Byzantine Reality

Searching for Byzantine failures in the world around us

Beware the Dreaded 'Reflector'

Sorry about the incredible lack of posting lately. Have had too much time drained by a particularly nasty homework assignment. Now that it’s out of the way, I will hopefully return to the ‘regular’ posting schedule until the next vicious assignment comes up. For you masochists at home who have 20 hours to spare, here’s the specs for it from my teacher’s site:

Develop a tool, called reflector, which reflects against an attacker’s host the attacker’s traffic. In order to do so, the tool is able to simulate two non-existent hosts, say victim and relayer, at both the Ethernet and IP levels. Whenever an attacker sends a packet to victim, the packet is intercepted by the reflector application and re-sent as a packet from relayer to the attacker’s host. The reply that is sent by the attacker’s host to relayer is then sent back as a packet fromvictim (in reply to the original packet) to the attacker’s host.

This is an example of how this works. Suppose that the reflector application is running on host and it is simulating:

  • victim with Ethernet address 00:0A:0B:0C:11:37 and IP address;
  • relayer with Ethernet address 00:0A:06:1B:AB:B0 and IP address

If host (the attacker) sends a TCP SYN packet to host thereflector application will capture that packet and transform it in a TCP SYN packet from to If the attacker host responds with a SYN/ACK packet (or a RST packet) to, then the reflector application will transform that packet in a packet from to This process is repeated until the application is stopped.

You will have to sniff packets using libpcap. Also, you will have to spoof all the right ARP/IP packets that are needed to make it work reliably, using libnet.

The application must be invoked with the following syntax:

# reflector --victim-ip [IP Addr] --victim-ethernet [Ethernet Addr] \
      --relayer-ip [IP Addr] --relayer-ethernet [Ethernet Addr]

A non-default interface can be specified using the –interface command-line option. For example, in the example above, the invocation will be:

# reflector --victim-ip --victim-ethernet 00:0A:0B:0C:11:37 \
      --relayer-ip --relayer-ethernet 00:0A:06:1B:AB:B0

What a doozy! The algorithm isn’t really even that complicated; just playing with the newest versions of libnet and libpcap is a real pain. But it’s all behind us now…