksum = NULL; struct eigrp_hdr * eigrp; [...] offset = sizeof(struct eigrp_hdr); checksum = (unsigned char *)eigrp + offset; *((unsigned short *)checksum) = htons(length); checksum += sizeof(unsigned short); offset += sizeof(usigned short); *((usigned int *)checksum) = htonl(auth_key_id)); checksum += sizeof(unsigned int); offset += sizeof(usigned int); [...] eigrp->check = cksum((u_int16_t *)eigrp, offset); [...]
Checksum optimization
Checksum optimization packet_size = sizeof(ip) + sizeof(eigrp) + eigrp_hdr_len();
Checksum optimization
Checksum optimization 1st step packet ↓
Checksum optimization 1st step packet ↓
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
Checksum optimization 1st step packet eigrp_hdr_len() ↓ 2nd step packet ↓
packet 1st step ↓ packet 2nd step ↓ Checksum optimization offset
packet 1st step ↓ packet 2nd step ↓ Checksum optimization
Checksum optimization
RFC 1700, 1918 and 3330 improvements [...] switch(ntohl(daddr) & 0xff000000){ case 0x0a000000: /* Allowing 10/8 (RFC 1918). */ break; case 0x7f000000: /* Allowing 127/8 (RFC 1700). */ break; case 0xa9000000: /* Allowing 169.254/16 (RFC 3330). */ if(((ntohl(daddr) & 0xffff0000) != 0xa9fe00000)) return(FALSE); break; case 0xac000000: /* Allowing 172.16/12 (RFC 1918). */ if(((ntohl(daddr) & 0xffff0000) < 0xac100000) || ((ntohl(daddr) & 0xffff0000) > 0xac1f0000)) return(FALSE); break; case 0xc0000000: /* Allowing 192.168/16 (RFC 1918). */ if((ntohl(daddr) & 0xffff0000) != 0xc0a80000) return(FALSE); break; [...]
0011 – Protocols
Protocols IGMPv3 TCP • Specific headers for specific types: • Regular TCP options: – Membership Query. – Source Port and Destination Port, Sequence Number (also known as ISN), Acknowledgment – Membership Report. Number, Data Offset, Window, Urgent Pointer and TCP Flags (FIN, SYN, RST, PSH, ACK, URG, ECE and CWR). • Membership Query options: – Max Resp code. • Supported TCP Options: – Group Address. – End of List (EOL), No Operation (NOP), – Suppress Router-processing Flag. Maximum Segment Size (MSS), Windows Scale – Querier’s Robustness Variable (QRV). (WSopt), Timestamp (TSopt), T/TCP Connection Count (CC, CC.NEW and CC.ECHO), Selective – Querier’s Query Interval Code (QQIC). Acknowledgement (SACK), MD5 Signature – Number of Sources. Option and the brand new TCP-AO – Source Address(es). (Authentication Option – RFC 5925). • Membership Report options: • TCP Authentication Option (as of June 2010): – Type (HMAC-MD5). – Group Record Type. – Key ID. – Group Record Multicast Address. – Next Key ID. – Number of Sources. – Authentication Data (RANDOM). – Source Address(es).
Protocols RIP DCCP • Regular RIPv1 and RIPv2 options: • Specific headers for specific types: – Command. – Request Packets – Address Family Identifier. – Response Packet. – Router IP Address. – Data Packets – Router Metric. – Acknowledgment Packet, Data-Ack Packet, Synchronize Packet, Sync-Ack Packet, Close Packet and Close Request Packet. • Enhanced RIPv2 options: – Reset Packet. – Routing Domain. – Route Tag. – Router Network Mask. • Regular DCCP options: – Router Next Hop. – Source Port and Destination Port. – Data Offset. – HC-Sender CCID (CCVal). • RIPv2 Cryptographic Authentication: – Checksum Coverage (CsCov). – Type (HMAC-MD5). – Extended Sequence Numbers (x). – Key ID. – Sequence Numbers (HIGH and LOW). – Cryptographic Sequence Number. – Acknowledgment Numbers (HIGH and LOW). – Authentication Data (RANDOM). – Service Code. – Reset Code.
