SYN Flood attack

Mike Santos Farias

Apr 10, 2014, 9:03:42 PM
to ns-3-...@googlegroups.com

1 - How can I configure a host to receive multiple IPs at runtime?
2 - How can I send a packet that I created to host1 host2 through an (OnOff or BulkSend) application?
3 - How do I change the TCP header flags?

My idea to make the attack is as follows:
Two hosts on a CSMA network, an attacker and a victim. The attacker is configured with an OnOff application and the victim is configured with a SinkPacket application, to receive the TCP connections requested by the attacker.
In an attempt to make the SYN Flood attack, I put the two hosts inside a loop that increments the port number of the victim's socket. The door striker is incremented automatically in NS 3.
This generated the following result: the first two ports (1 and 2) accept connections and are receiving packets. Next, the two connections are reset and it starts trying to connect to the following ports, which are denied.

My idea to enhance this code is as follows:
Create packets with a random source address and the destination address of the victim inside a loop, so that no connection is completed.

I do not have much experience in NS 3. Any help will be appreciated.

Tommaso Pecorella

Apr 11, 2014, 2:16:29 AM
to ns-3-...@googlegroups.com
Hi,

Just a suggestion: double-check whether you really understood how a SynFlood attack works.

Anyway, there are some problems with your approach, the main one being how to detect the effect of a SynFlood attack.
SynFlood doesn't try to open all the possible addresses/ports in a host (that would be 2^64 connections). It tries to fill the incoming TCP connections buffer memory. As a result, trying to mimic a SynFlood in ns-3 will simply... hang your simulation (and your PC too).

Cheers,

T.

Mike Santos Farias

Apr 11, 2014, 7:49:46 AM
to ns-3-...@googlegroups.com
I thought about using multiple IPs just to simulate a real attack. My intention is to burst the TCP buffer with multiple connections.
Is there another way to bust the TCP buffer?

--
Regards,
Mike Santos Farias.

Undergraduate student in Information Systems
Undergraduate research scholarship holder - PIBIC/CNPQ
President of the Centro Acadêmico Livre de Computação - UFS
              mike_...@hotmail.com
              (79) 8821-3108

Tommaso Pecorella

Apr 11, 2014, 2:38:54 PM
to ns-3-...@googlegroups.com
Hi,

It's not a problem of busting the buffers, it's a problem of limiting them beforehand. While real systems do have a limit on the memory allocated in the kernel for incoming TCP connections, ns-3 doesn't have one. You'll first have to limit that, otherwise you won't see anything.

Cheers,

T.

Mike Santos Farias

Apr 24, 2014, 4:25:52 PM
to ns-3-...@googlegroups.com
Hi, Tommaso 

I managed to change the TCP buffer by modifying the files repos-ns3/ns-3-allinone/ns-3-dev/src/internet/model/tcp-tx-buffer and tcp-rx-buffer. But I have not found a way to change the packet sent by the OnOff application and received by the PacketSink application.

Is there a way to change the IP packet source so that the handshake is not completed?

Reading about the possibility of completing the simulation of the attack with success, I saw that I could only analyze the results of the attack if I used the DCE. The Linux TCP stack, to be precise. Is the use of DCE indeed necessary?

If the answer is yes, how can I explore the DCE to perform the attack?

Tommaso Pecorella

Apr 25, 2014, 3:14:44 AM
to ns-3-...@googlegroups.com
Hi,

DCE can help because you can use the Linux TCP/IP stack (and not only that) in ns-3.

However, as I said, you didn't understand what the real basis of a SYN flood is.

"A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic."

What are the "server resources"?
It's the number of open (or half-open) TCP connections.
The incoming and outgoing TCP *data* buffers have little or nothing to do with that. Well, they could, but it's dependent on how the kernel is handling memory.

About how to change the IP source half-way in a connection establishment, you can NOT use a TCP socket for that. It would be like trying to perform a SYN flood by using a web browser. You'll have to use a raw IP socket and craft your own (forged) IP and TCP headers.

T.
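
The point made in the replies above, that the resource at stake is the table of half-open connections and that nothing is observable until that table has a limit, can be seen in a small stand-alone model of the listener side. This is an added example, not code from the thread or from ns-3; the class, the function and the scenario numbers (backlog size, timeout, SYN spacing) are all assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>

// Toy model of a listener's half-open (SYN received, no ACK yet) table.
// Not ns-3 code: every name and number here is hypothetical. Times are in ms.
class SynBacklog {
public:
    SynBacklog(std::size_t limit, std::int64_t timeoutMs) : limit_(limit), timeoutMs_(timeoutMs) {}
    // SYN received: reserve a slot, or drop the SYN when the table is full.
    bool OnSyn(std::int64_t now, std::uint32_t src) {
        Expire(now);
        if (pending_.size() >= limit_) return false;
        pending_.push_back({src, now});
        return true;
    }
    // Final ACK received: the handshake completes and the slot is released.
    bool OnAck(std::int64_t now, std::uint32_t src) {
        Expire(now);
        for (auto it = pending_.begin(); it != pending_.end(); ++it)
            if (it->src == src) { pending_.erase(it); return true; }
        return false;
    }
    std::size_t HalfOpen() const { return pending_.size(); }
private:
    struct Entry { std::uint32_t src; std::int64_t since; };
    // Handshakes that never completed are reclaimed only after the timeout.
    void Expire(std::int64_t now) {
        while (!pending_.empty() && now - pending_.front().since >= timeoutMs_)
            pending_.pop_front();
    }
    std::deque<Entry> pending_;
    std::size_t limit_; std::int64_t timeoutMs_;
};

struct Outcome { int attempts = 0; int established = 0; std::size_t peakHalfOpen = 0; };

// Constructed 10 s scenario: one never-acknowledged SYN every `gapMs` (> 0), plus a
// legitimate client (src 0) that sends a SYN at x.5 s and its ACK 100 ms later.
Outcome RunScenario(std::size_t limit, std::int64_t timeoutMs, std::int64_t gapMs) {
    SynBacklog backlog(limit, timeoutMs);
    Outcome out;
    std::int64_t ackAt = -1; std::uint32_t nextSrc = 1;  // unanswered sources: 1, 2, ...
    for (std::int64_t t = 0; t < 10000; ++t) {
        if (t % gapMs == 0) backlog.OnSyn(t, nextSrc++);
        if (t % 1000 == 500) { ++out.attempts; if (backlog.OnSyn(t, 0)) ackAt = t + 100; }
        if (t == ackAt && backlog.OnAck(t, 0)) ++out.established;
        if (backlog.HalfOpen() > out.peakHalfOpen) out.peakHalfOpen = backlog.HalfOpen();
    }
    return out;
}
```

The table saturates once the unanswered-SYN rate times the timeout reaches the limit: with a 3000 ms timeout and a limit of 128, one SYN per millisecond leaves no slot for the legitimate client, while a limit of 4096 in the same scenario lets all ten handshakes complete.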

md...@mst.edu

Feb 24, 2016, 6:59:05 PM
to ns-3-users
Hi Mike,

Have you solved the problem discussed? I am trying to simulate the SYN flood attack and defense. Please let me know if you got something.

Thanks.