Stratos Ally

SYN Flood Attack and Its Detection

**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.** 

SYN flooding is a type of DoS attack. Denial of Service attacks are attacks used to compromise the availability of a given network, service, or system by overwhelming it with a massive volume of traffic or requests. It makes the target unable to respond to the legitimate users; hence, the attack effectively shuts the target system down. DoS attacks target many layers of the network infrastructure. 

Understanding SYN flooding requires knowledge of two networking concepts: flooding attacks and TCP connect scans. SYN flood is one of the most effective DoS attacks, and it works by exploiting the TCP three-way handshake process. 

The TCP three-way handshake establishes a connection between a client and a server, or between any two devices. It is a prerequisite for exchanging data in a reliable, connection-oriented way. Before any information is transmitted, TCP sets up the connection with three segments:  

Client to server SYN segment (SYN Flag = 1): The client asks the server to open a connection. The connection is initiated from a random (ephemeral) port on the client to a well-known port on the server. This segment carries the client's initial sequence number, which numbers the first byte the client will send.  

Server to client SYN-ACK (SYN=1, ACK=1): The server replies with SYN=1 and ACK=1 to indicate that the connection request has been accepted and to acknowledge the client's sequence number. The server also announces its own initial sequence number, which the client will acknowledge in the next segment, and advertises the size of the receive buffer (window) it has set aside for the connection.  

Client to server ACK (ACK=1): In the third segment, the client acknowledges the server's SYN-ACK (and its sequence number) and informs the server about the size of the buffer it allocates for the connection.  

After the connection has been established, data transmission initiates between the two ends. 

SYN flooding targets the TCP three-way handshake. The attacker bombards the target system with a flood of TCP SYN packets, usually with spoofed source IP addresses. For every SYN packet it receives, the target allocates connection state and sends a SYN-ACK, but the final ACK that would complete the handshake never arrives. The result is a large number of half-open connections that tie up the target's resources and leave it unable to serve legitimate traffic. SYN flooding is therefore a powerful way to disrupt network services, and it works by exploiting the trust the TCP handshake places in the client to finish the exchange. 

Knowing the concepts of general flooding techniques and the inner workings of TCP connect scans can give a lot of insight into how SYN flooding works and why it can be such a potent method to overwhelm target systems. These base concepts provide a critical context for elaboration on the details of SYN flooding, its impact on network resources, and the methods used to detect and mitigate such attacks. 

Generating TCP SYN Flood Attacks: 

To generate TCP SYN flood attacks, we can use the hping3 command available in Kali Linux. 

First, install it using the command: 

$ sudo apt-get install hping3 

We need to scan for our target system details including its IP address. One way of doing this is by performing an ARP scan: 

$ arp-scan ip_range 

We are using Windows Server as our target system. 

Now we check for open ports on it by conducting an Nmap scan: 

$ nmap target_IPaddress 

We can see that port 5357 is open. We can use this port to conduct a SYN flood attack. 

Before we perform the SYN flooding, let us check the current CPU utilization of the Windows Server. Check it by opening Task Manager -> Performance -> CPU 

We can see that 29% of CPU is being utilized. 

Now, to conduct SYN flooding, use the hping3 command. The general syntax is: 

$ hping3 -c <number of packets to send> -d <packet size> -S -w <TCP Window Size> -p <destination port number> --flood --rand-source <attacked address> 

We will send 1,500 packets (-c 5000) at a size of 128 bytes (-d 128) each, with the SYN flag (-S) enabled, and the TCP window size is 128 bytes (-w 128). To direct the attack to the victim's web server, we specify port 80 (-p 80) and use the --flood flag to send packets at an aggressive packet rate. The --rand-source flag generates random IP addresses to hide the real source, avoid detection, and prevent the victim's SYN-ACK reply packets from reaching back to the attacker. 

Now, in our target Windows Server operating system, we can see that the CPU utilization has drastically increased to 100%. Even memory utilization has spiked. 

The resources of the target system are consumed in acknowledging the continuous flood of SYN packets, thereby preventing it from responding to legitimate requests. 

We have performed a DoS (Denial of Service) attack using TCP SYN flooding. 

Detecting TCP SYN Attacks: 

TCP SYN attack detection can be achieved using several techniques. First, network traffic is analyzed using tools such as Wireshark. It is important to note the difference between a SYN scan and a SYN flood attack. The former is a technique used to probe various TCP ports and see which ones answer as open, while the latter sends a target device huge volumes of TCP SYN packets to overwhelm it.  

Standard firewall configurations usually block TCP scans. In contrast, countermeasures against TCP SYN attacks depend on intrusion detection system rules, which are activated only when an attack is suspected.  

To identify SYN attacks, security experts could use packet analyzers, such as Wireshark, or high-end firewalls/security devices that support deep packet inspection.  

Below is the capture of the TCP SYN flooding we conducted previously on Windows Server: 

In the captured Wireshark screenshot above, there is a lineup of SYN packets all destined for the same destination IP address, with randomized source addresses and a destination port of 5357. A significant indicator of an aggressive attack is the time difference between these packets: a matter of tens of microseconds. The info field also confirms that these are SYN packets. 
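The following is an added example, not code from the original article: a small Python script that replays the handshake described earlier to count the half-open connections a SYN flood leaves behind, and scores a capture against the indicators named above (many SYNs to one destination port, near-unique source addresses, inter-arrival gaps of microseconds). The packet records are constructed to mirror the screenshot, and the flagging thresholds are assumptions to tune per environment.

```python
from collections import namedtuple

# Constructed packet record: ts = capture timestamp in seconds, syn/ack = TCP flag bits
Pkt = namedtuple("Pkt", "ts src dst sport dport syn ack")

def half_open_connections(pkts):
    """Replay the handshake per flow; return flows with a client SYN but no final ACK."""
    state = {}
    for p in pkts:
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.syn and not p.ack:                # step 1: client SYN
            state[flow] = "SYN_RCVD"
        elif p.syn and p.ack:                  # step 2: server SYN-ACK (reverse direction)
            rev = (p.dst, p.dport, p.src, p.sport)
            if rev in state:
                state[rev] = "SYN_ACK_SENT"
        elif p.ack:                            # step 3: client ACK completes the handshake
            state.pop(flow, None)
    return state

def syn_flood_indicators(pkts):
    """Per (dst, dport): SYN count, distinct sources, median SYN inter-arrival gap (us)."""
    syns = sorted((p for p in pkts if p.syn and not p.ack), key=lambda p: p.ts)
    by_target = {}
    for p in syns:
        by_target.setdefault((p.dst, p.dport), []).append(p)
    report = {}
    for target, lst in by_target.items():
        gaps = sorted(b.ts - a.ts for a, b in zip(lst, lst[1:]))
        report[target] = {"syn_count": len(lst),
                          "unique_sources": len({p.src for p in lst}),
                          "median_gap_us": gaps[len(gaps) // 2] * 1e6 if gaps else None}
    return report

def flag_targets(pkts, min_syns=100, min_unique_ratio=0.9, max_gap_us=1000):
    """Flag targets seeing a burst of SYNs from near-unique sources at sub-millisecond gaps."""
    return [t for t, r in syn_flood_indicators(pkts).items()
            if r["syn_count"] >= min_syns
            and r["unique_sources"] / r["syn_count"] >= min_unique_ratio
            and r["median_gap_us"] is not None and r["median_gap_us"] <= max_gap_us]

def make_sample():
    """Constructed capture: one legitimate handshake to 10.0.0.5:5357, then 200 SYNs
    from distinct (spoofed-looking) sources 20 microseconds apart that are never ACKed."""
    pkts = [Pkt(0.0000, "10.0.0.9", "10.0.0.5", 40001, 5357, True, False),
            Pkt(0.0005, "10.0.0.5", "10.0.0.9", 5357, 40001, True, True),
            Pkt(0.0010, "10.0.0.9", "10.0.0.5", 40001, 5357, False, True)]
    pkts += [Pkt(1.0 + i * 20e-6, f"198.51.100.{i}", "10.0.0.5", 1024 + i, 5357, True, False)
             for i in range(200)]
    return pkts
```

On the constructed sample the legitimate flow completes and disappears from the half-open table, while the 200 flood SYNs stay in SYN_RCVD and the target port is flagged; the same functions can be fed records exported from a real capture.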

With this, we have successfully performed and detected TCP SYN flood attacks. 