Exotic protocols • Regular RSVP options: – Flags and Time to Live. RSVP • Supported RSVP types: • SESSION Class options: – Path Message. – Destination address, Protocol ID, Flags and – Resv Message. Destination Port. – Path Teardown Message. – Resv Teardown Message. • RSVP_HOP Class options: – Path Error Message. – IP Next/Previous Hop (Neighbor) Address and – Resv Error Messages Logical Interface Handle. – Confirmation Message. • TIME_VALUES Class options: • Specific RSVP Objects for specific RSVP type: – Refresh Period (Interval). – SESSION Class. – RSVP_HOP Class. • ERROR_SPEC Class options: – TIME_VALUES Class. – IP Error Node Address, Flags, Error Code and – ERROR_SPEC Class. Error Value. – SCOPE Class. – STYLE Class. • SCOPE Class options: – SENDER_TEMPLATE Class. – Number of Address and IP Source Address(es). – SENDER_TSPEC Class. – ADSPEC Class. – RESV_CONFIRM Class. • Etc… Up to 37 command line interface switches.
Exotic protocols • Regular EIGRP options: EIGRP – Opcode, Flags, Sequence Number, Acknowledgment Number, Autonomous System (AS) , Type and Length. • Supported EIGRP opcodes: – Update Message. – Request Message. • General Parameter TLV options: – Query Message. – K1, K2, K3, K4 and K5 Values and Hold Time – Reply Message. (Interval). – Hello Message. – Acknowledgment Message. • Software Version TLV options: – IOS Release Version and EIGRP Protocol • Specific EIGRP TLVs for specific EIGRP types: Release Version. – General Parameter TLV. – Software Version TLV. – Sequence TLV. • IP Internal Routes TLV and IP External Routes – Next Multicast Sequence TLV. TLV options: – IP Internal Routes TLV. – IP Next Hop Address, Delay, Bandwidth, – IP External Routes TLV. Maximum Transmission Unit (MTU), Hop Count, Load, Reliability, IP Source Address(es) and IP Address Prefix (CIDR). • EIGRP Cryptographic Authentication: – Type (HMAC-MD5). – Key-ID. • Etc… Up to 33 command line interface – Authentication Data (RANDOM). switches.
Exotic protocols • OSPF Cryptographic Authentication: OSPF – – Type (HMAC-MD5). Key ID. • Supported OSPF type: – Cryptographic Sequence Number. – Hello Packet. – Authentication Data (RANDOM). – Database Description Packet. – Query Message Packet. • Specific LLS Data Block for specific LLS TLV: – Link State Request Packet. – Extended Options and Flags TLV. – Link State Update Packet. – Cryptographic Authentication TLV. – Link State Acknowledgment Packet. • Regular OSPF options: • Specific LSA Header for specific LSA type: – Type, Router ID, Area ID and Options (Multi- – Router LSA Header. Topology or TOS-Based, External Routing – Network LSA Header. Capability, Multicast Capable, NSSA Supported, – Summary IP Network LSA Header. LLS Data Block in Contained, Demand Circuits is – Summary ASBR Header. Supported, Opaque-LSA and Down Bit). – AS External LSA Header. (ASBR). – No-so-Stubby Area LSA Header (NSSA). • Etc… Up to 54 command line interface – Group Membership LSA Header (Multicast). switches.
0100 – Comparison
Methodology
0101 – Demonstration
T50: an Experimental Mixed Packet Injector Dell Latitude E6400 Dell Latitude D620 • Intel® Core™ 2 Duo P8400 (2.26 GHz) • Intel® Core™ Duo T5600 (1.83 GHz) • Memory 4GB RAM • Memory 2GB RAM • Ubuntu Desktop Linux 10.04 64-bit • Microsoft Windows 7 32-bit • Intel® 82567LM Gigabit Controller • Broadcom NetXtreme 57xx Gigabit Controller • 1 Gbps Network • 1 Gbps Network • Cross-over Cable (CAT-5e) • Cross-over Cable (CAT-5e) Video http://fnstenv.blogspot.com/ Code
0110 – Conclusions
Conclusions • Can be applied to any DoS: • Can be considered a cyber warfare’s – Peer-to-Peer Attacks weapon? – Application Level Attacks – Yes, it can be considered like one. – Distributed Attacks – Reflected Attacks • It is just a matter of time to things get – Level-2 Attacks worse on the Internet. – Degradation-of-Service Attacks – DNS Amplifiers Attacks • A DoS can be perpetrated overnight! • Is DoS and DDoS so 1990’s? • What else? – Please, don’t be silly, again!!! An attacker does not even need multiples zombies.
0111 – Questions & Answers
Any questions?
Protocol T50: Five months later... So what?

