
Posted by : Beauty Cyber Squad Official Friday, August 9, 2019

Under normal conditions, the client application sends a TCP SYN packet to synchronize with the application on the server (recipient). The server responds with an acknowledgment in the form of a TCP SYN ACK packet. Once the client (sender) has received the TCP SYN ACK packet properly, it sends an ACK packet to signal that the exchange of data will begin.

In a SYN flood attack, the client floods the server with many TCP SYN packets. Each TCP SYN packet causes the server to respond with a TCP SYN ACK packet. The server keeps a record of each pending connection (in a backlog queue) while it waits for the TCP ACK response from the client that sent the TCP SYN packet. The backlog queue is limited and usually occupies only a small amount of memory. When the backlog queue is full, the system does not respond to any further incoming TCP SYN packets; put simply, the system looks blank or hung. Unfortunately, an entry is only removed from the backlog when the TCP timer expires, indicating that no response came from the sending client. This internal TCP timer is usually set quite long.

The key to a SYN attack is to flood the server with TCP SYN packets that use random (spoofed) source IP addresses. Because the source IP address does not exist, no TCP ACK is ever sent in response to the server's TCP SYN ACK packets. In this way the server looks blank and does not process responses for a long time. Various computer vendors have now added defenses against this SYN attack, and firewall programmers also guarantee that their firewalls do not send packets with chaotic source IP addresses.



In this SYN attack the attacker sends a large volume of SYN packets to the ports of the target host, with invalid source addresses or contents. The host that receives these packets becomes confused and sends SYN ACK packets that have no destination. As a result, a lot of SYN data is lost in the router, and the router crashes because it is waiting for a reply from the computer at the address given in the original SYN.


How to Attack:

1. Open the terminal or CTRL + ALT + T
2. Then type the command sudo apt-get install hping3
3. Wait for the process to finish.
4. To find out the features of hping3, you can read the documentation by typing man hping3 or hping3 --help in the terminal.

To perform a SYN flood, we use the hping3 that was installed earlier. Here is how to do it.
1. Open the terminal.
2. Type the command hping3 -I wlan0 -c 1000000 --faster -S 10.10.10.1

Information:
-I = the interface used to join the network
-c = count of packets to be sent; in broad terms, the packet to be sent is 1000000 bytes
--faster = the speed of the 1000 data that will be sent in the network
-S = source or destination to which this flooding packet will be sent

Prevention:


Blocking null packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

-A = add rule
-p = protocol
The firewall takes all incoming packets that are marked with the ALL NONE flags and drops them. Attackers use this pattern to probe how we have configured the VPN and to find weaknesses.


Next, to reject the SYN attack:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
A SYN flood attack means the attacker opens a new connection but with empty packets (i.e. SYN, ACK).

The following rule drops packets that have every TCP flag set:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
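
To check whether a server is accumulating the half-open backlog entries described above, the following added example (not part of the original post) parses the Linux /proc/net/tcp table and counts connections stuck in SYN_RECV per listening port. The sample table, the function names and the alert threshold are assumptions made for illustration.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = "03"  # state code /proc/net/tcp uses for a half-open (SYN received) entry

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 010A0A0A:0050 0700A8C0:C001 03 00000000:00000000 01:00000064 00000002     0        0 0
   2: 010A0A0A:0050 2A0210AC:9C40 03 00000000:00000000 01:00000064 00000002     0        0 0
   3: 010A0A0A:0050 6301000A:D431 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 010A0A0A:0016 0500A8C0:E2B4 01 00000000:00000000 00:00000000 00000000     0        0 1002
"""

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4, port); the address is little-endian."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_port(text):
    """Map each local port to the remote IPs of its entries still in SYN_RECV."""
    pending = defaultdict(list)
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != SYN_RECV:
            continue  # LISTEN, ESTABLISHED etc. do not occupy the SYN backlog
        _, local_port = decode_endpoint(cols[1])
        remote_ip, _ = decode_endpoint(cols[2])
        pending[local_port].append(remote_ip)
    return dict(pending)

def ports_over_threshold(text, threshold):
    """Ports whose number of half-open entries has reached the (assumed) threshold."""
    counts = half_open_by_port(text)
    return sorted(port for port, srcs in counts.items() if len(srcs) >= threshold)

if __name__ == "__main__":
    for port, sources in half_open_by_port(SAMPLE).items():
        print(f"port {port}: {len(sources)} half-open, {len(set(sources))} distinct sources")
    print("alert on ports:", ports_over_threshold(SAMPLE, threshold=3))
```

On a live Linux host, pass the contents of /proc/net/tcp instead of SAMPLE and choose the threshold relative to the configured SYN backlog size (net.ipv4.tcp_max_syn_backlog).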
