TCP SYN FLOOD and ETTERCAP (Man-in-the-Middle) ATTACKS.

TCP SYN FLOOD

WHAT IS A SYN FLOOD ATTACK

TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.

Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.

ATTACK DESCRIPTION

When a client and server establish a normal TCP “three-way handshake,” the exchange can be shown as follows:

  1. Client requests connection by sending SYN (synchronize) message to the server.
  2. Server acknowledges by sending SYN-ACK (synchronize-acknowledge) message back to the client.
  3. Client responds with an ACK (acknowledge) message, and the connection is established.

In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a spoofed IP address. The server, unaware of the attack, receives multiple, apparently legitimate requests to establish communication and responds to each attempt with a SYN-ACK packet from each open port.

The malicious client either does not send the expected ACK or, if the IP address is spoofed, never receives the SYN-ACK in the first place. Either way, the server under attack waits for acknowledgement of its SYN-ACK packet for some time.

During this time, the server cannot close the connection by sending an RST packet, so the connection stays open. Before it can time out, another SYN packet arrives. This leaves an increasingly large number of connections half-open; indeed, SYN flood attacks are also referred to as half-open attacks. Eventually, as the server’s connection overflow tables fill, service to legitimate clients is denied, and the server may even malfunction or crash.

While the classic SYN flood described above tries to exhaust network ports, SYN packets can also be used in DDoS attacks that try to clog your pipes with fake packets to achieve network saturation. The type of packet is not important; still, SYN packets are often used because they are the least likely to be rejected by default.

[Figure a: image not preserved in this copy]

Source: Ramil’s Tech Corner information technology blog.

 

MITIGATION METHODS

While modern operating systems are better equipped to manage resources, which makes it more difficult to overflow connection tables, servers are still vulnerable to SYN flood attacks.

There are a number of common techniques to mitigate SYN flood attacks:

  • Micro blocks
  • SYN cookies
  • RST cookies
  • Stack tweaking

The following link contains a demo of a TCP SYN attack:

Link: https://goo.gl/UMuw8U
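As an added example (not from the original post), the following Python sketch shows the idea behind SYN cookies from the list above: the server encodes a minute counter, an MSS choice and a keyed MAC into the initial sequence number of its SYN-ACK, stores nothing for the half-open connection, and rebuilds the connection only when a returning ACK carries a valid cookie. The secret, the MSS table, the addresses and the bit layout are constructed for the demo; real stacks such as Linux use their own layouts.

```python
import hashlib
import hmac

# Constructed secret: a real server generates this at boot and rotates it.
SECRET = b"constructed-demo-secret"
# Small MSS table; the cookie stores only a 3-bit index into it.
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac3(src_ip, dst_ip, src_port, dst_port, t):
    """24-bit keyed MAC over the connection 4-tuple and the time slot t."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, now):
    """ISN for the SYN-ACK: 5 bits minute counter, 3 bits MSS index, 24 bits MAC.
    The server stores nothing for this half-open connection."""
    t = (now // 60) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = int.from_bytes(_mac3(src_ip, dst_ip, src_port, dst_port, t), "big")
    return (t << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, dst_ip, src_port, dst_port, ack, now):
    """Validate the third-step ACK (ack == cookie + 1). Returns the MSS for the
    rebuilt connection, or None if the cookie is forged or over a minute old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    age = (((now // 60) & 0x1F) - t) & 0x1F
    if age > 1:  # only the current and the previous minute slot are accepted
        return None
    if not hmac.compare_digest(got, _mac3(src_ip, dst_ip, src_port, dst_port, t)):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.5:80
    isn = make_cookie("198.51.100.7", "203.0.113.5", 40000, 80, 1460, 1_000_000)
    print("SYN-ACK ISN:", hex(isn))
    print("ACK accepted, MSS =", check_cookie("198.51.100.7", "203.0.113.5", 40000, 80, isn + 1, 1_000_000))
```

Because the SYN-ACK carries all the state, a flood of SYNs that never complete the handshake costs the server only the CPU to compute the MAC, not table entries.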

ETTERCAP (Man-in-the-Middle) ATTACK

Ettercap Overview

Ettercap is a free and open-source network security tool for man-in-the-middle attacks on a LAN, used for network protocol analysis and security auditing. It:

  • intercepts and alters traffic on a network segment,
  • captures passwords,
  • has a powerful (and easy to use) filtering language that allows custom scripting,
  • conducts active eavesdropping against a number of common protocols: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG.

[Figure b: image not preserved in this copy]

Source: Pentest magazine.

The man-in-the-middle attack (abbreviated MITM, MitM, MIM, MiM, and MITMA) is a form of active attack in which an attacker inserts itself between the victims and relays messages between them. The victims think they are talking directly to each other, but in fact the attacker controls the conversation. In this scenario, the attacker has succeeded when it can impersonate a user. In other words, a third party sits between you and the person with whom you are communicating and can control and monitor your traffic. Fortunately, some protocols can prevent this, such as SSL. An attacker can use the software listed below to carry out this attack; the demo here uses Ettercap.

  • Cain and Abel
  • Subterfuge
  • Ettercap
  • AirJack
  • SSLStrip
  • SSLSniff

The following link contains a demo of an Ettercap attack:

Link: https://goo.gl/gh11Eo
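Ettercap’s LAN man-in-the-middle works by ARP poisoning, so the defender’s signal is an IP-to-MAC binding that changes on the segment. As an added example that is not part of the original post, this Python function shows that defender’s view: a passive monitor tracks which MAC answers ARP for each IP and raises alerts when the gateway’s MAC changes or when one MAC claims both the gateway and another host. The gateway address and the ARP replies are constructed.

```python
from collections import defaultdict

# Constructed LAN: the router is assumed to be 192.168.1.1.
GATEWAY_IP = "192.168.1.1"

# Constructed ARP replies as a passive sniffer on the segment would record them:
# (seconds, sender IP, sender MAC). From t=5.5 a second MAC starts answering
# for the gateway and for host .20, the pattern of a two-sided ARP poisoning.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:14"),
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (5.5, "192.168.1.1", "de:ad:be:ef:00:99"),
    (5.6, "192.168.1.20", "de:ad:be:ef:00:99"),
    (6.0, "192.168.1.1", "de:ad:be:ef:00:99"),
]


def detect_arp_spoof(replies, gateway_ip):
    """Return a list of (time, severity, message) alerts.

    Two signals: an IP whose answering MAC changes (HIGH for the gateway,
    MEDIUM otherwise), and a single MAC that claims the gateway's IP plus
    at least one other host, which is the classic two-sided poisoning."""
    bindings = {}                   # ip -> last MAC seen answering for it
    mac_to_ips = defaultdict(set)   # mac -> every IP it has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, sev, f"{ip} moved from {prev} to {mac}"))
        bindings[ip] = mac
        new_claim = ip not in mac_to_ips[mac]   # alert once per new claim only
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        if new_claim and gateway_ip in claimed and len(claimed) > 1:
            others = sorted(claimed - {gateway_ip})
            alerts.append((ts, "HIGH", f"{mac} claims gateway {gateway_ip} and {others}"))
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in detect_arp_spoof(ARP_REPLIES, GATEWAY_IP):
        print(f"t={ts:5.1f} {sev:6} {msg}")
```

A legitimate router replacement also trips the first rule, so in practice the monitor is paired with a known-good gateway MAC to tell maintenance from poisoning.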



 

S.H.M Lahiru Prabath Balasuriya.