Recommandé

[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...Nelson Brito
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session iMalachi Jones
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 

Recommandé

[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...The hangover: A "modern" (?) high performance approach to build an offensive ...
The hangover: A "modern" (?) high performance approach to build an offensive ...Nelson Brito
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!Nelson Brito
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session iMalachi Jones
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...yaevents
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
David-FPGA
David-FPGADavid-FPGA
David-FPGAguest66dc5f
 
Tools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidTools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidIntel® Software
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyInsight Technology, Inc.
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Nelson Brito
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 

Contenu connexe

Tendances

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryptionMizi Mohamad
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threadsShuo Chen
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...yaevents
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Tools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidTools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidIntel® Software
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 

Tendances (20)

john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and Security
 
Slide cipher based encryption
Slide cipher based encryptionSlide cipher based encryption
Slide cipher based encryption
 
Where destructors meet threads
Where destructors meet threadsWhere destructors meet threads
Where destructors meet threads
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developers
 
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...
Как мы охотимся на гонки (data races) или «найди багу до того, как она нашла ...
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
David-FPGA
David-FPGADavid-FPGA
David-FPGA
 
Tools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidTools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in Android
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 

En vedette

Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Nelson Brito
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesMarcelo Martins
 
Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityAshish Malik
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Marcelo Martins
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterStefan Esser
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Nelson Brito
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Project Student
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Nelson Brito
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)Nelson Brito
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented ProgrammingNelson Brito
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyNelson Brito
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Project Student
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practicesProject Student
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / TranslatorsProject Student
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Project Student
 

En vedette (20)

Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!Permutation Oriented Programming: (Re)searching for alternatives!
Permutation Oriented Programming: (Re)searching for alternatives!
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e Vulnerabilidades
 
Microsoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow VulnerabilityMicrosoft GDI+ JPEG Integer Underflow Vulnerability
Microsoft GDI+ JPEG Integer Underflow Vulnerability
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-InterpreterSyScan Singapore 2010 - Returning Into The PHP-Interpreter
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!
 
Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)Hexadecimal (Calculations and Explanations)
Hexadecimal (Calculations and Explanations)
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
 
Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented Programming
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The Philosophy
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)Workforce Planning (Process, Labour Shortage, Excess Labour)
Workforce Planning (Process, Labour Shortage, Excess Labour)
 
Changes in working practices
Changes in working practicesChanges in working practices
Changes in working practices
 
Programming Languages / Translators
Programming Languages / TranslatorsProgramming Languages / Translators
Programming Languages / Translators
 
FormacaoCrypto
FormacaoCryptoFormacaoCrypto
FormacaoCrypto
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
The Caesar Cipher
The Caesar Cipher The Caesar Cipher
The Caesar Cipher
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 

Similaire à Protocol T50: Five months later... So what?

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Puppet
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Joel W. King
 
How to Connect SystemVerilog with Octave
How to Connect SystemVerilog with OctaveHow to Connect SystemVerilog with Octave
How to Connect SystemVerilog with OctaveAmiq Consulting
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...aaajjj4
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Itzik Kotler
 
TestowanieIoT2016
TestowanieIoT2016TestowanieIoT2016
TestowanieIoT2016kraqa
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Yongyoon Shin
 
Week1 Electronic System-level ESL Design and SystemC Begin
Week1 Electronic System-level ESL Design and SystemC BeginWeek1 Electronic System-level ESL Design and SystemC Begin
Week1 Electronic System-level ESL Design and SystemC Begin敬倫 林
 
JVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixJVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixCodemotion Tel Aviv
 

Similaire à Protocol T50: Five months later... So what? (20)

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
 
Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
 
How to Connect SystemVerilog with Octave
How to Connect SystemVerilog with OctaveHow to Connect SystemVerilog with Octave
How to Connect SystemVerilog with Octave
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)
 
TestowanieIoT2016
TestowanieIoT2016TestowanieIoT2016
TestowanieIoT2016
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
 
Week1 Electronic System-level ESL Design and SystemC Begin
Week1 Electronic System-level ESL Design and SystemC BeginWeek1 Electronic System-level ESL Design and SystemC Begin
Week1 Electronic System-level ESL Design and SystemC Begin
 
