SYN flooding was one of the early forms of denial of service. In this video, learn about how the TCP SYN packet can be used to flood a local network and how to use the hping3 utility to do this.
- [Instructor] The most common technique used in denial of service attacks is the TCP SYN flood. We can test resilience to flooding by using the hping3 tool which comes in Kali Linux. This is very simple to use. The TCP handshake takes a three-phase connection of SYN, SYN-ACK, and ACK packets. When the SYN packet arrives, a buffer is allocated to provide state information for the session. The TCP SYN flood happens when this three-packet handshake doesn't complete properly. I'll open a terminal window and take a look at hping3. As we can see, hping3 is a multi-purpose network packet tool with a wide variety of uses, and it's extremely useful for testing and supporting systems. The count option, specified by -C or --count, determines how many packets will be sent. If this is omitted, packets will be sent until the tool is terminated with Ctrl+C. An important option for testing denial of service is the interval, specified by -I, which determines how fast the packets are sent to the target. The faster the packets are sent, the sooner resources become consumed. However, too fast, and there's a risk of countermeasures being deployed. Hping3 has six modes, the default being TCP mode. It can also operate using the ICMP and UDP protocols and running scan and listen mode. Each mode has its own set of options that determine exactly how it operates. I won't go into all the options in detail, but if you want to get more familiar with the tool, you may find it useful to download the hping3 cheat sheet from the Packet Storm site. Okay, let's get into hping3. I'll do a straightforward ICMP ping to my Windows 10 system on 192.168.1.8 using hping3. I'll use the -1 option for an ICMP packet. I'll run this fast and do five packets. Okay, we can see the responses. The UDP TCP set of options are for a wide range of packets to be generated. To run a TCP SYN attack, I'll issue the command hping3 using the default TCP mode with the flag -S to indicate that a SYN packet is to be generated, - p 445 to specify the destination port is 445, and I'll use the --flood option to specify a high omission rate to enable flooding. Each packet in this attack will look like a standard connection request to the target and it will send back a SYN-ACK packet. However, hping3 does not send back an ACK packet, and so it doesn't complete the handshake. I'm running the performance monitor in my Windows 10 system and we can see it's idling along. Let's run the TCP SYN attack. Here we go. Back in Windows, we can see the CPU utilization spiked up and is now continuously running round about 45%. This is a significant workload. Let's run that again, now with the data size increased to 1200 bytes. We can see that the additional data size has increased the CPU utilization. I'm using a standard computer network setup, but can certainly stress the targets. Using a powerful omitter or multiple omitters and a good source bandwidth, the TCP SYN attack will result in serious response problems for the target system. We can see that the additional data size has increased the CPU utilization, which is spiking up to about 60%. I'm using a standard computer and network setup, but can certainly stress the target. Using a powerful omitter or multiple omitters and a good source bandwidth, the TCP SYN attack will result in serious response problems for the target system. I'll stop this attack now. Hping3 is a useful tool to test the target system's resilience to the TCP SYN attack. A variation of the TCP SYN attack is the local area network denial attack, which uses the TCP SYN attack on an open port, with the source and destination IP addresses and ports the same. When it was first discovered, this caused a vulnerable target to lock up continuously trying to make connections to itself. I'll send this attack to my Windows 10 target. In this case, when the flood starts, Windows recognizes it as a land attack and handles it without any significant impact. Many operating systems addressed this issue some time ago, but it occasionally reappears as it did when Windows 2003 was released.
- What is denial of service?
- TCP SYN, Smurf, and UDP flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding a SIP server
- Detecting P2P attacks with PeerShark
- Defeating DoS attacks