windows98.pingflood.txt

`Date: Wed, 17 Feb 1999 03:17:26 -0300  
From: Fabio Bastiglia Oliva <[email protected]>  
To: [email protected]  
Subject: Pingflood attack against Windows98  
  
rewt wrote:  
>  
> Try pinging the windows box with large amounts of icmp...I left 5  
> screened pings, each set to 65000 size...Windows will freeze shortly  
> after its loaded. You might also try to ping with -f.  
>  
  
Hey...  
I made what you suggested, and it's true... But in my case the  
results were a little worse than yours...  
Windows 98 *REBOOTED* after a ping -f 65000... and wasn't need  
to make several screen boxes... With only one ping -f 65000 the system  
rebooted.  
  
Best Regards  
-------------------------------  
Fabio Bastiglia Oliva - Director  
[email protected]  
  
Safe Networks Informatica LTDA.  
http://www.safenetworks.com  
  
----------------------------------------------------------------------  
  
Date: Thu, 18 Feb 1999 13:32:00 -0500  
From: Mark A. Heilpern <[email protected]>  
To: [email protected]  
Subject: Re: Pingflood attack against Windows98  
  
At 03:17 AM 2/17/99 -0300, you wrote:  
>rewt wrote:  
>>  
>> Try pinging the windows box with large amounts of icmp...I left 5  
>> screened pings, each set to 65000 size...Windows will freeze shortly  
>> after its loaded. You might also try to ping with -f.  
>>  
>  
>Hey...  
> I made what you suggested, and it's true... But in my case the  
>results were a little worse than yours...  
> Windows 98 *REBOOTED* after a ping -f 65000... and wasn't need  
>to make several screen boxes... With only one ping -f 65000 the system  
>rebooted.  
  
I issued "ping -f -s 65000 my-win98-address" and after a single return, win98  
locked up cold. I was ssh'd from win98 to linux to issue the ping, so I might  
have had more returns than timing allowed to be displayed before I locked  
up.  
  
----------------------------------------------------------------------  
  
Date: Thu, 18 Feb 1999 21:44:24 -0300  
From: Fabio Bastiglia Oliva <[email protected]>  
To: [email protected]  
Subject: Re: Pingflood attack against Windows98  
  
Hello all,  
  
As I said before, forgive me, because my english is not so good!  
I'll make a "Multi-reply" in this email... It's easier ;)  
Thanks for all the replies!  
  
------------------------------------------------------------------------  
------------------------------------------------------------------------  
James <[email protected]> wrote:  
>  
> This on a LAN or Internet or both?  
>  
> I made this test in my LAN.  
  
-LAN Speed: 10Mbits.  
-NICs (Network Interface Card): 3Com905btx, Genius, Encore & Realtek.  
-Hubs: 3Com Super Stack II.  
-Windows98 Versions: 4.10.1998 (Portuguese and English versions)  
  
------------------------------------------------------------------------  
------------------------------------------------------------------------  
Laurent LEVIER <[email protected]> wrote:  
>  
> I tried with the French version of Windows 98.  
>  
> when I run ping -l 65000 -f IPaddr.  
>  
> ping refuses. Of course ping -f 65000 is not accepted too.  
>  
> Strange the ping command changes between US & FR version.  
>  
  
Sorry, I made a mistake when sent the email to Bugtraq. The  
correct command (From Linux Slackware 3.6 Kernel 2.0.36) line is:  
  
ping -f -s 65000 IPaddr  
  
------------------------------------------------------------------------  
------------------------------------------------------------------------  
Quantum <[email protected]> wrote:  
>  
> I just tried it & had no success at my Win98 dos prompt,  
>  
  
Try from a linux... I got these results flooding from a  
Linux Slackware 3.6 Kernel 2.0.36...  
  
------------------------------------------------------------------------  
------------------------------------------------------------------------  
Tom Van Riper <[email protected]>  
>  
> yeah no kidding, the world has known a dialup connection weither it be  
> windows or a unix type operating system, that a small amount of icmp  
> packets will kill the connection for years, thats old stuff.  
> try synfluding on ports 0-65535 for some real fun ;)  
  
Hehe... But a synflood just made the LAN Communication slower,  
and didn't affected Windows 98 than pingflood affected!  
  