Rsockets ofa12
Rsockets ofa12Rsockets ofa12
Rsockets ofa12
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
JVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixJVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, Wix
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 

Plus de Nelson Brito

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerNelson Brito
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support SlidesNelson Brito
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)Nelson Brito
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?Nelson Brito
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Nelson Brito
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryNelson Brito
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seNelson Brito
 

Plus de Nelson Brito (8)

Próximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB ScannerPróximo passo evolutivo de um DB Scanner
Próximo passo evolutivo de um DB Scanner
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Inception: Support Slides
Inception: Support SlidesInception: Support Slides
Inception: Support Slides
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
 
Keynote: Where is my identity?
Keynote: Where is my identity?Keynote: Where is my identity?
Keynote: Where is my identity?
 
Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"Worms 2.0: Evolution — From SyFy to "You Die"
Worms 2.0: Evolution — From SyFy to "You Die"
 
Inception: A reverse-engineer horror History
Inception: A reverse-engineer horror HistoryInception: A reverse-engineer horror History
Inception: A reverse-engineer horror History
 
Worms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-seWorms: Conheça o inimigo e defenda-se
Worms: Conheça o inimigo e defenda-se
 

Dernier

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Dernier (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Protocol T50: Five months later... So what?

  • 1. Protocol T50 “Five months later... So what?”
  • 2. Agenda • 0000 – Once upon a time… • 0100 – Comparison • 0001 – Introduction • 0101 – Demonstration • 0010 – Improvements • 0110 – Conclusions • 0011 – Protocols • 0111 – Questions and Answers
  • 3. 0000 – Once upon a time…
  • 6. Why Denial-of-Service? • Is there anything more offensive than a • But, what are the real damages? What DoS, anyways? are the real motivations? Image? – Bear in mind: DoS means “Stress Revenge? Financial? Political? Testing” for this presentation. Hacktivism? • DoS tools are necessary weapons in a • DoS attacks are significantly harmful, cyber warfare… because they violate one of the three key concepts of security that are common to risk management… Which one? • Attacks against the infrastructure are more common than many people might – Confidentiality think, and, when they happen, people – Integrity will certainly be aware of. – Availability T50 shows that some sort of performance enhancements, using an ordinary Linux box and programming in user space, can be done.
  • 7. T50 – The chaos maker • Primarily, the tool was developed to • This new version is focused on internal address my day-by-day needs, and I am infrastructure, allowing people to test the sharing with the community, because I availability of its resources. always need a tool to perform some “Stress Testing” and that could be launched from • Interior Gateway Protocols (Distance Vector my notebook: Algorithm): – I do not want to carry/rent/buy a Smartbits, Avalanche, etc. – Routing Information Protocol (RIP). – Enhanced Interior Gateway Routing Protocol (EIGRP). • The tool was designed to perform “Stress Testing” on a variety of infrastructure network devices (Version 2.45). • Interior Gateway Protocols (Link State Algorithm): – Open Shortest Path First (OSPF). • The tool was re-designed to extend the “Stress Testing” (Version 5.3), covering some regular protocols (ICMP, IGMP, TCP • Quality-of-Service Protocols: and UDP), some infrastructure specific – Resource ReSerVation Protocol (RSVP). protocols (GRE, IPSec and RSVP) and some routing protocols (RIP, EIGRP and • Tunneling/Encapsulation Protocols: OSPF). – Generic Routing Encapsulation (GRE).
