• Stars
    star
    205
  • Rank 191,264 (Top 4 %)
  • Language
    C
  • Created over 11 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Sockstress (TCP DoS) implementation.
      _____  ____   _____ _  __ _____ _______ _____  ______  _____  _____ 
     / ____|/ __ \ / ____| |/ // ____|__   __|  __ \|  ____|/ ____|/ ____|
    | (___ | |  | | |    | ' /| (___    | |  | |__) | |__  | (___ | (___  
     \___ \| |  | | |    |  <  \___ \   | |  |  _  /|  __|  \___ \ \___ \
     ____) | |__| | |____| . \ ____) |  | |  | | \ \| |____ ____) |____) |
    |_____/ \____/ \_____|_|\_\_____/   |_|  |_|  \_\______|_____/|_____/ 
                          
                               CVE-2008-4609
                     https://defuse.ca/sockstress.htm
   
                           By: [email protected]
                           Date: April 9, 2012

            This code is explicitly placed into the public domain.

  THIS CODE IS PROVIDED FOR EDUCATIONAL AND ETHICAL SECURITY TESTING PURPOSES 
  ONLY. THE AUTHOR IS NOT RESPONSIBLE FOR ILLEGAL USE OF, OR DAMAGE CAUSED 
  BY, THIS CODE. There is NO WARRANTY, to the extent permitted by law.

=== WHAT IS SOCKSTRESS? =====================================================

    Sockstress is a Denial of Service attack on TCP services discovered in
    2008 by Jack C. Louis from Outpost24 [1]. It works by using RAW sockets
    to establish many TCP connections to a listening service. Because the 
    connections are established using RAW sockets, connections are established
    without having to save any per-connection state on the attacker's machine.
    
    Like SYN flooding, sockstress is an asymmetric resource consumption attack:
    It requires very little resources (time, memory, and bandwidth) to run a 
    sockstress attack, but uses a lot of resources on the victim's machine.
    Because of this asymmetry, a weak attacker (e.g. one bot behind a cable 
    modem) can bring down a rather large web server.

    Unlike SYN flooding, sockstress actually completes the connections, and 
    cannot be thwarted using SYN cookies. In the last packet of the three-way 
    handshake a ZERO window size is advertised -- meaning that the client is 
    unable to accept data -- forcing the victim to keep the connection alive
    and periodically probe the client to see if it can accept data yet.

    This implementation of sockstress takes the idea a little further by 
    allowing the user to specify a payload, which will be sent along with the
    last packet of the three-way handshake, so in addition to opening a 
    connection, the attacker can request a webpage, perform a DNS lookup, etc.

    For more information on sockstress, see its Wikipedia page:
        https://secure.wikimedia.org/wikipedia/en/wiki/Sockstress

    [1] http://www.outpost24.com/

=== HOW DO I COMPILE SOCKSTRESS? ============================================

    The sockstress code has been tested on Debian Linux, using the GCC compiler.

    gcc -Wall -c sockstress.c
    gcc -pthread -o sockstress sockstress.o
    Or, if you have GNU Make, simply run 'make'.

=== HOW DO I USE SOCKSTRESS? ================================================

    *** WARNING: *** 
    The sockstress attack has been known to render operating systems 
    unbootable. NEVER run it on a production system unless all data has been 
    backed up and you are prepared to re-install the OS. Also be aware of 
    stateful routers between the attacker and victim, they might get overloaded
    too. You have been warned.

    Sockstress uses RAW sockets, so you must run the tool as root. You must
    also stop your OS from sending RST packets to the victim in response to
    unrecognized SYN/ACKs sent during the attack. To do so, set an iptables
    rule:
        # iptables -A OUTPUT -p TCP --tcp-flags rst rst -d xx.xx.xx.xx -j DROP
    Where xx.xx.xx.xx is the victim's IP address.

    To view the sockstress help menu, run:
        # ./sockstress -h

    To execute an attack, sockstress requires three parameters:
        1. Victim IP
        2. Victim port
        3. Network interface to send packets from (e.g. eth0)

    For example, to run an attack on port 80 on 127.0.0.1, run:
        # ./sockstress 127.0.0.1:80 eth0
    
    Sockstress also allows the user to control the delay between sent SYN 
    packets. This value is specified in microseconds with the -d option.
    For example, to send a SYN packet every second, run:
        # ./sockstress 127.0.0.1:80 eth0 -d 1000000

    You can also have sockstress send some data to the victim after the 
    connection has been established. Do this by specifying a file containing
    the data with the -p option. For example, to make HTTP requests:
        # ./sockstress 127.0.0.1:80 eth0 -p payloads/http
    ... where payloads/http contains:

    --- BEGIN: payloads/http ---
    GET / HTTP/1.0


    --- END: payloads/http ---
    
    Example payloads for making DNS requests, requesting web pages, and sending
    mail with SMTP are provided in the payloads folder.

    To run a sockstress attack against multiple ports, you must run multiple
    instances of the tool. The attack can be amplified by assigning many IP
    addresses to a single machine and running an instance of the attack from
    each IP. This improves the attack because sockstress will quickly establish
    a connection from every source port, so more IP addresses will be needed to
    open more connections (more sets of source ports).

=== HOW CAN I PREVENT SOCKSTRESS ATTACKS? ===================================

    The only way to completely prevent sockstress attacks is to whitelist
    access to TCP services. This is not practical in most situations, so the
    best that can be done is to rate limit connections with iptables.

