This command causes the agent to initiate either an ICMP Echo (ping) flood
or a UDP flood.
Format:
A handler sends the following command to initiate either an ICMP Echo (ping)
flood or a UDP flood (xxx = don't care):
  2
  xxx
  xxx
  5
  icmp_udp
  udpDestPort
  destination ip
  source ip
  nameFlag
  name...
  padding for a minimum packet size of 201 bytes including the IP header
NOTE: the shaded bytes must be encoded prior to transmission to the agent.
Parameters:
icmp_udp: boolean
Flag to indicate whether to do an ICMP Echo flood (false) or a UDP flood
(true)
udpDestPort:
For UDP floods, the port to which the packets should be sent (0-255).
destination IP:
The IP address of the host that is to be flooded. This field is in network
byte order. If nameFlag is non-zero, this field will be ignored.
See description of nameFlag and name parameters below.
source IP:
The source IP to be spoofed. This field is in network byte order.
No randomizing is available for this field in this particular attack.
nameFlag: boolean
If non-zero, ignore the destination IP and instead do a gethostbyname lookup
on the hostname specified in the name parameter. If a name lookup
fails, the flood process will sleep for 10 minutes before attempting another
lookup. The flood process will loop indefinitely until a successful
lookup occurs, at which point the process will commence flooding the named
host.
name: char*
Useful only if nameFlag is non-zero. This parameter contains the
null-terminated host name of the host to be targeted by this flood.
Action:
The agent sends no response to this message. It simply initiates
an ICMP echo flood or a UDP flood as specified by the icmp_udp flag. The
flood continues until a handler instructs the agent to terminate it.
All packets exhibit the following properties:
  ip tos is uninitialized by the agent
  randomized ip ttl in the range 120 - 249
  ip id is fixed at 0x0455
  ip flags = 0
  ip offset = 0x1FFE (This causes all packets to appear as fragments at the
    target! Not sure if this was intentional or not, but the target will not
    respond to pings as the echo request is never completed)
All ICMP packets have the following additional properties:
  type = 8 = Echo
  code = 0
  echo identifier constant for all packets
  echo sequence number constant for all packets
All UDP packets will exhibit the following additional properties:
  randomized source port in the range 0 - 254
  constant destination port as defined by the handler, range 0 - 255
  UDP length fixed at 9
  a single UDP data byte, always 0x61
  an invalid checksum, because the author a) fails to run the checksum over
    the UDP pseudo header, and b) changes the packet contents immediately
    after computing the checksum
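
The fixed header values listed above are distinctive enough to match on. The following is an added example, not part of the original analysis or of the agent's code: a Python check that classifies one raw IPv4 packet against those properties. The function names, constants and sample packets (built with the documentation addresses 192.0.2.1 and 198.51.100.7) are constructed for illustration.

```python
import struct

# Values taken from the packet properties listed above.
FLOOD_IP_ID = 0x0455          # ip id fixed at 0x0455
FLOOD_FRAG_OFFSET = 0x1FFE    # ip offset, with ip flags = 0
FLOOD_TTLS = range(120, 250)  # ip ttl 120 - 249 inclusive

def classify(packet: bytes):
    """Return 'icmp-flood', 'udp-flood' or None for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    ip_id, flags_frag, ttl, proto = struct.unpack_from("!HHBB", packet, 4)
    flags, frag_offset = flags_frag >> 13, flags_frag & 0x1FFF
    if (ip_id != FLOOD_IP_ID or flags != 0
            or frag_offset != FLOOD_FRAG_OFFSET or ttl not in FLOOD_TTLS):
        return None
    payload = packet[ihl:]
    # The echo identifier/sequence values are not given in the analysis and the
    # checksums are unreliable, so neither is checked here.
    if proto == 1 and len(payload) >= 2:
        if payload[0] == 8 and payload[1] == 0:      # type 8 (Echo), code 0
            return "icmp-flood"
    elif proto == 17 and len(payload) >= 9:
        sport, dport, udp_len = struct.unpack_from("!HHH", payload, 0)
        if (sport <= 254 and dport <= 255 and udp_len == 9
                and payload[8] == 0x61):             # single data byte 0x61
            return "udp-flood"
    return None

def sample_packet(proto, payload, ip_id=0x0455, frag=0x1FFE, ttl=200):
    """Constructed test input: 20-byte IPv4 header (checksum 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                         frag, ttl, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload

# Constructed samples, not captured traffic.
SAMPLE_ICMP = sample_packet(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
SAMPLE_UDP = sample_packet(17, struct.pack("!HHHH", 100, 53, 9, 0) + b"\x61")
SAMPLE_BENIGN = sample_packet(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1),
                              ip_id=0x1234, frag=0, ttl=64)

if __name__ == "__main__":
    for name in ("SAMPLE_ICMP", "SAMPLE_UDP", "SAMPLE_BENIGN"):
        print(name, classify(globals()[name]))
```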