  • 8. T50 – The chaos maker I did not review any third-party codes… I found my own way to address some challenges!!! #define EIGRP_DADDR_LENGTH(foo) (((foo >> 3) & 3) + (foo % 8 ? 1 : 0)) if(o.eigrp.type == EIGRP_TYPE_SOFTWARE || o.eigrp.type == EIGRP_TYPE_MULTICAST) goto eigrp_software; #define EIGRP_DADDR_BUILD(foo, bar) (foo &= htonl(~(0xffffffff >> ((bar >> 3) * 8)))) #define TCPOLEN_PADDING(foo) ((foo & 3) ? 4 - (foo & 3) : 0)
  • 9. 0010 – Improvements Also known as “New Features”
  • 10. License • Licensed under GNU General Public License version 2: – Any piece of code cannot be integrated into proprietary applications and appliances. – There is an alternative license to do so. • Free software and 100% Open Source: – You may redistribute and/or modify it under the terms of GPL version 2. – Will always be available as an Open Source project to the community. • Recruiting new coders, hackers and developers to keep the project and add new substantial improvements.
  • 11. Classless Inter-Domain Routing (CIDR) • CIDR specifies an IP address range using a combination of an IP address and its associated network mask: – 192.168.1.13/24 – 192.168.1.13/255.255.255.0 – 172.16.0.128/15 – 172.16.0.128/255.254.0.0 – 10.200.200.1/10 – 10.200.200.1/255.192.0.0 • CIDR for destination address is supported: – Allows to simulate both Distributed Denial-of-Service and Distributed Reflection Denial-of-Service in a controlled environment. – CIDR network mask supported: • Minimum is “/8” (255.0.0.0). • Maximum is“/30” (255.255.255.252).
  • 12. Classless Inter-Domain Routing (CIDR) unsigned int hostid = 0, counter = 0, rand_addr = 0; in_addr_t netmask = INADDR_ANY, all_bits_on = 0xffffffff, __1st_addr = INADDR_ANY, addresses[16777214] = INADDR_ANY; struct iphdr *ip; netmask = ~(all_bits_on >> bits); hostid = (unsigned int) (pow(2, (32 - bits)) - 2); __1st_addr = (ntohl(address) & netmask) + 1; [...] for(counter = 0 ; counter < hostid ; counter++) addresses[counter] = htonl(__1st_addr++); [...] rand_daddr = (unsigned int) ((float)(hostid) * rand() / (RAND_MAX + 1.0)); ip->daddr = addresses[rand_daddr]; [...]
  • 13. Classless Inter-Domain Routing (CIDR) 192.168.1.13 /24 192.168.1.13 /255.255.255.0 0xffffffff 11111111.11111111.11111111.11111111 0x000000ff 00000000.00000000.00000000.11111111 0xffffff00 11111111.11111111.11111111.00000000 0xc0a8010d 11000000.10101000.00000001.00001101 & 0xffffff00 11111111.11111111.11111111.00000000 0xc0a80100 11000000.10101000.00000001.00000000 NETWORK HOST (2(32-24))-2 = (28)-2 = 256-2 = 254
  • 14. Multi-protocol sequential injection • Version 2.45 (as of November 2010): – Support for four protocols: ICMP, IGMPv1, TCP and UDP. – Sends all of them sequentially, i.e., almost on the same time. • Version 5.3 (as of today): – Support for the previous four protocols: ICMP, IGMPv11, TCP1 and UDP. – Eleven (11) new protocols: IGMPv31, EGP2, RIPv1, RIPv2, DCCP1, RSVP1, GRE3, IPSec (AH/ESP), EIGRP1 and OSPF1. – Sends all of them sequentially, i.e., almost on the same time. 1 This protocol can be improved to cover additional advanced options. 2 This protocol demands more development efforts to cover advanced options. 3 Very first tool able to encapsulate the protocols within GRE packets.
  • 15. Multi-protocol sequential injection socket_t fd; int flags, n = 1, len, * nptr = &n; fd_set wfds; [...] if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) exit(EXIT_FAILURE); if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, nptr, sizeof(n)) < 0) exit(EXIT_FAILURE); [...]
  • 16. Multi-protocol sequential injection struct t50{ int proto; void(*raw)(int, struct options); }; [...] while(flood || threshold--){ [...] if(protocol != IPPROTO_T50){ [...] }else{ for(module = 0 ; module < modules ; module++){ protocol = t50[module].proto; t50[module].raw(fd, options); } threshold -= (modules-1); protocol = IPPROTO_T50; } [...]
