Sunday, December 16, 2012

Synflooding using hping and with payload

A very common L4 attack used against any TCP service is the SYN-flood attack. With this attack we try to exhaust the TCP session table and the resources of the destination server. hping, t50 and mausezahn are all good tools for crafting this type of traffic. In this scenario I'm using hping against a virtual host at IP address 1.1.1.1, tcp/80.

The switches for this type of attack are simple:

hping -a "insertmyspoofaddress"  -S -d 500 -p 80  -i em0 1.1.1.1

The above tells hping to send SYN packets (-S) carrying a 500-byte data payload (-d 500), from a spoofed source address (-a), against the target host 1.1.1.1 on port 80 (-p 80).

I could also have used random spoofed source addresses, which is more typical for this type of attack:

hping  --rand-source -S -d 500 -p 80 -i em0 www.microsoft.com
(yes, I hate Windows :) )

NOTE: You will need super-user (root) privileges on the attacking host, due to the permissions required for opening ports greater than 1024; otherwise you will get the following errors:

$ hping -a -S -d 500 -p 80 -i em0 1.1.1.1
[open_sockraw] socket(): Permission denied
[main] can't open



Okay, simple enough. Now, why would one do this?

Easily to exhaust services on a host, plus the fact that most firewalls will allow this type of traffic through unchallenged. Because of this gap, and with no mitigation or alerting device in place, you are susceptible to a simple L4 attack. The data payload attached to this attack could also flood the target destination and cause issues within the attacked network's monitoring systems.

This type of attack is not as effective when a CDN or SLB is in place, since these systems distribute traffic amongst all available servers at that edge server (CDN) or across all active and up real-servers mapped on the SLB, thus reducing the impact on any single host IP address.

To mitigate this attack you have a choice of options, but the easiest is to apply a filter that says: if any SYN packet, or even a SYN-ACK, arrives with a payload, drop the datagram. You can do this on most firewalls, or better yet on an IDS/IPS system.


e.g.

# kfelix snort rules LOCATION SEATTLE

var INTERNALNET01 217.x.x.0/24

var HTTP 80
var HTTPS 443
var MAIL 25
var POP  110
var EXTERNAL_NET !$INTERNALNET01

# SYN (only) with a payload, and SYN-ACK with a payload, arriving at our net.
# The sid values are placeholders from the local rule range (>= 1000000).
alert tcp $EXTERNAL_NET any -> $INTERNALNET01 any (flags:S; dsize:1<>1460; msg:"SYN with data"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $INTERNALNET01 any (flags:SA; dsize:1<>1460; msg:"SYN ACK with data"; sid:1000002; rev:1;)


So now we have some type of protection from SYN-flood attacks, specifically SYN or SYN-ACK floods where a data payload is present. I would use a snort rule checker like porcus to validate the rules before submitting and loading them. But the above will give you a basic idea of how to alert on packets of this nature.

You could do the same for any FIN and FIN-ACK datagrams.

Now, to detect this, you can use wireshark or tshark to monitor:

tshark -n -i eth1 -f 'tcp[13]==2' -R 'tcp.len > 0'
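As an added example that is not part of the original post, here is a small Python script that applies the same test as the two Snort rules and the tshark filter above to packets held in memory: it parses the IPv4 and TCP headers, computes the payload length the way tshark's tcp.len and Snort's dsize do (IP total length minus both headers), and flags any SYN or SYN-ACK segment from outside the internal net that carries data. The internal network (192.0.2.0/24, standing in for $INTERNALNET01), the external client address, the sample packets and all helper names are my own constructions. Two deliberate differences from the rules: it alerts on any payload length greater than zero rather than the exclusive dsize range 1<>1460, and it masks the ECN bits (ECE/CWR) before comparing flags, so a SYN that also negotiates ECN is still caught, which the exact-match capture filter tcp[13]==2 would miss.

```python
"""Added example (not from the original post): a small IPv4/TCP parser that
applies the same test as the Snort rules and the tshark filter above --
flag any SYN or SYN-ACK segment that arrives with a data payload.
All packets below are constructed in-memory test data; nothing is sent."""
import ipaddress
import struct

# TCP flag bits in the flags byte (tcp[13]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80

# Stand-in for the post's $INTERNALNET01 (217.x.x.0/24); RFC 5737 test range.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build an IPv4 + TCP packet (no options, checksums left zero) as test input."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Decode the fields the rules need; return None for anything not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # IP protocol 6 = TCP
        return None
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": str(ipaddress.ip_address(pkt[12:16])),
        "dst": str(ipaddress.ip_address(pkt[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        # Same quantity as tshark's tcp.len / Snort's dsize:
        # IP total length minus IP header minus TCP header.
        "payload_len": total_len - ihl - data_off,
    }


def classify(pkt, internal_net=INTERNAL_NET):
    """Return the Snort msg that would fire for this packet, or None.

    Mirrors '$EXTERNAL_NET any -> $INTERNALNET01 any' with flags S / SA.
    ECE/CWR are masked off so a SYN that also negotiates ECN is still caught;
    the exact-match capture filter tcp[13]==2 would miss that case."""
    p = parse_ipv4_tcp(pkt)
    if p is None or p["payload_len"] <= 0:
        return None
    src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
    if src in internal_net or dst not in internal_net:
        return None
    core = p["flags"] & ~(TCP_ECE | TCP_CWR) & 0xFF
    if core == TCP_SYN:
        return "SYN with data"
    if core == TCP_SYN | TCP_ACK:
        return "SYN ACK with data"
    return None


def scan(packets):
    """Run classify() over a packet list; return (index, msg, src, dst, payload_len) hits."""
    hits = []
    for i, pkt in enumerate(packets):
        msg = classify(pkt)
        if msg:
            p = parse_ipv4_tcp(pkt)
            hits.append((i, msg, p["src"], p["dst"], p["payload_len"]))
    return hits


# Constructed sample traffic: one external client (203.0.113.5) talking to a
# web server inside INTERNAL_NET, plus one packet in the reverse direction.
SAMPLE_PACKETS = [
    build_packet("203.0.113.5", "192.0.2.10", 40000, 80, TCP_SYN),                    # plain SYN
    build_packet("203.0.113.5", "192.0.2.10", 40001, 80, TCP_SYN, b"A" * 500),        # SYN + 500 B (-d 500)
    build_packet("203.0.113.5", "192.0.2.10", 40002, 80, TCP_SYN | TCP_ACK, b"B" * 40),
    build_packet("203.0.113.5", "192.0.2.10", 40003, 80, TCP_ACK | TCP_PSH,
                 b"GET / HTTP/1.0\r\n\r\n"),                                          # normal data segment
    build_packet("203.0.113.5", "192.0.2.10", 40004, 80, TCP_SYN | TCP_ECE | TCP_CWR, b"C" * 12),
    build_packet("192.0.2.10", "203.0.113.5", 80, 40001, TCP_SYN | TCP_ACK, b"B" * 40),  # leaving our net
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print("pkt %d: %s  %s -> %s  payload=%d bytes" % hit)
```

Running it prints one line for each of the three packets that would trip the rules (the 500-byte SYN, the SYN-ACK with data, and the ECN-marked SYN with data); the plain SYN, the ordinary ACK/PSH data segment and the packet leaving the internal net stay silent. To apply the same logic to real traffic, feed parse_ipv4_tcp() the IP layer of each frame from a capture.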

I hope you found this post helpful, &  happy  packet forging

Ken Felix
Freelance Network Security Engineer
kfelix at hyperfeed dot com
