By scanning a range of network addresses with UDP 'A' packets, I can detect OS-9 Macintoshes that can be used as "byte amplifiers" for a Denial of Service attack like the one shown by the second scan below. They come from the factory ready to send 37 bytes to a spoofed address for every stimulating byte sent to them.
My scanning computer is 24.88.48.47.

I have detected three such scans in the last three weeks on my home Macintosh, which is connected to a cable modem (from Italy, Arabian Gulf via S. Africa, and Duke U.). When I saw 1500 ICMP packets being stimulated, I thought there must be a "Trojan Horse" program on my Mac.

It turns out that the OS-9 Mac is ready to be misused without a virus or other malicious software being present. The results below were obtained with special software that I wrote, but it's unlikely that computer "crackers" have not already written and distributed similar programs.
Time            Sender                 Recipient        Type of Packet          Misc
                (3 Mac's at GT)        (me)
00:45:50.790420 P 199.77.158.47 > 24.88.48.47: icmp: 199.77.158.47 udp port 31789 unreachable
00:45:51.772778 P 24.88.48.47.31790 > 199.77.158.48.31789: udp 1 (ttl 63, id 27531)
00:45:51.802149 P 199.77.158.48 > 24.88.48.47: icmp: 199.77.158.48 udp port 31789 unreachable
00:45:52.782823 P 24.88.48.47.31790 > 199.77.158.49.31789: udp 1 (ttl 63, id 27531)
00:45:53.792840 P 24.88.48.47.31790 > 199.77.158.50.31789: udp 1 (ttl 63, id 27531)
00:45:53.819352 P 199.77.158.50 > 24.88.48.47: icmp: 199.77.158.50 udp port 31789 unreachable
00:45:54.802909 P 24.88.48.47.31790 > 199.77.158.51.31789: udp 1 (ttl 63, id 27531)
00:45:54.828635 P 199.77.158.51 > 24.88.48.47: icmp: 199.77.158.51 udp port 31789 unreachable
00:45:55.813003 P 24.88.48.47.31790 > 199.77.158.52.31789: udp 1 (ttl 63, id 27531)
00:45:56.822929 P 24.88.48.47.31790 > 199.77.158.53.31789: udp 1 (ttl 63, id 27531)
00:45:56.851804 P 199.77.158.53 > 24.88.48.47: icmp: 199.77.158.53 udp port 31789 unreachable
00:45:57.832980 P 24.88.48.47.31790 > 199.77.158.54.31789: udp 1 (ttl 63, id 27531)
00:45:58.842973 P 24.88.48.47.31790 > 199.77.158.55.31789: udp 1 (ttl 63, id 27531)
00:45:58.873786 P 199.77.158.55 > 24.88.48.47: icmp: 199.77.158.55 udp port 31789 unreachable
00:45:59.853126 P 24.88.48.47.31790 > 199.77.158.56.31789: udp 1 (ttl 63, id 27531)
00:46:00.863043 P 24.88.48.47.31790 > 199.77.158.57.31789: udp 1 (ttl 63, id 27531)
00:46:01.873072 P 24.88.48.47.31790 > 199.77.158.58.31789: udp 1 (ttl 63, id 27531)
00:46:02.883120 P 24.88.48.47.31790 > 199.77.158.59.31789: udp 1 (ttl 63, id 27531)
00:46:03.893158 P 24.88.48.47.31790 > 199.77.158.60.31789: udp 1 (ttl 63, id 27531)
00:46:04.903230 P 24.88.48.47.31790 > 199.77.158.61.31789: udp 1 (ttl 63, id 27531)
00:46:04.930164 P 199.77.158.61 > 24.88.48.47: icmp: 199.77.158.61 udp port 31789 unreachable
00:46:04.935095 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 44097) [1500-bytes]
00:46:04.936418 P 24.88.48.47 > 199.77.158.61: icmp: echo reply (DF) (ttl 255, id 7745)
00:46:05.913205 P 24.88.48.47.31790 > 199.77.158.62.31789: udp 1 (ttl 63, id 27531)
00:46:06.923213 P 24.88.48.47.31790 > 199.77.158.63.31789: udp 1 (ttl 63, id 27531)
00:46:07.953243 P 24.88.48.47.31790 > 199.77.158.64.31789: udp 1 (ttl 63, id 27531)
00:46:08.963286 P 24.88.48.47.31790 > 199.77.158.65.31789: udp 1 (ttl 63, id 27531)
00:46:09.973325 P 24.88.48.47.31790 > 199.77.158.66.31789: udp 1 (ttl 63, id 27531)
00:46:10.983325 P 24.88.48.47.31790 > 199.77.158.67.31789: udp 1 (ttl 63, id 27531)
Note that 199.77.158.61 responded to my UDP 'A' scan with a 1500-byte echo request (not shown by this type of listing, but known to be 1500 bytes long). I added this network address to my list of slaves for the DoS run (against myself) shown below.
================
Three OS-9 Macintoshes bombarding me at over 1 Million bits/sec. There is no special software on them. They are being stimulated with 44-byte packets that cause them to respond with 1500-byte packets (byte amplification). The target's address would be forged (spoofed) as the source address of the stimulating packets.
Time            Sender                 Recipient        Type of Packet          Misc
                (3 Mac's at GT)        (me)
02:18:34.494630 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 35845)
02:18:34.500450 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 49546)
02:18:34.532644 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 1106)
02:18:34.540698 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 54629)
02:18:34.548738 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 18002)
02:18:34.608252 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 4133)
02:18:34.616501 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 46098)
02:18:34.624309 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 16101)
02:18:34.693549 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 48890)
02:18:34.701882 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 32321)
02:18:34.709732 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 50241)
02:18:34.741710 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 33857)
02:18:34.750094 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 41994)
02:18:34.758079 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 58954)
02:18:34.802294 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 47169)
02:18:34.858428 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 6673)
02:18:34.866542 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 60689)
02:18:34.873465 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 56154)
02:18:34.905965 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 402)
02:18:34.916535 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 29073)
02:18:34.925576 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 30353)
02:18:35.001334 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 60682)
02:18:35.017596 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 39090)
02:18:35.074054 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 12773)
02:18:35.082315 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 54074)
02:18:35.089763 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 21057)
02:18:35.121299 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 51722)
02:18:35.129189 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 1602)
02:18:35.137960 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 30481)
02:18:35.182278 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 59530)
02:18:35.190334 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 6149)
02:18:35.197462 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 36741)
02:18:35.254590 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 19962)
02:18:35.262738 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 47685)
02:18:35.269981 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 43562)
02:18:35.286936 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 49297)
02:18:35.297231 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 27713)
02:18:35.304249 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 58154)
02:18:35.312994 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 32321)
02:18:35.320987 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 59946)
02:18:35.328283 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 12458)
02:18:35.336026 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 53253)
02:18:35.344300 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 59793)
02:18:35.352315 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 44402)
02:18:35.385237 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 357)
02:18:35.393403 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 3973)
02:18:35.400629 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 47633)
02:18:35.458469 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 7370)
02:18:35.466512 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 42474)
02:18:35.475056 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 42949)
02:18:35.508134 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 57970)
02:18:35.515876 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 40402)
02:18:35.524096 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 22474)
02:18:35.581630 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 20466)
02:18:35.590388 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 61457)
02:18:35.598371 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 58769)
02:18:35.629836 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 3365)
02:18:35.638626 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 30114)
02:18:35.645700 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 1089)
02:18:35.677989 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 10538)
02:18:35.686028 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 19994)
02:18:35.695058 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 52810)
02:18:35.738375 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 37957)
02:18:35.746710 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 42561)
02:18:35.754663 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 36865)
02:18:35.762586 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 32242)
02:18:35.770450 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 14818)
02:18:35.827738 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 5482)
02:18:35.835645 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 58213)
02:18:35.843857 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 56706)
02:18:35.852034 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 50098)
02:18:35.868145 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 57409)
02:18:35.875896 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 38930)
02:18:35.884012 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 60010)
02:18:35.915986 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 17297)
02:18:35.923507 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 50938)
02:18:35.932371 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 51778)
02:18:35.956305 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 54757)
02:18:35.964668 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 38322)
02:18:35.972531 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 10053)
Here I have three slaves (199.77.146.20, 199.77.146.103, 199.77.158.61) being stimulated to send 30 1500-byte packets per second to address 24.88.48.47 (my cable modem). The combined bit rate is 3 x 30/s x 1500 bytes x 8 b/B = 1,080,000 bits/s. I could have increased the rate several times, but not much more would have interfered with the network.

One stimulating computer on a cable modem or ADSL connection could drive over thirty slaves and direct a stream of ICMP (Internet Control Message Protocol) packets at over 100 Mbps at a given target. The last 14 packets arrived in 0.14 seconds, a rate of 1.2 Mbps.
John Copeland
Dec. 21, 1999
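The following is an added example for readers on the defending side; it is not the author's scanning software and is not code from the page. It reads tcpdump-style records of the form shown in both listings above and does two things with them: it flags a host that answers a small UDP probe with a large ICMP echo request (the "byte amplifier" pattern of the first listing, with the amplification factor computed against the 44-byte stimulus size the page gives), and it measures the aggregate bit rate and per-source packet counts of echo requests arriving at one target, using the same packets x bytes x 8 arithmetic the page applies to the second listing. The sample records are constructed for the example (modelled on the page's listings, with made-up timestamps and ids in the flood sample), and the 1500-byte packet size is assumed where a record prints no size.

```python
import re
from collections import Counter

# One tcpdump-style record per line, as in the listings above:
# "HH:MM:SS.frac P src > dst: description"
RECORD_RE = re.compile(r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) P (\S+) > (\S+): (.*)$")
SIZE_RE = re.compile(r"\[(\d+)-bytes\]")


def split_hostport(token):
    """'a.b.c.d.port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_record(line):
    """Parse one record into a dict; header and blank lines give None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, src, dst, rest = m.groups()
    src_host, sport = split_hostport(src)
    dst_host, dport = split_hostport(dst)
    kind, size = "other", None
    if rest.startswith("udp "):
        kind, size = "udp", int(rest.split()[1])   # UDP payload length
    elif rest.startswith("icmp: echo request"):
        kind = "echo-request"
        sm = SIZE_RE.search(rest)                   # "[1500-bytes]" when printed
        size = int(sm.group(1)) if sm else None
    elif "unreachable" in rest:
        kind = "port-unreachable"                   # the normal answer to a closed port
    return {"t": int(hh) * 3600 + int(mm) * 60 + float(ss), "kind": kind, "size": size,
            "src": src_host, "sport": sport, "dst": dst_host, "dport": dport}


def find_amplifiers(lines, scanner, stimulus_bytes=44):
    """Hosts that answered a UDP probe from `scanner` with an ICMP echo request.

    Returns {host: amplification factor}, the echo-request size divided by the
    on-wire stimulus size (44 bytes, the figure the page gives). A host that
    only answers "port unreachable" behaves normally and is not listed.
    """
    records = [r for r in map(parse_record, lines) if r]
    probed = {r["dst"] for r in records if r["kind"] == "udp" and r["src"] == scanner}
    factors = {}
    for r in records:
        if (r["kind"] == "echo-request" and r["dst"] == scanner
                and r["src"] in probed and r["size"]):
            factors[r["src"]] = round(r["size"] / stimulus_bytes, 1)
    return factors


def reflected_rate(lines, target, packet_bytes=1500):
    """Aggregate bit rate of ICMP echo requests arriving at `target`.

    Same arithmetic as the page: packets x bytes x 8 over the span from the
    first to the last echo request. `packet_bytes` is assumed when a record
    prints no size. Per-source counts expose which hosts are the reflectors.
    """
    echoes = sorted((r for r in map(parse_record, lines)
                     if r and r["kind"] == "echo-request" and r["dst"] == target),
                    key=lambda r: r["t"])
    sources = Counter(r["src"] for r in echoes)
    if len(echoes) < 2:
        return {"packets": len(echoes), "sources": sources, "span_s": 0.0, "bps": 0.0}
    span = echoes[-1]["t"] - echoes[0]["t"]
    bits = sum((r["size"] or packet_bytes) * 8 for r in echoes)
    return {"packets": len(echoes), "sources": sources, "span_s": span,
            "bps": bits / span if span > 0 else float("inf")}


def predicted_rate(slaves, pps, packet_bytes):
    """Flood rate in bits/s for N reflectors: the page's 3 x 30/s x 1500 B x 8 b/B."""
    return slaves * pps * packet_bytes * 8


# Constructed sample modelled on the first listing: .61 answers the 1-byte probe
# with "port unreachable" AND a 1500-byte echo request (amplifier); .62 answers
# with "port unreachable" only (normal).
SCAN_SAMPLE = """\
00:46:04.903230 P 24.88.48.47.31790 > 199.77.158.61.31789: udp 1 (ttl 63, id 27531)
00:46:04.930164 P 199.77.158.61 > 24.88.48.47: icmp: 199.77.158.61 udp port 31789 unreachable
00:46:04.935095 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 44097) [1500-bytes]
00:46:04.936418 P 24.88.48.47 > 199.77.158.61: icmp: echo reply (DF) (ttl 255, id 7745)
00:46:05.913205 P 24.88.48.47.31790 > 199.77.158.62.31789: udp 1 (ttl 63, id 27531)
00:46:05.940000 P 199.77.158.62 > 24.88.48.47: icmp: 199.77.158.62 udp port 31789 unreachable
""".splitlines()

# Constructed sample modelled on the second listing: three reflectors, six echo
# requests over 0.2 s (timestamps and ids are made up).
FLOOD_SAMPLE = """\
02:18:34.500000 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 1)
02:18:34.540000 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 2)
02:18:34.580000 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 3)
02:18:34.620000 P 199.77.144.78 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 4)
02:18:34.660000 P 199.77.146.103 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 5)
02:18:34.700000 P 199.77.158.61 > 24.88.48.47: icmp: echo request (DF) (ttl 245, id 6)
""".splitlines()

if __name__ == "__main__":
    print("amplifiers:", find_amplifiers(SCAN_SAMPLE, "24.88.48.47"))
    print("flood:", reflected_rate(FLOOD_SAMPLE, "24.88.48.47"))
    print("predicted for 3 x 30/s x 1500 B:", predicted_rate(3, 30, 1500), "b/s")
```

On the constructed scan sample the amplifier check reports only 199.77.158.61 with a factor of about 34 (1500 / 44), while 199.77.158.62, which answers with the expected "port unreachable" and nothing else, is not listed; on the flood sample the rate comes out at 360,000 bits/s with two packets from each of the three sources. Run over a real capture, the same per-source count is the quickest way to tell a reflected flood (a few sources, each sending at a steady rate, all echo requests) from an ordinary burst of traffic.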