For the server-side “boots” craig is describing what’s called an amplification attack. It works by amplifying the traffic load while only having to send a small amount of traffic to make it happen. It’s also called the snowball effect. These server-side d/c packets are basically a Yahoo!-specific SMURF attack using Yahoo!’s own protocol to abuse their server’s traffic routing rules. I know of a couple ways to stop them from working but there’s only a couple tricks you can use to stop one of these attacks if it uses chat invitations or PMs *deliverable in all scenarios regardless of whether you’re using Chat 2 or YMSG, cloaked on YMSG or not*. If the packets can be delivered to you it’s a potential avenue for flooding to boot you.

Cloaking in YMSG aids in preventing most of these attacks but can’t cover all of them. To combat against strong PM bombing even if the PM bomb is using an amplified packet structure to force lots of traffic on you (booters call these “looped” packets) something can be done about it. What you can do is log your ID into YMSG/HTTP and then use a chat client to log that same ID into Chat 2 to join a room. You’ll be able to chat regularly on the Chat 2 connection, use voice etc. while all of the chat invites that you receive as well as all of the PMs you’ll receive will all be sent to your YMSG/HTTP connection. It’s impossible to flood off a user that’s signed into YMSG/HTTP even if they’re on dial-up due to the nature of how HTTP operates and how the servers deal with the excess traffic that’s buffered or built up. The excess is simply discarded while using this protocol. There are other “tricks” you can use but this is the cleanest and would truly make anyone regardless of their connection “unbootable” as far as the flooding goes unless that flood is generated inside the chat room (on the Chat 2 connection). Cookie exploits and other disconnect exploitation methods that don’t involve flooding you would still be susceptible to.

After getting fed up with booters knocking me offline, i finally got the packet sniffers out, flexed my programming skills and decided to go in search of the truth..

Misconceptions

A chat client is more bootable than another one… (yes only if the client is very very badly written)

You need some kind of secret packet to send to boot a person in yahoo.. false.

Truths.

A Chat client with a good connection will help prevent most booters, yes, this is correct (with the exception of a couple of yahoo server explots..)

If you know nothing about booters and a little about yahoo, have a look at the article i wrote here

Ymlite

if not i’ll try and explain that (which is 300 odd lines) into something a bit more technical now…

Yahoo Messenger
Yahoo Chat…

Yahoo messenger can get into yahoo chat, but in reality, it’s a seperate service…

Yahoo Messenger’s server has a Buffer, this buffer is actually 128k not the 512 the first tests indicated in the article above.

Why does a booter work?

When the attacker sends multiple packets to you, what you don’t get from the server gets stored in a buffer, in comes a chat packet, the client grabs it, in comes 5 chat packets, you grab the first 3 packets, 2 are left behind on yahoo’s server, you then grab the 2 packets and then the buffer is back to empty.

Right, this time the booter sends 1k’s worth in 1 packet of PM (instant messaging packets) but instead of sending the 1 packet, the booter builds up 10 pm/im packets

(800bytes) + 800 + 800
impacket+impacket+impact

Then you send it to yahoo 10 loops packets of PMs @ 1k each = 80k in 1 load to yahoo then the booter sends it again, 160k.

Now if you can send 128k’s worth of data, pm packets, chat packets, anything you like to the other user BEFORE the user can get the data out, yahoo will simply d/c them over 128k why?

Most Probably because the server is instructed to d/c idle users or users
who are no longer online, what’s the point of Keeping someone in yahoo chat if they are not getting the data people are sending them, after 40 minutes of a client sending data yahoo goes, we’ve buffered 128k, the user aint there, kick him…

another theory is that, yahoo messenger would crash if it got anything more than 128k lol

So why do some clients take longer than others to boot them…

The faster the routines, better the coding of the chat client, those few seconds really build up.

Take YahEh a VB written client, to display “Hey there :)” in YahEh might take 80ms to perform…

the one in Say Y!mlite, typically can do it much faster say around 20 – 30ms

So Y!mLite can process the data, display the packet, get the next packet, it’s going to get the packet 50ms faster, ok not much for 1 packet but let’s say 100 packets = 5000ms = 5 seconds slower over a period of 100 packets…

This means the client gets less packets from yahoo, and in turn the booter sends more data than you can get (128k) and you get disconnected from the server.

Right so Yaheh might bet booted in 30 seconds, y!mlite because it can get that extra data from yahoo fast enough, it could last say 40 before it got booted…

but, most clients have CPU’s good enough now so the chat client makes very little difference, most of the ability of being boot proof is put on to the bandwith…

56k User can download in theory at 8ks
but in reality it’s about 4 – 5k

So here’s a 1mbit connection, 1mbit / 8 = 128k a second upload.
Here’s a 56k connection 5k/s download

by the time the booter puts up 128k of data, the 56k user was only able to get 6k, which leaves 122k of data buffered at yahoo…

in less than 2 seconds, the 1mbit connection booter would have taken out a 56k user.

2 56k users trying to boot each other.

1 56k user manages to upload at 6k/s
2 56k user manages to download at 5k/s

The booter will work.

Booter is sending 6k/s 1k more than what the other 56k user can download… in 128 seconds, the booter would be able to fill up the buffer..

2 minutes it would take to boot them….

if you’re on a 2mbit connection and someone tries to boot you on a 3mbit connection, you’ll be able to send out at 256k/ but the 3mbit user will be able to download 384k and you’ll never be able to fill the buffer fast enough to boot them…

But there’s one exception to the rule

A yahoo server exploit, send 128 packets at 1k/s and providing the messenger client does not get the data from the buffer, it will be booted in exactly 128 seconds, now this server exploit

Certain Packets (not specifying what for obvious reasons)

Allow you to send the ID of the person you wish to send the packet to, eg, will you come to my conference, in the packet you can put down 10 id’s and yahoo will send out 1 packet to each of them 10 users, 1 packet from me, 10 packets out of yahoo….

Well these booters simply put in 1 person to invite, 10 times, and the packet gets magnified 10 times, so if you’re on a 56k, you essentially have the bandwith of 56k * 10 = 560kbit connection, loop the data as i pointed out up there, and guess what happens, you get the equiv of a 1/2mb booter from a slow connection, yahoo sends so much data to the victim so quickly it fills up the buffer (128k) and you get booted from yahoo messenger…

What can be done?

Since i’m the one who writes y!mlite, i’ve done a few tricks to make it faster, for example if you’re under attack, you want to get the data out fast, so as a result, y!mlite only processes the header of each packet, and if it’s an IM packet / invite, whatever, it simply ignores it and gets the next packet, it will only process Chat Data since it’s highly unlikely someone would try to boot you from chat.

As a result, when a client like yahelite spends 40 – 50ms processing the content of ?WERWE?R>$?@#$ it could waste valuable time, in effect y!mlite becomes unlaggable no matter how many bots are booting you..

(P.S if you have the bandwith, you could boot a person with 1 ID just sending them lots of pm messages faster than they can get out to fill 128k)

So in this type of boot, y!mlite might survive the d/c simply because it’s faster at getting the data while yahelite processed it and got lagged and as a result it gets booted.

Y!mLite has Booter Detection, it talks to tell you it’s happening, it measures the data throughput and calculates if it’s an attack, Y!mLite’s also in the proccess of getting an anti booter type routine in, the secret is to use 2 id’s… but it’s a new experimenental thing and it will quite effectively stop booters…

Y!mlite

p.s i’ve become quite an expert in this field, any questions feel free to ask, but if you’re an absolute noob i suggest reading the article above, it explains everything in detail and precisly what point you get booted…