Describe the creation of open connections to overload system resources and disrupt or deny access for legitimate requests.
- [Voiceover] The most common technique used in denial-of-service attacks is the TCP SYN flood. We can test resilience to flooding by using the hping3 tool, which comes in Kali Linux. This is very simple to use. The TCP handshake takes a three-phase connection of SYN, SYN-ACK, and ACK packets. When the SYN packet arrives, a buffer is allocated to provide state information for the session. A TCP SYN flood happens when this three-packet handshake doesn't complete properly.
I'll open a terminal window and take a look at hping3. As we can see, hping3 is a multipurpose network packet tool with a wide variety of uses, and it's extremely useful for testing and supporting systems. The count option, specified by minus C or minus minus count, determines how many packets will be sent. If this is omitted, packets will be sent until the tool is terminated with Control-C. An important option for testing denial-of-service is the interval, specified by minus I, which determines how fast the packets are sent to the target.
The faster the packets are sent, the sooner the resources become consumed. However, too fast, and there's a risk of countermeasures being deployed. Hping3 has six modes, the default being TCP mode. It can also operate using the ICMP and UDP protocols and run in scan and listen modes. Each mode has its own set of options that determine exactly how it operates. I won't go into all the options in detail, but if you want to get more familiar with the tool, you may find it useful to download the hping3 cheat sheet from the Packet Storm site.
Okay, let's get into hping3. I'll do a straightforward ICMP ping to my Windows 10 system on 192.168.1.8 using hping3. I'll use the minus one option for an ICMP packet. I'll run this fast and do five packets. (keyboard clicking) Okay, we can see the responses. The UDP/TCP set of options offers a wide range of packets to be generated. To run a TCP SYN attack, I'll issue the command hping3 using the default TCP mode with the flag minus S to indicate that a SYN packet is to be generated, minus P445 to specify that the destination port is 445, and I'll use the minus minus flood option to specify a high emission rate to enable flooding.
Each packet in this attack will look like a standard connection request to the target, and it will send back a SYN-ACK packet. However, hping3 does not send back an ACK packet, and so it doesn't complete the handshake. I'm running the performance monitor in my Windows 10 system, and we can see it's idling along. Okay, let's run the TCP SYN attack. Here we go. (keyboard clicking) Back in Windows, we can see the CPU utilization spiked up and is now continuously running round about 45%.
This is a significant workload. Let's run that again, now with the data size increased to 1200 bytes. (keyboard clicking) We can see that the additional data size has increased the CPU utilization, which is spiking up to about 60%. I'm using a standard computer and network setup, but can certainly stress the target. Using a powerful emitter or multiple emitters, and a good source bandwidth, the TCP SYN attack will result in serious response problems for the target system. I'll stop this attack now. Hping3 is a useful tool to test the target system's resilience to the TCP SYN attack.
A variation of the TCP SYN attack is the local area network denial (LAND) attack, which uses the TCP SYN attack on an open port with the source and destination IP addresses and ports the same. When it was first discovered, this caused a vulnerable target to lock up, continuously trying to make connections to itself. I'll send this attack to my Windows 10 target. (keyboard clicking) In this case, when the flood starts, Windows recognizes it as a LAND attack and handles it without any significant impact.
Many operating systems addressed this issue some time ago, but it occasionally reappears as it did when Windows 2003 was released.
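The detection side of what the voiceover describes, as an added example that is not part of the course or of hping3: a small Python model of the server's half-open table, where a SYN allocates a slot that only the client's completing ACK (or a timeout) releases, plus a check for LAND packets whose source and destination address and port are identical. The packet records, addresses, window and threshold are constructed for illustration.

```python
"""Flag SYN-flood and LAND patterns in a constructed stream of TCP packet records.

Each record is (timestamp, src_ip, src_port, dst_ip, dst_port, flags).  A SYN
creates a half-open entry, the client's ACK releases it, and entries older than
`window` seconds expire, approximating the server's backlog timer.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

def is_land(p):
    """LAND packet: a SYN whose source and destination IP and port are the same."""
    return "S" in p.flags and p.src == p.dst and p.sport == p.dport

def half_open_peak(packets, window=1.0):
    """Return the largest number of half-open connections held at any moment."""
    table = {}  # (src_ip, src_port) -> timestamp of the SYN that allocated the slot
    peak = 0
    for p in packets:
        key = (p.src, p.sport)
        # expire stale half-open entries the way a backlog timer would
        for k in [k for k, t in table.items() if p.ts - t > window]:
            del table[k]
        if p.flags == "S":
            table[key] = p.ts          # SYN arrived: state allocated
        elif p.flags == "A" and key in table:
            del table[key]             # handshake completed: state released
        peak = max(peak, len(table))
    return peak

def classify(packets, window=1.0, threshold=50):
    """Summarise LAND packets and whether the half-open backlog exceeded `threshold`."""
    land = [p for p in packets if is_land(p)]
    peak = half_open_peak([p for p in packets if not is_land(p)], window)
    return {"land_packets": len(land), "half_open_peak": peak, "syn_flood": peak > threshold}

# Constructed sample (placeholder addresses): one legitimate handshake to port 445,
# then 100 SYNs from one host that are never completed, then two LAND packets.
SAMPLE = [Pkt(0.00, "192.168.1.20", 40000, "192.168.1.8", 445, "S"),
          Pkt(0.01, "192.168.1.20", 40000, "192.168.1.8", 445, "A")]
SAMPLE += [Pkt(0.10 + i * 0.001, "192.168.1.50", 50000 + i, "192.168.1.8", 445, "S")
           for i in range(100)]
SAMPLE += [Pkt(0.30, "192.168.1.8", 445, "192.168.1.8", 445, "S")] * 2

if __name__ == "__main__":
    print(classify(SAMPLE))  # {'land_packets': 2, 'half_open_peak': 100, 'syn_flood': True}
```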
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.