ipx storm

Hello,

The IPX protocol has samething called IPX ping. Sending a packet to
socket 0x456 to anything supporting ipx causes a response to be sent back.
If you send a packet with source and destination addresses set to the
ethernet broadcast address and source and destination socket set to 0x456
everything supporting ipx sends a reply to the broadcast address (and
after that they start talking to each other). The storm ends when all ipx
stacks die off (it can last a few minutes on a small network up to
probably an half hour on a large network). You can also set the source and
destination networks to have a broadcast storm between them (probably a
killer on large corporate WANs :) - but remember to set the destination
address to the router of the destination network.

This is really an old school DoS (kind of like sending udp packets with
the source=destination=ip broadcast address and setting the ports to echo
or chargen), only applied to ipx, so it should have been fixed by now.

I've attached some code i used to test this under linux (it can only spoof
802.2 and 802.3 packets, add other types if you wish). It's best to set
all addresses to broadcast and ipx networks to 0 (local ipx network) for
starters and fire off tcpdump to see the fun begin.

I don't know about the platforms affected - windows 9x seems to be
vulnerable, nt doesn't, probably dos clients running netx or vlm should be
affected as well (not tested). If you find another vulnerable platform
i would like to know.

Please use the attached program at your own risk, and don't hold me or my
employer (Andra Sp. z o.o.) liable to any damages.

Jacek Lipkowski

ps. I know nothing about ipx over ip in the new netware, so someone please
check if this can be used this way?

ps2. the program is badly written – i'm aware of that :)

Andra Network Integrator
ul. Wynalazek 6
02-677 Warsaw
Poland
mailto: [email protected]