    To block an IP after it opens more than 10 connections to port 80 within 
    30 seconds, install the following iptables rules:

    # iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
    # iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent  \
        --update --seconds 30 --hitcount 10 -j DROP

 Src: http://codingfreak.blogspot.ca/2010/01/iptables-rate-limit-incoming.html

    Note that sockstress attacks are still possible even with these rules in 
    place. The attacker just needs more IP addresses to mount a successful 
    attack.

=== WHERE CAN I FIND UPDATES? ===============================================

    Find more information and updates at: https://defuse.ca/sockstress.htm

=== IS RELEASING THIS CODE ETHICAL? =========================================

    Sockstress code has existed in the wild since (at least) 2011:
        http://h.ackack.net/sockstress.html
        http://www.2shared.com/file/L4VC9Wdp/sockstresstar.html
    
    Sockstress is still somewhat effective, however, any packet hacker could
    easily write a sockstress attack tool. For this reason, I feel it is best
    to release my sockstress tool so system administrators can test their
    systems and stronger defences can be developed.

    Pretending a problem doesn't exist won't make it go away.

More Repositories

1

php-encryption

Simple Encryption in PHP.
PHP
3,784
star
2

swatd

Run a script when one or more sensors fail.
C
869
star
3

password-hashing

Password hashing code.
PHP
856
star
4

crackstation-hashdb

CrackStation.net's Lookup Table Implementation.
PHP
365
star
5

flush-reload-attacks

Ruby
180
star
6

crackstation

Source code for my crackstation.net website.
Hack
132
star
7

passgen

A password generator.
C++
78
star
8

defuse.ca

The source code to my defuse.ca website.
HTML
67
star
9

phpcount

A unique hit counter that respects users' privacy.
PHP
62
star
10

email-spoofing

Ruby script for spoofing SMTP emails.
Ruby
43
star
11

php-passgen

Generating passwords in PHP.
PHP
38
star
12

gas-obfuscation

Extremely simple but inefficient x86-64 assembly obfuscation.
Ruby
34
star
13

dnsfs

Host files with DNS
Ruby
32
star
14

yescrypt

Non-C Implementations of the yescrypt KDF.
C
29
star
15

helloworld-cms

A simple content display system in PHP.
PHP
27
star
16

DAWr

The start of a library for building a DAW and/or sound experiments in Rust
Rust
26
star
17

airgap

Design for an economical and simple air-gapped system.
25
star
18

WinPassGen

A Windows Password Generator.
C
24
star
19

pastebin

The defuse.ca pastebin.
PHP
23
star
20

phphashcrack

A PHP hash cracker.
PHP
22
star
21

encutil

Example of how to build a command-line file encryption utility with defuse/php-encryption.
PHP
20
star
22

synergy-crack

Synergy 1.4.12 cracking tool.
Ruby
17
star
23

cuda-md5

Old NVIDIA CUDA implementation of salted MD5 brute-force
C++
17
star
24

ictm

A user-first approach to threat modeling.
14
star
25

x86rc4

A tiny x86 implementation of RC4
Assembly
13
star
26

php-newsgroups

Newsgroup-style PHP forum.
PHP
12
star
27

elfplayer

Visualize an ELF's execution
JavaScript
10
star
28

backup-verify

Tool for verifying backups and comparing directories.
Ruby
9
star
29

passgenr

A library for generating cryptographically-secure passwords in Rust.
Rust
8
star
30

canvas

Practice HTML5 Canvas.
JavaScript
6
star
31

textractor

Extract strings from files to make wordlists.
C#
6
star
32

vim

My GVim Configuration
Vim Script
6
star
33

image-passwords

HTML5 Canvas: Generating keys from memorable image sequences.
JavaScript
5
star
34

truecrypt-archive

Archive of all TrueCrypt 7.1a files
Standard ML
4
star
35

defuse_failover

(Old) How I used to do implement failover for defuse.ca.
Shell
4
star
36

gnutls-psk

Example TLS PSK client/server.
C
4
star
37

gadgetrie

A simple gadget finder for Return Oriented Programming
C
4
star
38

js-encryption

SJCL (JavaScript) encryption example.
JavaScript
3
star
39

vst_plugin

Example VST2 plugin in Rust.
Rust
2
star
40

eotp

https://defuse.ca/eotp.htm
Java
2
star
41

nova-extractor

WIP implementation of the extractor in Nova's security proof
Rust
2
star
42

passwordtrainer

A script for memorizing/practicing passwords.
Ruby
2
star
43

php-login

A (half-finished) PHP login system.
PHP
2
star
44

stemviz

JavaScript
2
star
45

https-mockups

Negative feedback for insecure web connections.
2
star
46

afl-demo

C
2
star
47

vimhl

Syntax highlighting in PHP with Vim.
PHP
2
star
48

sudoku-solver

A simple sudoku solver in Ruby
Ruby
2
star
49

pfs-experiments

Testing perfect forward secrecy in the short term.
Ruby
1
star
50

tix

A command-line ticket system in Ruby.
Ruby
1
star
51

bqp

Source code for my bqp.io website.
HTML
1
star
52

juggler-pow

A memory-but-not-time asymmetric proof-of-work function.
C
1
star
53

hypothetico-web

Hypothetico e-zine website
PHP
1
star
54

popularaccess

popularaccess.org
1
star
55

upload

File transfer upload script.
Shell
1
star
56

wavetool

A tool for processing/analyzing Serum wavetables.
Rust
1
star
57

nsa-letter

A letter to Canadian MPs about the NSA
1
star
58

qcircuitgen

Easily draw quantum circuits for LaTeX's picture environment
Ruby
1
star
59

codefiles

A Ruby on Rails blog.
Ruby
1
star