0x451 SYN Flooding
A SYN flood tries to exhaust states in the TCP/IP stack. Since TCP maintains
“reliable” connections, each connection needs to be tracked somewhere. The
TCP/IP stack in the kernel handles this, but it has a finite table that can only
track so many incoming connections. A SYN flood uses spoofing to take
advantage of this limitation.
The attacker floods the victim's system with many SYN packets, using a
spoofed nonexistent source address. Since a SYN packet is used to initiate a
TCP connection, the victim's machine will send a SYN/ACK packet to the
spoofed address in response and wait for the expected ACK response. Each
of these waiting, half-open connections goes into a backlog queue that has
limited space. Since the spoofed source addresses don't actually exist, the
ACK responses needed to remove these entries from the queue and complete
the connections never come. Instead, each half-open connection must time
out, which takes a relatively long time.
As long as the attacker continues to flood the victim's system with spoofed
SYN packets, the victim's backlog queue will remain full, making it nearly
impossible for real SYN packets to get to the system and initiate valid TCP/IP
connections.
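The backlog behaviour described above can be made concrete with a small queue model. This is an added example, not code from the book: it simulates a listener's half-open queue with constructed parameters (a 128-entry backlog, a 60-tick half-open timeout, 10 spoofed and 2 legitimate SYNs per tick) and reports how many legitimate connection attempts are turned away, and how the same load behaves when the timeout is shortened or the table enlarged.

```python
import heapq
import random

def simulate_backlog(backlog_size, syn_timeout, spoofed_per_tick,
                     legit_per_tick, ticks, legit_rtt=1, seed=1):
    """Model a TCP listener's half-open (SYN) backlog, one tick per time unit.

    Spoofed SYNs never get an ACK, so their entries stay in the backlog until
    syn_timeout ticks expire. Legitimate SYNs are ACKed legit_rtt ticks later
    and leave the queue. A SYN arriving while the backlog is full is dropped.
    Returns counts of legitimate SYNs accepted/dropped and the peak occupancy.
    All parameters are constructed; none are measured from a real stack.
    """
    rng = random.Random(seed)      # fixed seed: deterministic interleaving
    backlog = []                   # min-heap of the tick at which an entry leaves
    accepted = dropped = peak = 0
    for t in range(ticks):
        # Entries whose ACK has arrived or whose timer has expired leave.
        while backlog and backlog[0] <= t:
            heapq.heappop(backlog)
        # This tick's arrivals, mixed in a random but reproducible order.
        arrivals = ["spoofed"] * spoofed_per_tick + ["legit"] * legit_per_tick
        rng.shuffle(arrivals)
        for kind in arrivals:
            if len(backlog) >= backlog_size:
                if kind == "legit":
                    dropped += 1   # a real client finds no room in the table
                continue           # a dropped spoofed SYN costs the attacker nothing
            if kind == "legit":
                heapq.heappush(backlog, t + legit_rtt)
                accepted += 1
            else:
                heapq.heappush(backlog, t + syn_timeout)
        peak = max(peak, len(backlog))
    return {"accepted": accepted, "dropped": dropped, "peak_backlog": peak}

if __name__ == "__main__":
    print("no flood             ", simulate_backlog(128, 60, 0, 2, 300))
    print("flood, 60-tick timeout", simulate_backlog(128, 60, 10, 2, 300))
    print("flood, 5-tick timeout ", simulate_backlog(128, 5, 10, 2, 300))
    print("flood, 1024 backlog   ", simulate_backlog(1024, 60, 10, 2, 300))
```

With the long timeout the table fills within a dozen ticks and most legitimate SYNs are dropped; with a 5-tick timeout the same spoofed rate never holds more than 52 entries, so nothing is dropped.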
Using the Nemesis and arpspoof source code as reference, you should be
able to write a program that performs this attack. The example program below
uses libnet functions pulled from the source code and socket functions
previously explained. The Nemesis source code uses the function libnet_get_prand()
to obtain pseudo-random numbers for various IP fields. The function
libnet_seed_prand() is used to seed the randomizer. These functions are
similarly used below.
synflood.c

#include <libnet.h>

#define FLOOD_DELAY 5000 // Delay between packet injects by 5000 ms.

/* Returns an IP in x.x.x.x notation */
char *print_ip(u_long *ip_addr_ptr) {
    return inet_ntoa( *((struct in_addr *)ip_addr_ptr) );
}

int main(int argc, char *argv[]) {
    u_long dest_ip;
    u_short dest_port;
    u_char errbuf[LIBNET_ERRBUF_SIZE], *packet;
    int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H;

    if(argc < 3)
    {
        printf("Usage:\n%s\t <target host> <target port>\n", argv[0]);
        exit(1);
    }