Date: Wed, 17 Feb 1999 03:17:26 -0300
From: Fabio Bastiglia Oliva <fboliva@SAFENETWORKS.COM>
To: BUGTRAQ@netspace.org
Subject: Pingflood attack against Windows98

rewt wrote:
>
> Try pinging the windows box with large amounts of icmp...I left 5
> screened pings, each set to 65000 size...Windows will freeze shortly
> after its loaded. You might also try to ping with -f.
>

Hey...
        I made what you suggested, and it's true... But in my case the
results were a little worse than yours...
        Windows 98 *REBOOTED* after a ping -f 65000... and wasn't need
to make several screen boxes... With only one ping -f 65000 the system
rebooted.

Best Regards
-------------------------------
Fabio Bastiglia Oliva - Director
fboliva@safenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com

----------------------------------------------------------------------

Date: Thu, 18 Feb 1999 13:32:00 -0500
From: Mark A. Heilpern <heilpern@MINDSPRING.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Pingflood attack against Windows98

At 03:17 AM 2/17/99 -0300, you wrote:
>rewt wrote:
>>
>> Try pinging the windows box with large amounts of icmp...I left 5
>> screened pings, each set to 65000 size...Windows will freeze shortly
>> after its loaded. You might also try to ping with -f.
>>
>
>Hey...
>       I made what you suggested, and it's true... But in my case the
>results were a little worse than yours...
>       Windows 98 *REBOOTED* after a ping -f 65000... and wasn't need
>to make several screen boxes... With only one ping -f 65000 the system
>rebooted.

I issued "ping -f -s 65000 my-win98-address" and after a single return, win98
locked up cold. I was ssh'd from win98 to linux to issue the ping, so I might
have had more returns than timing allowed to be displayed before I locked
up.

----------------------------------------------------------------------

Date: Thu, 18 Feb 1999 21:44:24 -0300
From: Fabio Bastiglia Oliva <fboliva@SAFENETWORKS.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Pingflood attack against Windows98

Hello all,

        As I said before, forgive me, because my english is not so good!
        I'll make a "Multi-reply" in this email... It's easier ;)
        Thanks for all the replies!

------------------------------------------------------------------------
------------------------------------------------------------------------
James <pyro@pyro.za.net> wrote:
>
> This on a LAN or Internet or both?
>
>         I made this test in my LAN.

-LAN Speed: 10Mbits.
-NICs (Network Interface Card): 3Com905btx, Genius, Encore & Realtek.
-Hubs: 3Com Super Stack II.
-Windows98 Versions: 4.10.1998 (Portuguese and English versions)

------------------------------------------------------------------------
------------------------------------------------------------------------
Laurent LEVIER <llevier@argosnet.com> wrote:
>
> I tried with the French version of Windows 98.
>
> when I run ping -l 65000 -f IPaddr.
>
> ping refuses. Of course ping -f 65000 is not accepted too.
>
> Strange the ping command changes between US & FR version.
>

        Sorry, I made a mistake when sent the email to Bugtraq. The
correct command (From Linux Slackware 3.6 Kernel 2.0.36) line is:

                ping -f -s 65000 IPaddr

------------------------------------------------------------------------
------------------------------------------------------------------------
Quantum <fusion77@bellsouth.net> wrote:
>
> I just tried it & had no success at my Win98 dos prompt,
>

        Try from a linux... I got these results flooding from a
Linux Slackware 3.6 Kernel 2.0.36...

------------------------------------------------------------------------
------------------------------------------------------------------------
Tom Van Riper <tomv@dreamscape.com>
>
> yeah no kidding, the world has known a dialup connection weither it be
> windows or a unix type operating system, that a small amount of icmp
> packets will kill the connection for years, thats old stuff.
> try synfluding on ports 0-65535 for some real fun ;)

        Hehe... But a synflood just made the LAN Communication slower,
and didn't affected Windows 98 than pingflood affected!

Tom Van Riper
Dreamscape Online

------------------------------------------------------------------------

Best Regards
-------------------------------
Fabio Bastiglia Oliva - Diretor
fboliva@safenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com

----------------------------------------------------------------------

Date: Fri, 19 Feb 1999 01:16:44 -0300
From: Fabio Bastiglia Oliva <fboliva@SAFENETWORKS.COM>
To: BUGTRAQ@netspace.org
Subject: Pingflood attack against Windows98 - The Test

Hello all,

         This is what is happening when I ping flood a Windows98 from a
Linux Slackware 3.6 (Kernel 2.0.36).


-Before the attack-

linux:~# ping 192.168.1.4
PING 192.168.1.4 (192.168.1.4): 56 data bytes
64 bytes from 192.168.1.4: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 192.168.1.4: icmp_seq=1 ttl=128 time=0.5 ms

--- 192.168.1.4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.5/0.5/0.5 ms


-The Attack-

linux:~# ping -f -s 65000 192.168.1.4
PING 192.168.1.3 (192.168.1.4): 65000 data bytes
.......................................................................
...................................................../*After lots of
little dots... Windows98 Rebooted*/...<CTRL+C>

--- 192.168.1.4 ping statistics ---
11440 packets transmitted, 228 packets received, 98% packet loss
round-trip min/avg/max = 0.6/32.0/64.2 ms


-After the attack-

linux:~# ping 192.168.1.4
PING 192.168.1.4 (192.168.1.4): 56 data bytes

--- 192.168.1.4 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

---

        It's what's happening here... Anyone of you got the same
results?

Best Regards
--------------------------------
Fabio Bastiglia Oliva - Director
fboliva@safenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com

----------------------------------------------------------------------

Date: Thu, 11 Feb 1999 03:43:10 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@netspace.org
Subject: Re: Pingflood attack against Windows98

Sorry, but I'm afraid this thread is a little bit out-of-date. Pingflood
against Windows 95/98 is a well-known shool DoS. ping -s -f or ping -s -l
over local networks seems to cause Windows to lock-on permanently (or
temporarily, depending on weather), or even reboot. Is there anything more
to talk about?:>

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[lunete.nfi.pl SYSADM] [http://dione.ids.pl/lcamtuf] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]

----------------------------------------------------------------------

Date: Mon, 22 Feb 1999 04:04:44 -0300
From: Fabio Bastiglia Oliva <fboliva@SAFENETWORKS.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Pingflood attack against Windows98

Michal Zalewski wrote:
>
> Sorry, but I'm afraid this thread is a little bit out-of-date.
> Pingflood against Windows 95/98 is a well-known shool DoS. ping -s -f
> or ping -s -l over local networks seems to cause Windows to lock-on
> permanently (or temporarily, depending on weather), or even reboot.
> Is there anything more to talk about?:>
>

Dear Mr. Zalewski,

        Since Microsoft's announced that Windows 95 DoSs were corrected
in Windows 98, and we found this bug AGAIN... I think that this thread
IS NOT out-of-date.

Best Regards
--------------------------------
Fabio Bastiglia Oliva - Director
fboliva@safenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com