SYN Attack implementation

Source: Internet
Author: User

SYN Attack

Running the netstat -n -p tcp command on the XXX.XX.XXX.XXX machine shows a large number of connections in the SYN_RECEIVED state. They all appear on port 80, and the service on port 80 cannot be reached normally, while other network connections and services are normal. Under normal circumstances, a large number of TCP connections in the SYN_RECEIVED state should not appear, and the source addresses of these connections follow a certain pattern. Based on experience, it can be determined that a malicious party is conducting a DoS (denial of service) attack.

The result of executing the netstat command is as follows:

Active Connections

Proto  Local Address         Foreign Address         State
TCP    127.0.0.1:1025        127.0.0.1:1033          ESTABLISHED
TCP    127.0.0.1:1033        127.0.0.1:1025          ESTABLISHED
TCP    XXX.XX.XXX.XXX:80     1.129.155.213:56048     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     8.71.96.20:18544        SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     17.95.29.168:33072      SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     33.212.238.226:29024    SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     33.250.131.21:46336     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     41.254.157.63:26688     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     44.6.143.72:14352       SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     44.233.0.83:2368        SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     46.172.194.36:60560     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     52.141.107.180:34048    SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     58.92.189.37:59680      SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     147.24.54.140:42160     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     150.41.8.196:50864      SYN_RECEIVED
...
TCP    XXX.XX.XXX.XXX:80     157.176.98.17:49712     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     165.217.228.103:18416   SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     171.191.13.61:64656     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     174.45.224.245:30896    SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     181.118.121.182:23984   SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     191.3.0.46:2864         SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     196.235.126.62:57024    SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     208.104.144.7:50912     SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     209.232.143.50:57248    SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     214.14.49.76:50496      SYN_RECEIVED
TCP    XXX.XX.XXX.XXX:80     223.71.101.172:62528    SYN_RECEIVED
...
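The diagnosis above is done by eye: many SYN_RECEIVED rows, all on one local port, from many different sources. The following script automates that check over netstat output. It is an added example and is not part of the original page: the sample listing is constructed to mirror the page's output (with the masked local address replaced by the documentation address 192.0.2.10), and the column layout of netstat -n -p tcp and the threshold of five half-open connections per port are assumptions.

```python
"""Detect SYN-flood symptoms in `netstat -n -p tcp` output: count half-open
(SYN_RECEIVED) connections per local port and flag ports over a threshold.

Added example, not part of the original page.  The sample listing below is
constructed to mirror the page's output (local address replaced by the
documentation address 192.0.2.10); the column layout and the threshold of
five half-open connections are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample of Windows `netstat -n -p tcp` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         127.0.0.1:1033         ESTABLISHED
  TCP    127.0.0.1:1033         127.0.0.1:1025         ESTABLISHED
  TCP    192.0.2.10:80          1.129.155.213:56048    SYN_RECEIVED
  TCP    192.0.2.10:80          8.71.96.20:18544       SYN_RECEIVED
  TCP    192.0.2.10:80          17.95.29.168:33072     SYN_RECEIVED
  TCP    192.0.2.10:80          33.212.238.226:29024   SYN_RECEIVED
  TCP    192.0.2.10:80          33.250.131.21:46336    SYN_RECEIVED
  TCP    192.0.2.10:80          41.254.157.63:26688    SYN_RECEIVED
  TCP    192.0.2.10:443         198.51.100.7:40001     ESTABLISHED
  TCP    192.0.2.10:22          198.51.100.9:51234     ESTABLISHED
"""

# One TCP row: proto, local endpoint, foreign endpoint, state.  Case-insensitive
# because the page's copy of the output shows "Tcp" and "syn_received".
ROW_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

# Windows prints SYN_RECEIVED; Linux netstat prints SYN_RECV.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); rpartition keeps IPv6 '[...]' intact."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_netstat(text):
    """Return a list of (local_addr, local_port, remote_addr, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, column header or non-TCP row
        laddr, lport = split_endpoint(m.group(1))
        raddr, rport = split_endpoint(m.group(2))
        rows.append((laddr, lport, raddr, rport, m.group(3).upper()))
    return rows


def half_open_summary(rows):
    """Map local_port -> (half-open count, number of distinct remote addresses)."""
    counts = Counter()
    remotes = defaultdict(set)
    for _laddr, lport, raddr, _rport, state in rows:
        if state in HALF_OPEN_STATES:
            counts[lport] += 1
            remotes[lport].add(raddr)
    return {port: (counts[port], len(remotes[port])) for port in counts}


def suspect_ports(rows, threshold=5):
    """Local ports whose half-open count reaches the threshold, worst first.
    Many half-open entries spread over many distinct sources that never finish
    the handshake is the pattern the page describes; a handful of half-open
    entries is normal on a busy server, hence the threshold."""
    summary = half_open_summary(rows)
    flagged = [p for p, (n, _) in summary.items() if n >= threshold]
    return sorted(flagged, key=lambda p: summary[p][0], reverse=True)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for port, (n, distinct) in half_open_summary(parsed).items():
        print(f"port {port}: {n} half-open from {distinct} distinct sources")
    print("suspect ports:", suspect_ports(parsed))
```

On a real host, feed the script the live output (for example, the result of running netstat -n -p tcp and piping it into parse_netstat); the distinct-source count is the useful second signal, since a single misbehaving client produces many half-open entries from one address, whereas the page's listing shows a different source on every row.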

Analysis of the attack method:

Analyzing the output of the netstat command, we can tell that this attack exploits a weakness in TCP itself. Simply put, the attacker sends spoofed IP packets to the target machine, which wastes TCP resources on the target so that it can no longer provide service to normal visitors.

Today many Internet services, including telnet, WWW and email, are built on TCP connections. When a machine (which we call the client) attempts to establish a TCP connection with a machine that provides a service (which we call the server), the two must first exchange several packets in a fixed order before the TCP connection is established.

First, the client sends a packet with the SYN flag set to the server;
After receiving the packet with the SYN flag, the server replies with a packet carrying the SYN-ACK flags to confirm it;
When the client receives the SYN-ACK packet from the server, it sends a packet with the ACK flag to the server.
Once these three steps are complete, the TCP connection is established and data can be exchanged.

Client                Server
   SYN       -->
             <--      SYN-ACK
   ACK       -->

Attackers turn this connection-establishment procedure itself into the attack.

The attacker forges an IP packet that carries the SYN flag and a false source IP address, and sends it to the target machine (the attacked machine).

When the target machine receives the forged packet, it records the source IP address from the packet and sends a packet with the SYN-ACK flags to the machine at that address.

Because the source IP address in the packet is forged, the SYN-ACK sent by the target machine never reaches a host that will answer it. The target machine therefore keeps waiting for the final ACK and retransmits the SYN-ACK several times.

This waiting occupies a certain amount of system resources on the target machine. If the number of such pending connections grows until the system has no resources left to respond to a new connection, no further TCP connections can be established; in other words, the machine can no longer provide normal service.

These resources are released after a certain period of time. The default setting for Windows NT is a 3-second timeout with 5 retries, each retry's timeout being twice the previous one, as shown in the following table:

                          Time spent (seconds)   Cumulative time spent (seconds)
First attempt, failed                3                          3
Retry 1, failed                      6                          9
Retry 2, failed                     12                         21
Retry 3, failed                     24                         45
Retry 4, failed                     48                         93
Retry 5, failed                     96                        189

From the table above, we can see that with the Windows NT defaults, one such attack connection ties up resources for 189 seconds; only after that does the system release them automatically. If the number of such connections reaches a certain level, the system can no longer provide normal service.
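The handshake steps described earlier and the retransmission table above together explain why the half-open entries pile up: each unanswered SYN reserves a slot on the server for the whole 189-second schedule. The model below, an added example that is not part of the original page, plays out a server-side half-open table with exactly that schedule (it generalizes the table to any initial timeout and retry count) and shows a legitimate client being refused while the table is full and succeeding once the stale entries expire. The backlog size, timestamps and addresses are constructed for illustration.

```python
"""Server-side model of the TCP three-way handshake and the half-open
connection table that a SYN flood exhausts, using the Windows NT defaults
from the page (3 s initial timeout, 5 retries, each twice the previous).

Added example, not part of the original page.  Backlog size, timestamps and
addresses are constructed; the retry parameters are the page's defaults and
can be changed to model other stacks."""
from dataclasses import dataclass, field


def retransmission_schedule(initial_timeout=3, retries=5):
    """Return (per-attempt waits, cumulative times).  With the defaults this
    reproduces the page's table: waits 3, 6, ..., 96 and a 189 s total, after
    which the server gives up and frees the half-open entry."""
    waits = [initial_timeout * 2 ** i for i in range(retries + 1)]
    cumulative, total = [], 0
    for w in waits:
        total += w
        cumulative.append(total)
    return waits, cumulative


@dataclass
class HalfOpen:
    client: tuple      # (source addr, source port) copied from the SYN
    created: float     # when the SYN arrived and the SYN-ACK was first sent
    expires: float     # when the last SYN-ACK retry times out


@dataclass
class Listener:
    """A listening socket with a fixed number of half-open slots."""
    backlog: int
    hold_time: float                  # seconds a slot stays reserved without an ACK
    half_open: dict = field(default_factory=dict)
    established: list = field(default_factory=list)
    dropped_syns: int = 0

    def expire(self, now):
        """Free slots whose SYN-ACK retries have all timed out."""
        for key in [k for k, e in self.half_open.items() if e.expires <= now]:
            del self.half_open[key]

    def on_syn(self, now, client):
        """Steps 1-2: a SYN arrives, the server reserves a slot and sends SYN-ACK.
        Returns False when no slot is free (the symptom the page describes)."""
        self.expire(now)
        if client in self.half_open:
            return True                   # retransmitted SYN, slot already held
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[client] = HalfOpen(client, now, now + self.hold_time)
        return True

    def on_ack(self, now, client):
        """Step 3: the client's ACK completes the handshake."""
        self.expire(now)
        if self.half_open.pop(client, None) is None:
            return False                  # no matching half-open entry
        self.established.append(client)
        return True


def scenario(backlog=4):
    """Constructed timeline: SYNs whose source never answers the SYN-ACK fill
    the table; a real client is refused until the 189 s hold time elapses."""
    waits, cumulative = retransmission_schedule()
    srv = Listener(backlog=backlog, hold_time=cumulative[-1])
    # t = 0..backlog-1: one SYN per second from sources that will never ACK.
    for i in range(backlog):
        srv.on_syn(float(i), (f"203.0.113.{i + 1}", 40000 + i))
    full = len(srv.half_open)
    legit = ("198.51.100.7", 51000)
    refused = not srv.on_syn(10.0, legit)          # table is full at t = 10
    accepted = srv.on_syn(195.0, legit)            # stale entries expired by t = 195
    completed = srv.on_ack(195.1, legit)
    return {
        "waits": waits,
        "cumulative": cumulative,
        "half_open_when_full": full,
        "legit_refused_at_10s": refused,
        "legit_accepted_at_195s": accepted,
        "handshake_completed": completed,
        "established": len(srv.established),
        "dropped_syns": srv.dropped_syns,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model makes the defender's levers visible: a larger backlog or a shorter hold time (fewer retries or a smaller initial timeout, which is what the Windows NT SYN-attack hardening described in later guidance amounts to) both reduce how long a single unanswered SYN can keep a slot occupied, and the number of slots divided by the hold time is the rate of unanswered SYNs the listener can absorb before it starts refusing real clients.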