  • 18. Checksum optimization • The version 5.3 introduced a new technique to calculate the checksum, consequentially, a new technique to build the packet. • This technique is MEMCPY(3)-free, and allows to build the packet byte-by-byte – sometimes bit-by-bit. • This technique is more flexible, specially when playing with exotic protocol options – sometimes uses GOTO. For example: – EIGRP IP Internal Routes TLV destination address. – EIGRP IP External Routes TLV destination address. – OSPF HELLO Message with multiple NEIGHBOR addresses. – RSVP Object SCOPE Class with multiple SCOPE addresses. – Etc…
  • 19. Checksum optimization unsigned int offset = 0; unsigned char packet[packet_size], * checksum = NULL; struct eigrp_hdr * eigrp; [...] offset = sizeof(struct eigrp_hdr); checksum = (unsigned char *)eigrp + offset; *((unsigned short *)checksum) = htons(length); checksum += sizeof(unsigned short); offset += sizeof(usigned short); *((usigned int *)checksum) = htonl(auth_key_id)); checksum += sizeof(unsigned int); offset += sizeof(usigned int); [...] eigrp->check = cksum((u_int16_t *)eigrp, offset); [...]
  • 21. Checksum optimization packet_size = sizeof(ip) + sizeof(eigrp) + eigrp_hdr_len();
  • 25. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 26. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 27. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 28. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 29. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 30. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 31. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 32. Checksum optimization 1st step packet eigrp_hdr_len() ↓ 2nd step packet ↓
  • 33. packet 1st step ↓ packet 2nd step ↓ Checksum optimization offset
  • 34. packet 1st step ↓ packet 2nd step ↓ Checksum optimization
  • 36. RFC 1700, 1918 and 3330 improvements [...] switch(ntohl(daddr) & 0xff000000){ case 0x0a000000: /* Allowing 10/8 (RFC 1918). */ break; case 0x7f000000: /* Allowing 127/8 (RFC 1700). */ break; case 0xa9000000: /* Allowing 169.254/16 (RFC 3330). */ if(((ntohl(daddr) & 0xffff0000) != 0xa9fe00000)) return(FALSE); break; case 0xac000000: /* Allowing 172.16/12 (RFC 1918). */ if(((ntohl(daddr) & 0xffff0000) < 0xac100000) || ((ntohl(daddr) & 0xffff0000) > 0xac1f0000)) return(FALSE); break; case 0xc0000000: /* Allowing 192.168/16 (RFC 1918). */ if((ntohl(daddr) & 0xffff0000) != 0xc0a80000) return(FALSE); break; [...]
  • 38. Protocols IGMPv3 TCP • Specific headers for specific types: • Regular TCP options: – Membership Query. – Source Port and Destination Port, Sequence Number (also known as ISN), Acknowledgment – Membership Report. Number, Data Offset, Window, Urgent Pointer and TCP Flags (FIN, SYN, RST, PSH, ACK, URG, ECE and CWR). • Membership Query options: – Max Resp code. • Supported TCP Options: – Group Address. – End of List (EOL), No Operation (NOP), – Suppress Router-processing Flag. Maximum Segment Size (MSS), Windows Scale – Querier’s Robustness Variable (QRV). (WSopt), Timestamp (TSopt), T/TCP Connection Count (CC, CC.NEW and CC.ECHO), Selective – Querier’s Query Interval Code (QQIC). Acknowledgement (SACK), MD5 Signature – Number of Sources. Option and the brand new TCP-AO – Source Address(es). (Authentication Option – RFC 5925). • Membership Report options: • TCP Authentication Option (as of June 2010): – Type (HMAC-MD5). – Group Record Type. – Key ID. – Group Record Multicast Address. – Next Key ID. – Number of Sources. – Authentication Data (RANDOM). – Source Address(es).
  • 39. Protocols RIP DCCP • Regular RIPv1 and RIPv2 options: • Specific headers for specific types: – Command. – Request Packets – Address Family Identifier. – Response Packet. – Router IP Address. – Data Packets – Router Metric. – Acknowledgment Packet, Data-Ack Packet, Synchronize Packet, Sync-Ack Packet, Close Packet and Close Request Packet. • Enhanced RIPv2 options: – Reset Packet. – Routing Domain. – Route Tag. – Router Network Mask. • Regular DCCP options: – Router Next Hop. – Source Port and Destination Port. – Data Offset. – HC-Sender CCID (CCVal). • RIPv2 Cryptographic Authentication: – Checksum Coverage (CsCov). – Type (HMAC-MD5). – Extended Sequence Numbers (x). – Key ID. – Sequence Numbers (HIGH and LOW). – Cryptographic Sequence Number. – Acknowledgment Numbers (HIGH and LOW). – Authentication Data (RANDOM). – Service Code. – Reset Code.
