Public ICQ Servers Based DDoS
Source: SecuriTeam
L33tdawg: Not sure if you guys have read about this yet, but I certainly haven't... Word to Jefiwi for sending me the hook up.
It is possible to use public ICQ servers for traffic amplification by a factor of 100 or even greater. This means that an attacker with a channel bandwidth of 38 Kbps can, ideally, fill an uplink of 3.8 Mbps.
ICQ uses UDP as its transport protocol. The data area of each client-side UDP packet starts with the following header (as of ICQ protocol version 5):
Length    Content       Field        Description
2 bytes   05 00         VERSION      Protocol version
4 bytes   00 00 00 00   ZERO         Always zero
4 bytes   xx xx xx xx   UIN          Your UIN
4 bytes   xx xx xx xx   SESSION_ID   Used to prevent spoofing
2 bytes   xx xx         COMMAND      Command
2 bytes   xx xx         SEQ_NUM1     Sequence number, initialised with a random value
2 bytes   xx xx         SEQ_NUM2     Initialised with 1 (!)
4 bytes   xx xx xx xx   CHECKCODE
variable  xx ...        PARAMETERS   Parameters
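A parser for this v5 client header, added here as an example that is not part of the SecuriTeam advisory: it rejects payloads whose fixed VERSION and ZERO fields do not match, and counts, per claimed UIN, packets whose SEQ_NUM2 still holds its initial value 1. The sample payloads and all field values are constructed, not captured traffic.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Fixed part of the ICQ v5 client-side UDP header: 2+4+4+4+2+2+2+4 = 24 bytes.
# Fields are little-endian, which is why VERSION 5 is laid out as "05 00".
HEADER_FMT = "<HIIIHHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)
ICQ_VERSION = 5

@dataclass
class IcqV5Header:
    uin: int
    session_id: int
    command: int
    seq_num1: int
    seq_num2: int
    checkcode: int
    parameters: bytes

def parse_icq_v5_client_header(payload: bytes) -> Optional[IcqV5Header]:
    """Return the parsed header, or None when the UDP payload is not an ICQ v5
    client packet (too short, VERSION != 5, or the ZERO field is non-zero)."""
    if len(payload) < HEADER_LEN:
        return None
    (version, zero, uin, session_id, command,
     seq_num1, seq_num2, checkcode) = struct.unpack_from(HEADER_FMT, payload)
    if version != ICQ_VERSION or zero != 0:
        return None
    return IcqV5Header(uin, session_id, command, seq_num1, seq_num2,
                       checkcode, payload[HEADER_LEN:])

def session_starts_per_uin(payloads: Iterable[bytes]) -> Counter:
    """Count, per claimed UIN, the v5 client packets whose SEQ_NUM2 still holds
    its initial value 1, i.e. packets that open a session rather than continue
    one. Payloads that do not parse as ICQ v5 are ignored."""
    starts: Counter = Counter()
    for payload in payloads:
        hdr = parse_icq_v5_client_header(payload)
        if hdr is not None and hdr.seq_num2 == 1:
            starts[hdr.uin] += 1
    return starts

# Constructed sample payloads (not captured traffic). SAMPLE_V5 is a well-formed
# client packet: VERSION=5, ZERO, UIN=123456, SESSION_ID=0x11223344, COMMAND=0x03E8,
# SEQ_NUM1=0x1234, SEQ_NUM2=1, CHECKCODE=0xDDCCBBAA, then three parameter bytes.
SAMPLE_V5 = bytes.fromhex("0500" "00000000" "40e20100" "44332211"
                          "e803" "3412" "0100" "aabbccdd" "010203")
SAMPLE_NOT_ICQ = b"\x04\x00" + b"\x00" * 22            # VERSION=4, rejected
```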