NukeNabber was originally written as a response to the original Winnuke/OOBNuke in an attempt to catch people trying to crash my system. That attack only used port 139 tcp. It was soon discovered that other ports were vulnerable to similar attacks. Ports 138, 137 and 129 were quickly added, then port 53 tcp and 19 udp. Without knowing where this might end, I made sure plenty of ports could be added in the future.
I only intended NukeNabber to be used by myself until, in the course of testing it, other people wanted to use it. Almost all attacks at this time were conducted via IRC and were not spoofed. I decided that it would be useful to have NukeNabber communicate with my mIRC client to help manage the channels I opped in. Over the course of a year the program became more polished and useful but there are still many things I would like to add.
So why the name "NukeNabber"? Alliteration man! It's the *alliteration*! (said in best Tick voice)
You can always find the latest version of NukeNabber by going to http://www.dynamsol.com/puppet/ or http://dynamsol.dyn.ml.org/puppet/
The latest version as of 8/21/1998 is 2.9
I was born. My family got a computer for the family one xmas. My geek-genes awoke and transformed me into what I am today.
DSI stands for Dynamic Solutions International and was formed as a sole-proprietorship in 1985.
NukeNabber listens on specified ports and for ICMP destination unreachable. Upon seeing a connection, it will wait ~10 seconds and read up to 1k of data. Any more than 1k is simply thrown away and the port is closed. Optionally, a sound is played, a message is sent to your IRC client and various reports are generated in an attempt to gather information about the attacker.
There are some special conditions such as with ICMP dest_unreach. ICMP does not use ports and so it cannot be "shut down". NukeNabber simply ignores the incoming data for a specified amount of time to avoid being flooded.
NukeNabber does not act as a firewall. It will not block potentially damaging packets before they can crash your system. That is why you must be patched for NukeNabber to work.
The next planned version of NukeNabber will be able to block ports.
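As an added illustration (not NukeNabber's own code, which is not on this page), here is a small Python model of the listening behaviour just described: accept one connection on a port, keep at most 1k of data read within the wait window, throw the rest away, close the port and emit a line in the log format this FAQ shows. The 10 second window, 1k limit and log layout come from the text; the loopback self-test and the `nab_once`/`demo` names are constructed for this example.

```python
import socket
from datetime import datetime, timedelta, timezone

# Added model of the behaviour described above; not NukeNabber's own code.
def log_line(host, ip, port, proto, when=None):
    """Format a record in the style of NukeNabber's log (see the sample later on this page)."""
    when = when or datetime.now().astimezone()
    stamp = f"{when:%m/%d/%Y %H:%M:%S}.{when.microsecond // 1000:03d} GMT{when:%z}"
    who = f"{host} ({ip})" if host != ip else ip
    return f"[{stamp}] Connection: {who} on port {port} ({proto})."

def page_example():
    """The sample log line quoted later on this page, rebuilt from its fields (GMT-0600)."""
    when = datetime(1998, 8, 19, 18, 50, 38, 109000, timezone(timedelta(hours=-6)))
    return log_line("blah.quebectel.com", "142.169.170.0", 139, "tcp", when)

def nab_once(srv, timeout=10.0, limit=1024):
    """Accept one connection on listening socket `srv`, read at most `limit`
    bytes within `timeout` seconds, throw the rest away and close the port."""
    port = srv.getsockname()[1]
    conn, (ip, _) = srv.accept()
    conn.settimeout(timeout)
    data = b""
    try:
        while len(data) < limit:
            chunk = conn.recv(limit - len(data))
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass  # peer went quiet inside the window; keep what arrived
    finally:
        conn.close()  # anything beyond `limit` is discarded unread
        srv.close()   # the port is closed again until the next listen
    # No reverse DNS lookup here, so the example stays offline.
    return {"ip": ip, "port": port, "bytes": len(data), "line": log_line(ip, ip, port, "tcp")}

def demo(payload=b"A" * 3000):
    """Constructed self-test: a loopback client sends 3000 bytes; only 1k is kept."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port (139 in real use)
    srv.listen(1)
    # The handshake completes in the kernel before accept() and 3000 bytes fit in
    # the socket buffers, so one thread is enough for this self-test.
    with socket.create_connection(srv.getsockname()) as client:
        client.sendall(payload)
        return nab_once(srv, timeout=2.0)
```

A payload shorter than the limit exercises the timeout path instead: the listener keeps what arrived and closes the port when the window expires.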
Without getting into silly hacker semantics, a nuke is a packet of data constructed with the intention of sending it to another computer and crashing it.
Denial of Service or DoS is attacking someone's system or systems with the intent of shutting them down. All nukes fall into this category as well as simple packet flooding. In the United States, Denial of Service is a crime under Title 18.
Winnuke is a packet constructed with an URGENT flag set and pointing to Out of Band data. This combination will crash unpatched Windows95 and WindowsNT machines.
SSPING sends a series of highly fragmented, oversized ICMP data packets over the connection. The system cannot re-assemble them fast enough and the computer freezes.
This attack sends overlapping IP fragments that the system cannot re-assemble. The system will freeze.
This attack sends a malformed UDP header causing the system to crash.
This attack tricks your computer into trying to negotiate a connection with itself. This negotiation loops and the system freezes.
This attack abuses a feature of the ICMP protocol and tries to convince your computer that it has lost its connection. The computer then disconnects from the port specified.
Install the patches for your OS. Consider using a firewall or router.
If the ISP of the attacker is visible in the log, email to abuse@isp and/or root@isp.
For example:
[08/19/1998 18:50:38.109 GMT-0600] Connection: blah.quebectel.com (142.169.170.0) on port 139 (tcp).
You would send email to [email protected] and/or [email protected]
Sometimes the IP address is all you get. This is where the traceroute comes in handy from the Intelligence Reports.
[08/12/1998 22:28:37.734 GMT-0600] Connection: 200.224.242.48 on port 1080 (tcp).
[08/12/1998 22:28:37.890 GMT-0600]Report Generated for 200.224.242.48
TraceRoute:
1 grill (192.168.0.10)
2 tnt5.dfw5.da.uu.net (206.115.151.133)
3 e0-4.ar1.dfw5.da.uu.net (207.76.48.50)
4 351.ATM2-0-0.XR1.DFW4.Alter.Net (137.39.82.102)
5 146.188.240.62 (146.188.240.62)
6 108.ATM8-0-0.TR1.ATL1.ALTER.NET (146.188.136.25)
7 100.ATM9-0-0.XR1.ATL1.ALTER.NET (146.188.232.93)
8 195.ATM12-0-0.BR1.ATL1.ALTER.NET (146.188.232.49)
9 137.39.23.6 (137.39.23.6)
9 200.224.242.48 (200.224.242.48)
TraceRoute Complete.
In this case, you should send a log of the attack to [email protected] and/or [email protected].
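Added example (not part of NukeNabber): a parser for the Connection lines shown above that derives the abuse@ and root@ addresses from the logged hostname and, when only an IP was logged, falls back to the last named traceroute hop. The two-label domain rule and the traceroute fallback are simplifying assumptions, and the sample lines are taken from this page.

```python
import re

# Added helper, not part of NukeNabber: read a Connection log line and suggest
# the abuse@/root@ addresses the text above recommends. Assumes the plain
# "[stamp] Connection: host (ip) on port N (proto)." layout shown on this page.
CONN_RE = re.compile(r"^\[(?P<stamp>[^\]]+)\]\s*Connection: (?:(?P<host>[^\s(]+) \()?"
                     r"(?P<ip>\d+(?:\.\d+){3})\)? on port (?P<port>\d+) \((?P<proto>tcp|udp)\)\.$")
HOP_RE = re.compile(r"^\s*\d+\s+(?P<name>\S+)\s+\((?P<ip>\d+(?:\.\d+){3})\)\s*$")

def parse_connection(line):
    """Split one Connection line into its fields; host is None when only an IP was logged."""
    m = CONN_RE.match(line)
    if not m:
        raise ValueError(f"not a NukeNabber Connection line: {line!r}")
    return {"stamp": m["stamp"], "host": m["host"], "ip": m["ip"],
            "port": int(m["port"]), "proto": m["proto"]}

def registrable_domain(name):
    """Last two labels of a hostname (simplification: ignores ccTLDs such as .co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def isp_from_traceroute(trace_lines, attacker_ip):
    """Domain of the last named hop before the attacker: usually the upstream carrier,
    so treat it as a lead to confirm with WHOIS, not as the final answer."""
    domain = None
    for line in trace_lines:
        m = HOP_RE.match(line)
        if m and m["ip"] != attacker_ip and m["name"] != m["ip"]:
            domain = registrable_domain(m["name"]) or domain
    return domain

def abuse_contacts(conn_line, trace_lines=()):
    """Parse the log line and return it with the abuse@/root@ addresses to write to.
    Reverse-DNS names are supplied by the remote network, so verify before mailing."""
    rec = parse_connection(conn_line)
    domain = registrable_domain(rec["host"]) if rec["host"] else \
        isp_from_traceroute(trace_lines, rec["ip"])
    rec["contacts"] = [f"abuse@{domain}", f"root@{domain}"] if domain else []
    return rec

# Constructed excerpt of the traceroute quoted above (middle hops left out for space).
TRACE_EXCERPT = [
    "1 grill (192.168.0.10)",
    "8 195.ATM12-0-0.BR1.ATL1.ALTER.NET (146.188.232.49)",
    "9 137.39.23.6 (137.39.23.6)",
    "9 200.224.242.48 (200.224.242.48)",
]
```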
Sometimes you can use the WHOIS report to get the exact person you should email your information to.
Comteck LLC (COMTECK-DOM)
210 N. Main
sweetser, IN 46987
us
Domain Name: COMTECK.COM
Administrative Contact:
Mark, Schultz (SM1002) [email protected]
(765)384-7873 (FAX) (765)384-7002
Technical Contact, Zone Contact:
Claussen, Kent (KC242) [email protected]
765-538-3738 (FAX) 765-538-3739
Billing Contact:
Mark, Schultz (SM1002) [email protected]
(765)384-7873 (FAX) (765)384-7002
Record last updated on 16-Apr-97.
Record created on 06-Dec-95.
Database last updated on 10-Aug-98 03:35:16 EDT.
Domain servers in listed order:
TONE.COMTECK.COM 209.45.185.2
PULSE.COMTECK.COM 209.45.185.5
With this information you can email your report directly to [email protected] and [email protected]
Rarely, you will get a valid finger response. The finger will give a list of users on the system at the time of the attack. This is invaluable information but most ISPs block it. When you do get it, include it with your report.
Sign your report with your real name and phone number. You want the ISP to take you seriously and they are less likely to do that if you don't use your real name and give them a way to contact you personally.
19 udp (chargen)
53 tcp (DNS)
129 tcp (undefined)
137 tcp (netbios name)
138 tcp (netbios datagram)
139 tcp (netbios session)
* ports above 1024 are generally undefined *
1027,1029,1032 tcp (used to protect ICQ)
1080 tcp (used to detect wingate sniffers)
5000 tcp (used to detect and block Sokets de Trois v1)
50505 tcp (used to detect and block Sokets de Trois v2)
31337 udp (used to detect and block Back Orifice)
You can monitor port 23 tcp to watch for people trying to telnet to you or port 21 to watch for ftp connections.
Ports 19, 53, 129, 137, 138, 139 have been directly involved with DoS attacks.
Ports 1027, 1029, 1032, 1080, 5000, 50505 and 31337 are often used by trojans, so while they are not attacked directly they are frequently probed.
TCP stands for Transport Control Protocol (more info)
UDP stands for User Datagram Protocol (more info)
ICMP stands for Internet Control Messaging Protocol (more info)
For Windows95 users, only those who have upgraded to Winsock 2.2 can monitor ICMP.
Windows98 users should never see this message.
WindowsNT only allows users with Administrative access to monitor ICMP.
NukeNabber can listen for syslog messages so if your firewall or router can send those then NukeNabber can still monitor ports.
It was my intention to make a detector and not a blocker from the beginning. It is my opinion that knowing your attacker is 90% of the battle. The next version of NukeNabber will provide the ability to block ports.
You can email [email protected], join the discussion mailing list and/or log on to Undernet IRC and join #winnuke.
No.