IPX storm

Type securityvulns
Reporter Securityvulns
Modified 2000-06-03T00:00:00



The IPX protocol has something called IPX ping. Sending a packet to socket 0x456 on anything supporting IPX causes a response to be sent back. If you send a packet with source and destination addresses set to the Ethernet broadcast address and source and destination sockets set to 0x456, everything supporting IPX sends a reply to the broadcast address (and after that they start talking to each other). The storm ends when all IPX stacks die off (it can last from a few minutes on a small network up to probably half an hour on a large network). You can also set the source and destination networks to have a broadcast storm between them (probably a killer on large corporate WANs :) - but remember to set the destination address to the router of the destination network.

This is really an old-school DoS (kind of like sending UDP packets with the source=destination=IP broadcast address and setting the ports to echo or chargen), only applied to IPX, so it should have been fixed by now.

I've attached some code I used to test this under Linux (it can only spoof 802.2 and 802.3 packets, add other types if you wish). It's best to set all addresses to broadcast and IPX networks to 0 (local IPX network) for starters and fire off tcpdump to see the fun begin.

I don't know about the platforms affected - Windows 9x seems to be vulnerable, NT doesn't, probably DOS clients running netx or vlm should be affected as well (not tested). If you find another vulnerable platform I would like to know.

Please use the attached program at your own risk, and don't hold me or my employer (Andra Sp. z o.o.) liable for any damages.

Jacek Lipkowski

PS. I know nothing about IPX over IP in the new NetWare, so someone please check if this can be used this way?

PS2. The program is badly written -- I'm aware of that :)

Andra Network Integrator ul. Wynalazek 6 02-677 Warsaw Poland mailto: office@andra.com.pl
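
For anyone watching a segment with tcpdump as suggested above, the following is an added detection sketch (not part of the original post and not the attached program) that flags the frame pattern the advisory describes. It assumes the standard 30-byte IPX header layout and handles only the 802.3 and 802.2 framings the post mentions; all function names are hypothetical and the sample frames are constructed, not captured.

```python
import struct

BROADCAST = b"\xff" * 6
PING_SOCKET = 0x456  # IPX ping socket named in the advisory

def ipx_header(frame):
    """Return the 30-byte IPX header of an 802.3 or 802.2 frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] > 1500:
        return None  # truncated, or Ethernet II (not handled in this sketch)
    payload = frame[14:]
    if payload[:3] == b"\xe0\xe0\x03":    # 802.2 LLC with the Novell SAP
        payload = payload[3:]
    elif payload[:2] != b"\xff\xff":      # raw 802.3 starts with checksum 0xFFFF
        return None
    return payload[:30] if len(payload) >= 30 else None

def classify(frame):
    """Return 'storm', 'ping' or None for one captured Ethernet frame."""
    hdr = ipx_header(frame)
    if hdr is None:
        return None
    # checksum, length, transport control, type, then dest and source net/node/socket
    (_ck, _len, _tc, _type, _dnet, dnode, dsock,
     _snet, snode, ssock) = struct.unpack("!HHBB4s6sH4s6sH", hdr)
    if dsock != PING_SOCKET:
        return None
    # The advisory's pattern: both nodes broadcast, both sockets 0x456.
    if ssock == PING_SOCKET and dnode == snode == BROADCAST:
        return "storm"
    return "ping"

# Constructed sample frames (hex), not captured traffic.
MAC_A, MAC_B, BCAST = "02" + "00" * 4 + "01", "02" + "00" * 4 + "02", "ff" * 6
NET0 = "00000000"  # network 0 = local IPX network
STORM = "ffff001e0000" + NET0 + BCAST + "0456" + NET0 + BCAST + "0456"
PING = "ffff001e0000" + NET0 + MAC_B + "0456" + NET0 + MAC_A + "4003"
SAMPLES = {
    "storm_8023": bytes.fromhex(BCAST + MAC_A + "001e" + STORM),
    "storm_8022": bytes.fromhex(BCAST + MAC_A + "0021" + "e0e003" + STORM),
    "ping_8023": bytes.fromhex(MAC_B + MAC_A + "001e" + PING),
}

def scan(frames):
    """Map each named frame to its classification."""
    return {name: classify(raw) for name, raw in frames.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

An ordinary unicast ping to socket 0x456 is reported as `ping` rather than `storm`, so the check can sit on a monitoring port without alerting on normal diagnostics.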