IP spoofing and SYN flood attacks under the NET platform __net

This is the application of someone else's article:

Summary : Tags : . NET, flood attacks, IP spoofing

Abstract: A method of the IP spoof and SYN Flood Attack based on Micosoft. NET are discussed in this article. TCP SYN Flood Attack and IP spoof program using C # is designed for testing. The testing result are show, IP spoof and SYN Flood Attack is serious problem, based on Micosoft. NET.

Keywords: . NET, SYN Flood Attack, IP spoof

With the development of network technology, the original socket has become more and more widely used in the network security programming. NET as a new platform, the class library encapsulates the original socket, while supporting Ipv6, but also provides a new tool for hackers. This paper discusses Microsoft. NET platform IP spoofing and Synflood attack problem, and using C # Design to implement TCP flood attack and IP spoofing experiments, test results show that Microsoft. NET platform's IP spoofing and Synflood attack problem is serious.

One, Original Socket

Windows Sockets technology is widely used in Windows, open, support a variety of protocol network programming interface, after continuous improvement has become the de facto standard of Windows network programming. The Windows sockets specification defines and records how to use APIs to connect to Internet Protocol families to communicate with each other.

In network programming, you can use sockets for network communication without having to know the details of what happened at the bottom. But sometimes you need to generate some custom data packets or functions, and want to bypass the functionality provided by the socket. The original socket (raw socket) satisfies this requirement. The original socket can generate its own data message based on programming needs, including the header and the contents of the datagram itself. Through the original socket, you can more easily control the various protocols under Windows, and can control the transmission mechanism at the bottom of the network.

1. The creation of the original socket:

Invokes the socket function provided by the System.Net.Socket namespace, in the type parameter of the protocol, indicating the original socket

conn = new Socket (AddressFamily.InterNetwork, SOCKETTYPE.RAW,PROTOCOLTYPE.IP);

The first parameter is the Internet domain, and the second parameter describes a raw socket that provides a link to the IP layer to send and receive ICMP and IGMP information. The third parameter indicates that the protocol package to be received is an IP packet.

2. property settings for the original socket:

Invokes the SetSocketOption function provided by the System.Net.Socket namespace, setting the property connection running at the IP layer, sending and receiving packets.

Conn. SetSocketOption (socketoptionlevel.ip,socketoptionname.headerincluded,1000);

The first parameter indicates that the socket is running at the IP layer, and the second parameter specifies that the socket provides the IP header data, and the third parameters specify the Lingeroption instance containing the option value.

3. link to original socket:

Call the functions provided by the System..net.socket namespace connect, IPAddress, IPEndPoint link to the specified server.

private static IPAddress Hostadd=ipaddress.parse ("210.40.7.155");//server IP address

Datetimehost = new IPEndPoint (hostadd, 8080);//Port number

Conn. Connect (Datetimehost);

4. Send the original socket:

Call the function sent by the System..net.socket namespace, send the data data in the buffer

Conn. Send (tmpbuf,tmpbuf.length,0);

The first parameter specifies the name of the buffer to send, the second parameter provides the buffer size, and the third parameter specifies the flag to send the message.

System.Net.Sockets namespaces under the Net architecture

Under the. NET architecture, namespaces are the encapsulation of a class, and each class is encapsulated into a namespace. In the. NET Library, system is the top-level namespace, and any other namespace exists under that namespace. The base class for all objects is derived from the object class within the System namespace. The System.Net namespace provides a simplified programming interface for many of the protocols used in today's networks. The socket class is an important class of System.Net.Sockets namespaces for implementing Berkeley sockets interfaces. The socket class establishes a controlled version of the Internet Transport Service and implements the Windows socket interface for developers who need further control over network access. When a socket is established, it establishes a connection to the terminal through the Connect method. The data is sent through the Send and SendTo methods, and after it is used, the shutdown method is invoked to invalidate the socket, or close with the closing method. The Socketoption class defines socket options (all integers) for the socket class. The SocketShutdown class defines constants (all integers) that are used by the shutdown method. The ProtocolType class specifies the protocols supported by the socket class. The AddressFamily class specifies the address family that an instance of the socket class can use. The SocketType class specifies the type of socket that the socket class instance represents. They are all contained in the object child hierarchy.

Third, IP Deception and Synflood Fundamentals

1. IP Camouflage response:

Each IP packet has a source address, and an attacker can forge the source address, hiding the attacker's actions from other network behavior while hiding the identity of the attackers. This allows the system administrator of the target host to be busy looking for these spoofed IP addresses. Attackers disguise IP to avoid detection. All responses to the target system will be sent to the IP address being camouflaged. The response depends on the protocol used to disguise the packet, the target system can get the requested service, the filter between the attacker and the target host, whether the fake IP address exists, and the filtering facilities between the target host and the camouflaged IP address. For TCP packets, the response form of the disguise request is limited. When we send a spoofed TCP packet to the target host with a SYN flag set, if it is sent to a closed port on the target host, the target host will send a rst-ack packet to the spoofed IP address. If the address is present, it discards the packet; if it does not exist, the intermediate routers respond to an ICMP Destination Unreachable message, the target host ignores ICMP error messages, and Syn-ack packets until TCP times out, and the target system sends RET to the masquerade address. When we send spoofed packets to an open port on the target host, a syn-ack packet is sent to the spoofed IP address. If the address exists, the spoofed IP address responds to the unexpected syn-ack and sends back a RST packet to the target host, and if the IP address that is camouflaged does not exist, the intermediate router sends an ICMP target to the target host that cannot reach the packet, and the target ignores the ICMP error message. Resend the Syn-ack packet until TCP times out, and the target system sends a RET to the masquerade address. As can be seen from the above process, because the target host always want to complete TCP three times handshake, a simple camouflage SYN packet can generate 7 Syn-ack packets, each Syn-ack packet will also generate an ICMP host can not reach the packet. Finally, a RST packet is generated and an ICMP error packet is also generated. This allows only a disguised source packet to trigger 16 response packets, consuming a large amount of network bandwidth.

If the attacked host receives an unknown ACK packet, it sends a RST-ACK packet to the camouflaged IP address. If the camouflage IP exists, then the masked host will throw the Rst-ack packet away; If the masquerade IP address does not exist, the intermediary router sends a message to the attacked host that the ICMP destination cannot reach. If the fake ACK packet is to be sent to a non-existent attacked host, then an intermediary router to the corresponding camouflage IP address of the host to send an ICMP target unreachable message, if the disguise of the IP exists, then the host will be disguised to throw away the ICMP; if the fake IP does not exist , the intermediate router discards the ICMP error message, but does not generate its own ICMP Destination Unreachable message.

2. Basic principles of Synflood attack:

SYN Flood is one of the most popular DOS (Denial-of-service) and DDoS (distributed denial of service) attacks, a way to exploit TCP protocol flaws, send a large number of spoofed TCP connection requests, and thus allow an attacker to run out of resources (full or low on memory). TCP is based on connectivity, in order to transfer TCP data between the server and the client, you must first establish a virtual circuit, that is, a TCP connection, the process of establishing a TCP connection is: The first step, the client host to send a SYN flag with a TCP message initialization connection, SYN is synchronous (