Lab 2 - Stopping SYN Flood Attacks

In the TCP handshake mechanism, there must be an agreement between each party for
a connection to be established. If the TCP client does not exist or is a non-requesting client
with a spoofed IP, such an agreement is not possible.
In a TCP SYN, or simply SYN flood attack, the attacking clients lead the server to
believe that they are asking for legitimate connections through a series of TCP requests with
TCP flags set to SYN, coming from spoofed IP addresses. To handle each of these SYN requests,
the target server opens threads and allocates corresponding buffers to prepare for a
connection. It then tries to send a SYN-ACK reply back to the requesting clients to acknowledge
their connection requests, but because the clients IP addresses are spoofed or the clients are
unable to respond, an acknowledgement (ACK packet) is never sent back to the server. The
server is still forced to maintain its open threads and buffers for each one of the original
connection requests, attempting to resend its SYN-ACK request acknowledgement packets
multiple times before resorting to a request time-out. Because server resources are limited and
a SYN flood often involves a massive number of connection requests, a server is unable to time-
out its open requests before even more new requests arrive, and this causes a denial-of-service
condition.

Lab Objectives
The student will be able to understand how to:
• Perform a DoS attack
• Send SYN flood packets continuously
• Send SYN flood packets simultaneously with Spoof IP Address
• Stop SYN Flood attack by using SYN Cookie

Lab Environment
To perform the lab, you need the following virtual machines:
• Kali Linux virtual machine
• Ubuntu virtual machine
• Wireshark tool

Overview of the Lab

Hping3 is used to perform the SYN flood attack to Ubuntu victim virtual machine from
Kali attacker virtual machine. The hping is a command-line oriented TCP/IP packet assembler/
analyzer. The interface is inspired to the ping (8) unix command, but hping isn’t only able to
send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a
traceroute mode, the ability to send files between a covered channel, and many other features.
 This lab will be performed with or without using SYN cookie on victim machine to
observe how SYN cookie works when the machine is targeting from SYN flood attack. To
perform the SYN flood attack, the SSH port will be used in this lab. To analyze and detect the
SYN flood attack, Wireshark is a network protocol analyzer. Wireshark has a rich feature set
such as deep inspection of hundreds of protocols, live capture and offline analysis, runs on
multi-platform, captured network data can be browsed via a GUI, or via the TTY-mode TShark
utility, rich VoIP analysis and so on.

Lab Analysis
Before performing the SYN flood attack, login on to the Ubuntu virtual machine to install the
SSH and ensure to install the Wireshark tool for capturing the network traffics.
1. Open the terminal application of the Ubuntu machine and type the sudo apt install ssh
command in terminal. Enter the password when prompted and enter Y to continue with
the installation.

2. If you want to start OpenSSH server, just run the following command: sudo systemctl
enable --now ssh. To check the status of SSH, just run the sudo systemctl status ssh
command in terminal. The installation will be completed if the status is active.

3. Then switch to Kali virtual machine to scan the SSH port of Ubuntu virtual machine is
opened or not. Type nmap -p 22 [IP Address of target machine] in terminal of Kali
machine.
4. Install the Wireshark for capturing and analyzing the network traffic of target machine.
Type the sudo apt install wireshark in terminal and enter the password for Ubuntu.
While installing, you will be asked whether to allow non-superusers to capture packets.
Select Yes to allow and No to restrict non-superusers to capture packets and finish the
installation.

5. Then open the Wireshark and check it can start to capture the packets. If you cannot
start to capture the packets, run sudo dpkg-reconfigure wireshark-common
command in terminal and select YES when the question is prompted.
6. Type sudo chmod +x /usr/bin/dumpcap command in terminal, then you should now
be able to run it without root and you will be able to capture.
7. Click on the Activities on the top left corner of machine, type wireshark and open it.
8. If you see the interface of your machine, it can start by clicking the start button.
9. Before performing the SYN flood attack, you need to check SYN cookie is enable or
disable in victim’s machine. You will observe the behavior of SYN flood attack by
enabling and disabling the SYN cookie feature.
To check the status of SYN cookie, type cat /proc/sys/net/ipv4/tcp_syncookies
command in terminal. If the output is 1, it is active and if the output is 0, it is inactive.

10. You will observe the attack behavior by enabling the SYN cookies in victim machine.
Therefore, you need to edit the status of SYN cookie by typing sudo nano
/etc/sysctl.conf in terminal if it is disabled and set the keyword net.ipv4.tcp_syncookies
to 1 like net.ipv4.tcp_syncookies = 1. To save the modification of file, type Ctrl+X
and then press Y.

11. Reload sysctl.conf file by typing sudo sysctl -p. If the output is 1, it is activated now.
Then launch and start the Wireshark to capture the packets.

12. Switch the attacker’s machine and launch the hping3 utility from Application menu.
To launch the hping3, go and click to upper top left corner of Kali logo, then click on
01- Information Gathering → Live Host Identification → hping3.

13. Type the sudo hping3 -S [IP address of victim] -a [IP address of attacker or spoof
IP] -p 22 --flood command to start the SYN flood attack to victim’s machine. It initiates
the SYN flood attack on victim’s machine. The Hping3 floods the Ubuntu virtual
machine by sending the packets simultaneously and overloading the resources.
Note that: The duration of attack is no more than two minute because sometimes it can
cause the exhausted not only on virtual machine (victim) but also on host machine.
14. Go to the Ubuntu machine and analyze the network traffics behavior of SYN flood
attack. The sample network traffics are described as below.

15. Repeat the step 13 with the attacker’s spoof IP address and observe the behavior of
network traffics.
16. Document and report the analysis results the difference between attacker real IP address
result and spoof IP address result.
References

[1] “DDoS Handbook: The Ultimate Guide to Everything You Need to Know About DDoS
Attacks”, Radware, 2013.
[2] “Hping3 Package Description”, https://tools.kali.org/information-gathering/hping3.