Tom Van Riper  
Dreamscape Online  
  
------------------------------------------------------------------------  
  
Best Regards  
-------------------------------  
Fabio Bastiglia Oliva - Diretor  
[email protected]  
  
Safe Networks Informatica LTDA.  
http://www.safenetworks.com  
  
----------------------------------------------------------------------  
  
Date: Fri, 19 Feb 1999 01:16:44 -0300  
From: Fabio Bastiglia Oliva <[email protected]>  
To: [email protected]  
Subject: Pingflood attack against Windows98 - The Test  
  
Hello all,  
  
This is what is happening when I ping flood a Windows98 from a  
Linux Slackware 3.6 (Kernel 2.0.36).  
  
  
-Before the attack-  
  
linux:~# ping 192.168.1.4  
PING 192.168.1.4 (192.168.1.4): 56 data bytes  
64 bytes from 192.168.1.4: icmp_seq=0 ttl=128 time=0.5 ms  
64 bytes from 192.168.1.4: icmp_seq=1 ttl=128 time=0.5 ms  
  
--- 192.168.1.4 ping statistics ---  
2 packets transmitted, 2 packets received, 0% packet loss  
round-trip min/avg/max = 0.5/0.5/0.5 ms  
  
  
-The Attack-  
  
linux:~# ping -f -s 65000 192.168.1.4  
PING 192.168.1.3 (192.168.1.4): 65000 data bytes  
.......................................................................  
...................................................../*After lots of  
little dots... Windows98 Rebooted*/...<CTRL+C>  
  
--- 192.168.1.4 ping statistics ---  
11440 packets transmitted, 228 packets received, 98% packet loss  
round-trip min/avg/max = 0.6/32.0/64.2 ms  
  
  
-After the attack-  
  
linux:~# ping 192.168.1.4  
PING 192.168.1.4 (192.168.1.4): 56 data bytes  
  
--- 192.168.1.4 ping statistics ---  
4 packets transmitted, 0 packets received, 100% packet loss  
  
---  
  
It's what's happening here... Anyone of you got the same  
results?  
  
Best Regards  
--------------------------------  
Fabio Bastiglia Oliva - Director  
[email protected]  
  
Safe Networks Informatica LTDA.  
http://www.safenetworks.com  
  
----------------------------------------------------------------------  
  
Date: Thu, 11 Feb 1999 03:43:10 +0100  
From: Michal Zalewski <[email protected]>  
To: [email protected]  
Subject: Re: Pingflood attack against Windows98  
  
Sorry, but I'm afraid this thread is a little bit out-of-date. Pingflood  
against Windows 95/98 is a well-known shool DoS. ping -s -f or ping -s -l  
over local networks seems to cause Windows to lock-on permanently (or  
temporarily, depending on weather), or even reboot. Is there anything more  
to talk about?:>  
  
_______________________________________________________________________  
Michal Zalewski [[email protected]] [ENSI / marchew] [dione.ids.pl SYSADM]  
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
  
----------------------------------------------------------------------  
  
Date: Mon, 22 Feb 1999 04:04:44 -0300  
From: Fabio Bastiglia Oliva <[email protected]>  
To: [email protected]  
Subject: Re: Pingflood attack against Windows98  
  
Michal Zalewski wrote:  
>  
> Sorry, but I'm afraid this thread is a little bit out-of-date.  
> Pingflood against Windows 95/98 is a well-known shool DoS. ping -s -f  
> or ping -s -l over local networks seems to cause Windows to lock-on  
> permanently (or temporarily, depending on weather), or even reboot.  
> Is there anything more to talk about?:>  
>  
  
Dear Mr. Zalewski,  
  
Since Microsoft's announced that Windows 95 DoSs were corrected  
in Windows 98, and we found this bug AGAIN... I think that this thread  
IS NOT out-of-date.  
  
Best Regards  
--------------------------------  
Fabio Bastiglia Oliva - Director  
[email protected]  
  
Safe Networks Informatica LTDA.  
http://www.safenetworks.com  
  
`