    SYN Flood

    A SYN Flood is a Denial of Service attack which exploits a weakness in how a vulnerable TCP implementation handles new connections. A vulnerable implementation allocates host resources (Transmission Control Blocks) for every connection request. Because a host's memory is limited, only a certain number of connections can be in progress at any given time. The SYN Flood attack takes advantage of this limit by exhausting all memory allocated for new connections. It does this by sending a large number of SYN packets to begin the three-way handshake, but never replying to the server's SYN/ACK responses. The server is left with many half-open connections which expire after a certain timeout, only to be replaced by a fresh flood of SYN packets. In the meantime, all legitimate requests are dropped because the server's capacity to accept new connections is exhausted.

    Packet Trace

    Below is the packet trace of a typical SYN Flood attack. The target is a Windows XP machine with an open NetBIOS session port (netbios-ssn, TCP 139):

    0.000000 192.168.1.66 -> 192.168.1.250 TCP 24345 > netbios-ssn [SYN] Seq=0 Len=0
    0.000694 192.168.1.66 -> 192.168.1.250 TCP 15869 > netbios-ssn [SYN] Seq=0 Len=0
    0.001019 192.168.1.66 -> 192.168.1.250 TCP 32851 > netbios-ssn [SYN] Seq=0 Len=0
    0.001337 192.168.1.66 -> 192.168.1.250 TCP 39007 > netbios-ssn [SYN] Seq=0 Len=0
    ...
    

    Defenses

    A defensive mechanism was suggested by Phil Karn and later developed by Daniel J. Bernstein and Eric Schenk which limits the resources allocated to a new connection by storing only minimal session data until a valid ACK packet is received. The validity of an ACK packet is established by verifying a specially crafted sequence number that was previously supplied in the SYN/ACK packet. This crafted sequence number, known as a SYN Cookie, contains all of the information necessary to reconstruct the handshake and establish a legitimate connection. As a result, the half-open connections caused by a SYN Flood attack can no longer lead to resource exhaustion.
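    As an added example, not code from the original post, here is a simplified Python model of the SYN Cookie scheme described above. The 5-bit time counter, 3-bit MSS index and 24-bit keyed hash follow Bernstein's published layout; the secret key, the MSS table, the client/server addresses and the one-tick freshness window are assumptions for the demonstration and do not reproduce any real kernel implementation.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real server derives a random secret at boot.
SECRET = b"demo-secret-not-for-production"
# Small table of common MSS values (assumed); the cookie carries a 3-bit index
# into it rather than the raw MSS, so the server can still pick a sane segment size.
MSS_TABLE = (536, 1300, 1440, 1460)


def _hash24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash over the connection 4-tuple and the coarse time counter t."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, t):
    """ISN the server sends in its SYN/ACK instead of allocating a TCB.
    Layout: 5 bits of t | 3-bit MSS index | 24-bit keyed hash."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_syn_cookie(saddr, sport, daddr, dport, ack, t_now, max_age=1):
    """Validate the handshake-completing ACK without any stored per-connection state.
    Returns the recovered MSS, or None if the cookie is stale or forged."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client acknowledges ISN + 1
    age = (t_now - (cookie >> 27)) & 0x1F      # rebuild t from its low 5 bits
    if age > max_age:
        return None                            # too old: expired or replayed
    t = t_now - age
    expected = _hash24(saddr, sport, daddr, dport, t).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                            # forged, or belongs to another 4-tuple
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Client and server taken from the trace above; t would be time.time() // 64 in practice.
    c, s, t = "192.168.1.66", "192.168.1.250", 100
    isn = make_syn_cookie(c, 24345, s, 139, 1460, t)
    print("valid ACK  ->", check_syn_cookie(c, 24345, s, 139, isn + 1, t + 1))  # 1460
    print("stale ACK  ->", check_syn_cookie(c, 24345, s, 139, isn + 1, t + 2))  # None
    print("forged ACK ->", check_syn_cookie(c, 24345, s, 139, isn + 7, t))      # None
```

    Because the server keeps nothing between the SYN and the ACK, a flood of unanswered SYNs costs it only the SYN/ACK it sends, which is exactly the property the paragraph above describes.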

    LAND Attack

    LAND Attack is a Denial of Service attack which uses a specially crafted TCP SYN packet whose source and destination addresses are both set to the target's IP address and whose source and destination ports are both set to an open port on the target. The name comes from the original exploit filename, land.c.

    The attack was first documented in a 1997 Bugtraq post by m3lt. While the original post targeted vulnerable Windows 95 machines, similar problems were later discovered in a wide range of operating systems and networked devices. The LAND Attack made a comeback in 2005, when Dejan Levaja discovered that Windows XP SP2 and Windows 2003 machines were once again vulnerable. The attack was further expanded by Synister Syntax with a Remote LAND variation targeting networked devices such as home users' routers.

    Packet Trace

    0.077410 192.168.1.104 -> 192.168.1.104 TCP ssh > ssh [SYN] Seq=272426932 Len=0
    0.100969 192.168.1.104 -> 192.168.1.104 TCP ssh > ssh [SYN] Seq=1054004629 Len=0
    0.120631 192.168.1.104 -> 192.168.1.104 TCP ssh > ssh [SYN] Seq=1017551070 Len=0
    0.136919 192.168.1.104 -> 192.168.1.104 TCP ssh > ssh [SYN] Seq=482747538 Len=0
    0.152913 192.168.1.104 -> 192.168.1.104 TCP ssh > ssh [SYN] Seq=1818041971 Len=0
    0.168945 192.168.1.104 -> 192.168.1.104 TCP ssh > ssh [SYN] Seq=1020576642 Len=0
    ...
    

    External Links

    • [Common Denial of Service Attacks by David Slee](http://www.infosecwriters.com/text_resources/pdf/DSlee_Denial_of_Service_Attacks.pdf)

    Published on April 1st, 2009 by iphelix
