

REALIZATION OF A TCP SYN FLOOD ATTACK USING KALI LINUX


Dejan V. Vuletic (a), Nemanja D. Nojkovic (b)

(a) University of Defence in Belgrade, Strategic Research Institute, Belgrade, Republic of Serbia, e-mail: dejan.vuletic@mod.gov.rs, ORCID iD: http://orcid.org/0000-0001-9496-2259

(b) Serbian Armed Forces, General Staff, Department for Telecommunication and Informatics (J-6), Command Information Systems and IT Support Centre, Belgrade, Republic of Serbia, e-mail: nemanjanojko@gmail.com, ORCID iD: https://orcid.org/0000-0002-3216-1891

DOI: 10.5937/vojtehg66-16419; https://doi.org/10.5937/vojtehg66-16419

FIELD: Computer Sciences

ARTICLE TYPE: Professional Paper

ARTICLE LANGUAGE: English

Summary:

Denial-of-Service (DoS) is a type of attack that attempts to prevent legitimate users from accessing network services. This is accomplished by overloading network services or by excessive connectivity, causing a drop in a connection or a service. DoS tools are designed to send large numbers of requests to the targeted server (usually web, FTP, e-mail server), in order to overwhelm server resources and make it unusable. There are various ways in which attackers achieve this. One of the usual ways is simply overwhelming the server by sending too many requests. This will disable the normal functioning of the server (and the web pages will open more slowly), and in some cases it can lead to a situation that the server ceases to operate. This paper shows some effects of TCP Syn Flood Attacks (using Kali Linux) through the change of processor utilization and the unavailability of the target computer (executing ping command).

Key words: DoS attack, Kali Linux, ping, processor utilization.

Introduction

The Transmission Control Protocol (TCP), unlike the User Datagram Protocol (UDP), is connection-oriented, which means that the sender must establish a complete connection with its intended recipient before any data packets are exchanged. This protocol relies on a three-way handshake mechanism (SYN, SYN-ACK, ACK): each connection attempt consists of a request that opens a half-open connection (SYN), a response to the request (SYN-ACK), and a confirmation of the response (ACK). An attack that abuses the TCP/IP protocol usually does so by sending TCP packets in the wrong order or without completing the sequence, causing the target server to run out of resources. One example of this type of attack is TCP SYN Flood (Lawrence, 2012).

In the TCP handshake mechanism, both sides must cooperate in order for the connection to be established. If the TCP client does not exist, or it is a client using a fake IP address, such cooperation is not possible. In a TCP SYN flood (SYN flood) attack, attackers make the server believe that a number of legitimate connections are being requested by sending many TCP requests from fake IP addresses. When the client's IP address is fake or the client is unable to respond, the confirmation (ACK packet) is never sent back to the server. The server is forced to keep an open connection and a buffer for each original connection request, attempting to resend the SYN-ACK packet until the request expires. Since server resources are limited and a SYN flood usually consists of a huge number of connection requests, the server is unable to process the existing requests before new ones arrive, and this results in service termination.
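As an added defensive example (not code from the paper), the following Python script reads a constructed snapshot of a server's connection table in the layout of Linux `netstat -ant` output and flags the accumulation of half-open (SYN_RECV) connections described above; the sample addresses and both thresholds are assumptions, and port 8000 is the target port used later in the paper's experiment.

```python
"""Flag half-open (SYN_RECV) connection build-up in a netstat-style snapshot.
Added defensive example, not code from the paper; sample data is constructed
and both thresholds are assumptions to tune to the service's listen backlog."""
from collections import Counter

# Constructed sample in the column layout of `netstat -ant` on Linux; port 8000
# is the target port used in the paper's experiment, addresses are sample ranges.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:8000           0.0.0.0:*              LISTEN
tcp        0      0 192.168.100.9:8000     192.168.100.20:40211   ESTABLISHED
tcp        0      0 192.168.100.9:8000     203.0.113.7:51001      SYN_RECV
tcp        0      0 192.168.100.9:8000     198.51.100.44:1024     SYN_RECV
tcp        0      0 192.168.100.9:8000     10.44.1.2:2763         SYN_RECV
tcp        0      0 192.168.100.9:8000     172.31.9.77:60017      SYN_RECV
tcp        0      0 192.168.100.9:8000     192.0.2.9:44310        SYN_RECV
"""
# Constructed benign snapshot: a busy but healthy listener.
BENIGN_NETSTAT = """\
tcp        0      0 192.168.100.9:8000     192.168.100.20:40211   ESTABLISHED
tcp        0      0 192.168.100.9:8000     192.168.100.21:40212   ESTABLISHED
tcp        0      0 192.168.100.9:8000     192.168.100.22:40213   SYN_RECV
"""

HALF_OPEN_THRESHOLD = 4      # assumption: alert at this many SYN_RECV entries
DISTINCT_SOURCE_RATIO = 0.8  # assumption: distinct sources / half-open entries


def parse_connections(text):
    """Return (local_port, remote_ip, state) for every tcp/tcp6 row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        rows.append((int(local.rsplit(":", 1)[1]), foreign.rsplit(":", 1)[0], state))
    return rows


def analyse(text):
    """Summarise SYN_RECV entries and decide whether they look like a SYN flood."""
    half_open = [r for r in parse_connections(text) if r[2] == "SYN_RECV"]
    per_port = Counter(port for port, _, _ in half_open)
    sources = {ip for _, ip, _ in half_open}
    # Many half-open entries, nearly all from different addresses, is the mark
    # of spoofed (random-source) SYNs whose final ACK never arrives.
    distinct_ratio = len(sources) / len(half_open) if half_open else 0.0
    alert = len(half_open) >= HALF_OPEN_THRESHOLD
    return {
        "half_open": len(half_open),
        "top_port": per_port.most_common(1)[0][0] if per_port else None,
        "distinct_ratio": distinct_ratio,
        "suspect_random_source": alert and distinct_ratio >= DISTINCT_SOURCE_RATIO,
        "alert": alert,
    }


if __name__ == "__main__":
    for name, snapshot in (("attack", SAMPLE_NETSTAT), ("benign", BENIGN_NETSTAT)):
        print(name, analyse(snapshot))
```

On a real host the same check can be fed the live output of `netstat -ant` (or `ss -tan`, whose columns differ) from a cron job, with the thresholds set relative to the listener's backlog size.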

Figure 1 shows the TCP SYN Flood attack pattern with the corresponding messages exchanged between the server and a legitimate user, and between the server and an attacker. As can be seen in the Figure, the final connection confirmation is never completed for the attacker, as it is for the legitimate user (Radware, 2013).


Figure 1 - TCP SYN Flood (Radware, 2013)


Practical realization of TCP Syn Flood Attacks

To demonstrate the effects of TCP Syn Flood Attacks, we use two computers connected to the same network. Kali Linux was installed on the attacking computer as a virtual machine on Windows 10, using VMware Workstation 12 Player. The Windows 10 operating system is installed on the computer that will be attacked (Allen et al, 2014).

A computer that launches the attacks (the attacking computer).

Kali Linux, based on the Debian distribution, is installed on this computer (Hertzog et al, 2017). It contains the hping3 tool, a free packet generator and analyzer for the TCP/IP protocol suite. Hping3 was written by Salvatore Sanfilippo. The newer version of hping3 is scriptable and uses the Tcl language (a simple language for writing programs) (Beggs, 2014), (Ansari, 2015).

Figure 2 shows the basic network data of the virtual machine, obtained by typing the ifconfig command in the terminal on Kali Linux. The Figure shows the IP address, the subnet mask and other network card information.


[Figure 2 residue: terminal output of the ifconfig command on the Kali Linux virtual machine. Legible values: interface eth0 with flags UP,BROADCAST,RUNNING,MULTICAST and mtu 1500, an IPv4 address in the 192.168.100.0/24 network (netmask 255.255.255.0, broadcast 192.168.100.255), an IPv6 link-local address, RX packets 2216 and TX packets 17394590 (2.9 GiB) with no errors; followed by the loopback interface lo (127.0.0.1, mtu 65536).]

Figure 2 - Basic network data of the virtual machine

The attack is launched from the terminal by typing the hping3 command with the following parameters (Figure 3):

■ The name of the tool used (hping3)

■ Number of packets to send (-c 1000)

■ Size of each packet to be sent (-d 128)

■ The type of packets to be sent (-S selects SYN packets)

■ TCP window size (-w 64)

■ The port attacked on the target (-p 8000)

■ Type of attack (--flood): flood mode, sending packets as fast as possible

■ Use of random source IP addresses (--rand-source)

■ Address of the attacked computer (destination IP address)

[Figure 3 residue: the terminal line entered on the attacking computer, hping3 -c 10000 -d 128 -S -w 64 -p 8000 --flood --rand-source 192.168.100.9]

Figure 3 - Entering parameters on the attacking computer

Before the attack begins, we check the availability of the computer we are planning to attack from the Command Prompt on Windows 10, using the ping command.

Figure 4 shows that there is no problem with the connection and that every ping to the targeted computer was answered.


[Figure 4 residue: Windows Command Prompt output of the ping command against 192.168.100.9 before the attack; every line reads "Reply from 192.168.100.9: bytes=32 time=... TTL=...", with no timeouts.]

Figure 4 - Checking the availability of the targeted computer using the ping command


To increase the intensity of the attack, the command can be started from multiple terminals as shown in Figure 5.


Figure 5 - Starting attacks from multiple terminals


After executing the command (realization of the attack) we again use the ping command to check the availability of the attacked computer. Figure 6 shows that the computer partially responds to this command (not always available).

[Figure 6 residue: Windows Command Prompt output of the ping command against 192.168.100.9 while the attack is running; most lines read "Request timed out.", with only occasional "Reply from 192.168.100.9: bytes=32 time=... TTL=64" lines, the measured times ranging from a few milliseconds to several hundred milliseconds.]

Figure 6 - Checking the availability of the targeted computer after the attack using the ping command

A computer that will be attacked (the target computer). We observe events on this computer before and after the attack against it. Figure 7 shows the basic information about this computer, obtained with the ipconfig command in Windows PowerShell. In the Figure, we can see the IP address, the subnet mask and other properties of the network card.

Figure 7 - Data on the attacked computer

After executing the command on Kali Linux, the performance of the attacked computer changed, as shown in Figure 8. Comparing the two Task Manager screenshots, it can be seen that processor utilization increased. In addition to the performance change, the attack made the computer unable to respond to connection requests, as shown by the "Request timed out" responses to the ping command. Because of the attack, the computer could not connect and communicate with another computer on the network.


The attack is interrupted in each terminal by pressing the Ctrl + C keys. After the attack is stopped, the performance figures change back and the ping command begins to work normally again (it shows that the computer is available). This is shown in Figure 9.


[Figure 8 residue: two Windows Task Manager screenshots, Performance tab, of the attacked computer. Legible readings from the clearer screenshot: CPU utilization 9% at 0,97 GHz (maximum speed 1,50 GHz; AMD A4-5000 APU with Radeon(TM) HD Graphics, 1 socket, 4 logical processors, virtualization enabled), memory 1,4/5,4 GB (41%), Ethernet and Wi-Fi 0 Kbps, up time 0:21:09:59. The second screenshot (up time 0:20:57:07) is largely illegible in the scan.]

Figure 8 - CPU utilization before and during the attack


[Figure 9 residue: Windows Command Prompt output of the ping command against 192.168.100.9 after the attack is stopped; every line reads "Reply from 192.168.100.9: bytes=32 time=... TTL=64", with times between a few milliseconds and a few tens of milliseconds and no timeouts.]

Figure 9 - Appearance of the screen when the attack is completed and the ping command is given

Conclusion

Every system that is connected to the Internet and equipped with TCP-based network services is a potential victim of an attack. The earliest form of DoS attack was the SYN flood, which originated in 1996 and exploits weaknesses in TCP itself. Other attacks exploit weaknesses in operating systems and applications, leading to the inaccessibility of network services or even the cessation of server operation.

Classic DoS attacks are one-on-one attacks in which a powerful host generates traffic that "overwhelms" the target host's connection, which prevents authorized clients from accessing network services. Distributed Denial of Service (DDoS) is a type of DoS attack launched from multiple hosts at once. DDoS attacks go a step further by multiplying the attack sources, so that servers or parts of the network can become totally unusable for clients.

There are several ways to execute DoS attacks, such as the TCP SYN Flood attack, which can be carried out with different tools, such as the hping3 tool included in Kali Linux.

References

Allen, L., Heriyanto, T. & Ali, S. 2014. Kali Linux - Assuring Security by Penetration Testing. Birmingham, UK: Packt Publishing, pp.14-28.

Ansari, A.J. 2015. Web Penetration Testing with Kali Linux. Birmingham, UK: Packt Publishing, p.4.

Beggs, R.W. 2014. Mastering Kali Linux for Advanced Penetration Testing. Birmingham, UK: Packt Publishing, pp.315-316.

Hertzog, R., Aharoni, M., & O'Gorman, J. 2017. Kali Linux Revealed: Mastering the Penetration Testing Distribution. Offsec Press.

Lawrence, C.M. 2012. DDoS For Dummies, Corero Network Security Edition. [e-book]. Hoboken, New Jersey: John Wiley & Sons. Available at: http://crezer.net/Newsletter/archivos/DDoS.pdf. Accessed: 10.02.2018.

Radware. 2013. DDoS Survival Handbook. [e-book]. Radware, Ltd. Available at: https://security.radware.com/uploadedfiles/resources_and_content/ddos_handbook/ddos_handbook.pdf. Accessed: 10.02.2018.


Paper received on: 02.02.2018. Manuscript corrections submitted on: 13.04.2018.

Paper accepted for publishing on: 15.04.2018.


© 2018 The Authors. Published by Vojnotehnicki glasnik / Military Technical Courier (www.vtg.mod.gov.rs, втг.мо.упр.срб). This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/rs/).
