TCP SYN FLOOD
WHAT IS A SYN FLOOD ATTACK
A TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
Essentially, in a SYN flood DDoS the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.
When a client and server establish a normal TCP “three-way handshake,” the exchange can be shown as follows:
- Client requests connection by sending SYN (synchronize) message to the server.
- Server acknowledges by sending SYN-ACK (synchronize-acknowledge) message back to the client.
- Client responds with an ACK (acknowledge) message, and the connection is established.
In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a spoofed IP address. The server, unaware of the attack, receives multiple, apparently legitimate requests to establish communication. It responds to each attempt with a SYN-ACK packet from each open port.
The malicious client either does not send the expected ACK or, if the IP address is spoofed, never receives the SYN-ACK in the first place. Either way, the server under attack will wait for acknowledgement of its SYN-ACK packet for some time.
During this time the server cannot close down the connection by sending an RST packet, so the connection stays open. Before the connection can time out, another SYN packet arrives. This leaves an increasingly large number of connections half-open, which is why SYN flood attacks are also referred to as “half-open” attacks. Eventually, as the server’s connection tables overflow, service to legitimate clients is denied, and the server may even malfunction or crash.
While the “classic” SYN flood described above tries to exhaust network ports, SYN packets can also be used in DDoS attacks that try to clog your pipes with fake packets to achieve network saturation. The type of packet is not important. Still, SYN packets are often used because they are the least likely to be rejected by default.
Source: Ramil’s Tech Corner information technology blog.
While modern operating systems are better equipped to manage resources, which makes it more difficult to overflow connection tables, servers are still vulnerable to SYN flood attacks.
There are a number of common techniques to mitigate SYN flood attacks:
- Micro blocks
- SYN cookies
- RST cookies
- Stack tweaking
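To show how the SYN cookie mitigation listed above removes the half-open state an attacker relies on, here is an added example written for this page (it is not code from the source blog, and its bit layout and secret key are a constructed teaching model, simplified compared with a real kernel): the server encodes the time slot, the client's MSS and a keyed hash into the SYN-ACK's initial sequence number, keeps nothing in memory, and only allocates a connection once a valid ACK comes back.

```python
import hashlib
import hmac
import struct
import time

# Teaching model of a SYN cookie (constructed for this example; the bit layout
# is simplified compared with a real kernel). The 32-bit ISN encodes:
#   bits 31..27  5-bit time counter (32-second slots) so stale cookies expire
#   bits 26..24  3-bit index into MSS_TABLE, the only option state worth keeping
#   bits 23..0   24-bit keyed hash of the 4-tuple and the counter
MSS_TABLE = (536, 1220, 1440, 1460)
SECRET = b"per-boot server secret (constructed)"  # real servers use a random key

def _hash24(src, dst, sport, dport, counter):
    """Keyed hash that binds the cookie to one 4-tuple and one time slot."""
    msg = src.encode() + b"|" + dst.encode() + struct.pack("!HHI", sport, dport, counter)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_syn_cookie(src, dst, sport, dport, client_mss, now=None):
    """ISN for the SYN-ACK; the server keeps no half-open entry for this SYN."""
    counter = int((time.time() if now is None else now) // 32)
    idx = 0
    for i, mss in enumerate(MSS_TABLE):  # largest table MSS the client accepts
        if mss <= client_mss:
            idx = i
    digest = int.from_bytes(_hash24(src, dst, sport, dport, counter), "big")
    return ((counter & 0x1F) << 27) | (idx << 24) | digest

def check_syn_cookie(src, dst, sport, dport, ack_seq, now=None, max_age=2):
    """Validate the final ACK. Returns the negotiated MSS, or None if the cookie
    is forged, belongs to another 4-tuple, or is older than max_age slots."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF  # the ACK number is our ISN + 1
    slot, idx = cookie >> 27, (cookie >> 24) & 0x7
    counter_now = int((time.time() if now is None else now) // 32)
    for age in range(max_age + 1):  # recover the full counter from its low 5 bits
        counter = counter_now - age
        if counter & 0x1F == slot:
            expected = _hash24(src, dst, sport, dport, counter)
            got = (cookie & 0xFFFFFF).to_bytes(3, "big")
            ok = idx < len(MSS_TABLE) and hmac.compare_digest(expected, got)
            return MSS_TABLE[idx] if ok else None
    return None  # no recent slot matches: cookie expired or never issued

if __name__ == "__main__":
    # Spoofed-source SYNs each get a SYN-ACK but consume no memory; only a
    # genuine ACK (ISN + 1 from the same 4-tuple) turns into a connection.
    isn = make_syn_cookie("203.0.113.5", "198.51.100.10", 40000, 80, 1460)
    print("valid ACK  ->", check_syn_cookie("203.0.113.5", "198.51.100.10", 40000, 80, isn + 1))
    print("forged ACK ->", check_syn_cookie("203.0.113.5", "198.51.100.10", 40000, 80, isn + 7))
```

The cost of the technique is visible in the model too: only the MSS survives in the cookie, so other TCP options from the original SYN are lost, which is why kernels normally enable cookies only once the backlog fills.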
The following link contains a demo of a TCP SYN attack: https://goo.gl/UMuw8U
ETTERCAP (MAN-IN-THE-MIDDLE) ATTACK
Ettercap is a free and open-source network security tool for man-in-the-middle attacks on a LAN, used for computer network protocol analysis and security auditing. It:
- intercepts and alters traffic on a network segment,
- captures passwords,
- has a powerful (and easy to use) filtering language that allows for custom scripting,
- conducts active eavesdropping against a number of common protocols: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG.
Source: Pentest magazine.
The man-in-the-middle attack (abbreviated MITM, MitM, MIM, MiM, or MITMA) is a form of active attack in which an attacker inserts a connection between the victims and relays messages between them. The victims think they are talking directly to each other, but in fact the attacker controls the conversation. In this scenario the attacker has succeeded once it can impersonate a user. In other words, a third person sits between you and the person you are communicating with and can monitor and control your traffic. Fortunately, some protocols can prevent it, like SSL. An attacker can use the software below to carry out this attack; the demo here uses Ettercap.
- Cain and Abel
The following link contains a demo of an Ettercap attack: https://goo.gl/gh11Eo
S.H.M Lahiru Prabath Balasuriya.