  • 40. Exotic protocols • Regular RSVP options: – Flags and Time to Live. RSVP • Supported RSVP types: • SESSION Class options: – Path Message. – Destination address, Protocol ID, Flags and – Resv Message. Destination Port. – Path Teardown Message. – Resv Teardown Message. • RSVP_HOP Class options: – Path Error Message. – IP Next/Previous Hop (Neighbor) Address and – Resv Error Messages Logical Interface Handle. – Confirmation Message. • TIME_VALUES Class options: • Specific RSVP Objects for specific RSVP type: – Refresh Period (Interval). – SESSION Class. – RSVP_HOP Class. • ERROR_SPEC Class options: – TIME_VALUES Class. – IP Error Node Address, Flags, Error Code and – ERROR_SPEC Class. Error Value. – SCOPE Class. – STYLE Class. • SCOPE Class options: – SENDER_TEMPLATE Class. – Number of Address and IP Source Address(es). – SENDER_TSPEC Class. – ADSPEC Class. – RESV_CONFIRM Class. • Etc… Up to 37 command line interface switches.
  • 41. Exotic protocols • Regular EIGRP options: EIGRP – Opcode, Flags, Sequence Number, Acknowledgment Number, Autonomous System (AS) , Type and Length. • Supported EIGRP opcodes: – Update Message. – Request Message. • General Parameter TLV options: – Query Message. – K1, K2, K3, K4 and K5 Values and Hold Time – Reply Message. (Interval). – Hello Message. – Acknowledgment Message. • Software Version TLV options: – IOS Release Version and EIGRP Protocol • Specific EIGRP TLVs for specific EIGRP types: Release Version. – General Parameter TLV. – Software Version TLV. – Sequence TLV. • IP Internal Routes TLV and IP External Routes – Next Multicast Sequence TLV. TLV options: – IP Internal Routes TLV. – IP Next Hop Address, Delay, Bandwidth, – IP External Routes TLV. Maximum Transmission Unit (MTU), Hop Count, Load, Reliability, IP Source Address(es) and IP Address Prefix (CIDR). • EIGRP Cryptographic Authentication: – Type (HMAC-MD5). – Key-ID. • Etc… Up to 33 command line interface – Authentication Data (RANDOM). switches.
  • 42. Exotic protocols • OSPF Cryptographic Authentication: OSPF – – Type (HMAC-MD5). Key ID. • Supported OSPF type: – Cryptographic Sequence Number. – Hello Packet. – Authentication Data (RANDOM). – Database Description Packet. – Query Message Packet. • Specific LLS Data Block for specific LLS TLV: – Link State Request Packet. – Extended Options and Flags TLV. – Link State Update Packet. – Cryptographic Authentication TLV. – Link State Acknowledgment Packet. • Regular OSPF options: • Specific LSA Header for specific LSA type: – Type, Router ID, Area ID and Options (Multi- – Router LSA Header. Topology or TOS-Based, External Routing – Network LSA Header. Capability, Multicast Capable, NSSA Supported, – Summary IP Network LSA Header. LLS Data Block in Contained, Demand Circuits is – Summary ASBR Header. Supported, Opaque-LSA and Down Bit). – AS External LSA Header. (ASBR). – No-so-Stubby Area LSA Header (NSSA). • Etc… Up to 54 command line interface – Group Membership LSA Header (Multicast). switches.
  • 46. T50: an Experimental Mixed Packet Injector Dell Latitude E6400 Dell Latitude D620 • Intel® Core™ 2 Duo P8400 (2.26 GHz) • Intel® Core™ Duo T5600 (1.83 GHz) • Memory 4GB RAM • Memory 2GB RAM • Ubuntu Desktop Linux 10.04 64-bit • Microsoft Windows 7 32-bit • Intel® 82567LM Gigabit Controller • Broadcom NetXtreme 57xx Gigabit Controller • 1 Gbps Network • 1 Gbps Network • Cross-over Cable (CAT-5e) • Cross-over Cable (CAT-5e) Video http://fnstenv.blogspot.com/ Code
  • 48. Conclusions • Can be applied to any DoS: • Can be considered a cyber warfare’s – Peer-to-Peer Attacks weapon? – Application Level Attacks – Yes, it can be considered like one. – Distributed Attacks – Reflected Attacks • It is just a matter of time to things get – Level-2 Attacks worse on the Internet. – Degradation-of-Service Attacks – DNS Amplifiers Attacks • A DoS can be perpetrated overnight! • Is DoS and DDoS so 1990’s? • What else? – Please, don’t be silly, again!!! An attacker does not even need multiples zombies.
  • 49. 0111 – Questions & Answers