Learn how to use hping and Hyenae to demonstrate how a smurf attack works.
- [Voiceover] A reflection attack takes place when an attacker sends packets to an intermediate system and that system responds, not back to the attacker, but to the target. This is usually achieved by spoofing the source IP address to be that of the target. When the intermediate system receives the packet, it looks to all intents and purposes as if it was a legitimate request from the target. Reflection attacks are of technical interest but become a particularly significant threat when combined with amplification.
This enables an adversary to leverage infrastructures already deployed on the internet to deliver a crippling flood of data onto a target without crippling his or her own network. Before we get into looking at reflection attacks, it's useful to do a quick review of how packets move around local and wide area networks. Four addresses are used for this: the source and destination MAC address, which is shown as six bytes separated by colons, and the source and destination IP address, shown as four numbers separated by dots.
In order to send a packet, the sending host will either use the MAC address provided or will obtain a MAC address by resolution through the ARP protocol. I can see this in action on my network if I go into a command shell and issue the request arp -a. Arp will provide the addresses of all the hosts it knows about from its tables. These tables are built up dynamically and maintained as part of the underlying network activity.
They're vulnerable to attack, and we'll cover those attacks later in the course. If the IP address is in the local network, it will be routed using the MAC address in the ethernet frame. If it isn't in the local network, the gateway MAC address will be used to route the packet to the gateway. The gateway will determine from its destination IP address which interface it's to go out on, repackage it, and send it on with its source MAC address being that of the router's interface. As we use tools to manipulate packets on the local network, some will manage the MAC addressing implicitly and some will require us to specify MAC addresses.
So keep your table of MAC addresses handy. We can run a reflection attack using a tool called Hyenae. This can be downloaded as an executable from Sourceforge on the site shown here. I've already downloaded it, so let's go run it. Hyenae comes as a command line tool or we can run it through the graphical interface. I'll use the graphical front end. The command line syntax generated by the front end is shown at the bottom of the screen. As with hping3, Hyenae can be used to do many things but right now we'll just concentrate on using it for reflection.
At the top left of the Hyenae screen, we can select the operational mode. The first drop-down box offers a choice of running the attack from the local machine, from one remote machine, or from multiple remote machines. This latter mode connects to agents on multiple remote computers to enable a distributed denial-of-service. I'll run with just the local machine. We also need to select the interface. I only have one, so I'll leave it as that.
Below that, in the network protocol panel, I'll select IP version 4 and I'll pick the ICMP echo packet type. I'll change the number of packets to a fixed packet limit of five for this demonstration. I'll leave the remaining send parameters as they are. For the ICMP echo packet type, we have to specify a source pattern, a destination pattern, and a time to live in the panel at the top right. The address pattern is shown as %-% where % is a wildcard which Hyenae will randomly generate.
The part of the address before the dash is the MAC address and the part after the dash, the IP address. It's important to be careful when setting up these fields because it's quite easy to start issuing thousands of attack packets out onto the internet. For a reflection attack, we're going to spoof the source address for the target's IP address and send the ICMP echo request to a reflector. For this, we need the target's IP address and the reflector's MAC and IP address. I'm going to use my Kali system as the target and the Ubuntu system as the reflector.
So we can see what's happening, I've also got Wireshark up and running on Kali so we can see what arrives at the target. I'll use a source pattern of %-10.0.2.4, which indicates the target IP address, and a destination of 08:00:27:42:D6:19-10.0.2.9, which is my Ubuntu reflector.
I won't put a payload into the packet for this test. Okay, let's send the attack on its way. If I look at the Wireshark display in Kali, I can see five replies have been reflected by the Ubuntu system and have arrived at the target. We've successfully run a reflection attack. Of course, a malicious attack would send much more traffic and from many more sources, and if possible, with massive amplification. We'll look at reflection amplification attacks a little later in the course.
An older denial-of-service technique which used reflection was the ICMP smurf flooding attack. It uses reflection with ICMP packets, sending a large number of requests to the reflector, which sends replies to the target just as we've done. However, the unique twist with smurf is that it targets the broadcast address of a subnet as its reflector, thereby amplifying the reflection by the number of responding hosts on the subnet. A similar attack, the fraggle attack, uses UDP packets targeted at port 7, which is echo, and port 19, chargen, which will also respond.
The key to the smurf attack is therefore finding a subnet which responds to broadcast ICMP requests. This is difficult, as most systems are now locked down by default and don't respond, specifically to defeat a broadcast storm. Of course, a criminal syndicate can always stand up a reflection subnet which responds to a broadcast. But it's sufficient effort that the cybercriminals have moved on from using broadcast addresses to other forms of amplification.
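As an added example that is not part of the course or of the Hyenae or hping tools: the check a defender would run over the packet summaries Wireshark collected on the target. An echo reply that matches no echo request the host itself sent is the signature of the spoofed-source reflection run above, and many hosts answering the same request id and sequence is the smurf amplification signature. The packet tuples, field layout and addresses are constructed here to mirror the demonstration.

```python
from collections import Counter

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed packet summaries as seen on the target (10.0.2.4):
# (time, src_ip, dst_ip, icmp_type, icmp_id, icmp_seq). One legitimate ping to
# the gateway and its reply, then five echo replies from the reflector 10.0.2.9
# for requests the target never sent (the spoofed-source run described above).
SAMPLE_PACKETS = [
    (0.00, "10.0.2.4", "10.0.2.2", ECHO_REQUEST, 0x1234, 1),
    (0.01, "10.0.2.2", "10.0.2.4", ECHO_REPLY, 0x1234, 1),
] + [
    (1.00 + i * 0.01, "10.0.2.9", "10.0.2.4", ECHO_REPLY, 0x0001, i + 1)
    for i in range(5)
]

# Constructed smurf-style capture: four hosts on a subnet all answer one
# spoofed request (same id and sequence) sent to their broadcast address.
SMURF_PACKETS = [
    (2.0 + i * 0.001, f"10.0.2.{20 + i}", "10.0.2.4", ECHO_REPLY, 0x0002, 1)
    for i in range(4)
]


def find_unsolicited_replies(packets, host_ip):
    """Return (src, id, seq) for every echo reply addressed to host_ip that
    matches no echo request host_ip itself sent to that peer."""
    outstanding = set()
    unsolicited = []
    for _t, src, dst, icmp_type, icmp_id, seq in packets:
        if src == host_ip and icmp_type == ECHO_REQUEST:
            outstanding.add((dst, icmp_id, seq))
        elif dst == host_ip and icmp_type == ECHO_REPLY:
            key = (src, icmp_id, seq)
            if key in outstanding:
                outstanding.discard(key)  # reply to our own ping: expected
            else:
                unsolicited.append(key)
    return unsolicited


def reflector_summary(unsolicited):
    """Count unsolicited replies per reflecting source, and report the largest
    number of distinct replies to a single (id, seq): the amplification factor."""
    per_source = Counter(src for src, _i, _s in unsolicited)
    per_request = Counter((i, s) for _src, i, s in unsolicited)
    return dict(per_source), max(per_request.values(), default=0)


if __name__ == "__main__":
    hits = find_unsolicited_replies(SAMPLE_PACKETS, "10.0.2.4")
    print(len(hits), "unsolicited echo replies:", reflector_summary(hits))
```

On a real capture the same logic applies to a tshark field export; an amplification factor above one from a single request is the point at which a broadcast-responding subnet should be suspected.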
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.