-
Stars205
-
Rank 185,164 (Top 4 %)
-
LanguageC
-
Created about 11 years ago
-
Updated over 6 years ago
Reviews
There are no reviews yet. Be the first to send feedback to the community and the maintainers!
Repository Details
Sockstress (TCP DoS) implementation.
_____ ____ _____ _ __ _____ _______ _____ ______ _____ _____
/ ____|/ __ \ / ____| |/ // ____|__ __| __ \| ____|/ ____|/ ____|
| (___ | | | | | | ' /| (___ | | | |__) | |__ | (___ | (___
\___ \| | | | | | < \___ \ | | | _ /| __| \___ \ \___ \
____) | |__| | |____| . \ ____) | | | | | \ \| |____ ____) |____) |
|_____/ \____/ \_____|_|\_\_____/ |_| |_| \_\______|_____/|_____/
CVE-2008-4609
https://defuse.ca/sockstress.htm
By: [email protected]
Date: April 9, 2012
This code is explicitly placed into the public domain.
THIS CODE IS PROVIDED FOR EDUCATIONAL AND ETHICAL SECURITY TESTING PURPOSES
ONLY. THE AUTHOR IS NOT RESPONSIBLE FOR ILLEGAL USE OF, OR DAMAGE CAUSED
BY, THIS CODE. There is NO WARRANTY, to the extent permitted by law.
=== WHAT IS SOCKSTRESS? =====================================================
Sockstress is a Denial of Service attack on TCP services discovered in
2008 by Jack C. Louis from Outpost24 [1]. It works by using RAW sockets
to establish many TCP connections to a listening service. Because the
connections are established using RAW sockets, connections are established
without having to save any per-connection state on the attacker's machine.
Like SYN flooding, sockstress is an asymmetric resource consumption attack:
It requires very little resources (time, memory, and bandwidth) to run a
sockstress attack, but uses a lot of resources on the victim's machine.
Because of this asymmetry, a weak attacker (e.g. one bot behind a cable
modem) can bring down a rather large web server.
Unlike SYN flooding, sockstress actually completes the connections, and
cannot be thwarted using SYN cookies. In the last packet of the three-way
handshake a ZERO window size is advertised -- meaning that the client is
unable to accept data -- forcing the victim to keep the connection alive
and periodically probe the client to see if it can accept data yet.
This implementation of sockstress takes the idea a little further by
allowing the user to specify a payload, which will be sent along with the
last packet of the three-way handshake, so in addition to opening a
connection, the attacker can request a webpage, perform a DNS lookup, etc.
For more information on sockstress, see its Wikipedia page:
https://secure.wikimedia.org/wikipedia/en/wiki/Sockstress
[1] http://www.outpost24.com/
=== HOW DO I COMPILE SOCKSTRESS? ============================================
The sockstress code has been tested on Debian Linux, using the GCC compiler.
gcc -Wall -c sockstress.c
gcc -pthread -o sockstress sockstress.o
Or, if you have GNU Make, simply run 'make'.
=== HOW DO I USE SOCKSTRESS? ================================================
*** WARNING: ***
The sockstress attack has been known to render operating systems
unbootable. NEVER run it on a production system unless all data has been
backed up and you are prepared to re-install the OS. Also be aware of
stateful routers between the attacker and victim, they might get overloaded
too. You have been warned.
Sockstress uses RAW sockets, so you must run the tool as root. You must
also stop your OS from sending RST packets to the victim in response to
unrecognized SYN/ACKs sent during the attack. To do so, set an iptables
rule:
# iptables -A OUTPUT -p TCP --tcp-flags rst rst -d xx.xx.xx.xx -j DROP
Where xx.xx.xx.xx is the victim's IP address.
To view the sockstress help menu, run:
# ./sockstress -h
To execute an attack, sockstress requires three parameters:
1. Victim IP
2. Victim port
3. Network interface to send packets from (e.g. eth0)
For example, to run an attack on port 80 on 127.0.0.1, run:
# ./sockstress 127.0.0.1:80 eth0
Sockstress also allows the user to control the delay between sent SYN
packets. This value is specified in microseconds with the -d option.
For example, to send a SYN packet every second, run:
# ./sockstress 127.0.0.1:80 eth0 -d 1000000
You can also have sockstress send some data to the victim after the
connection has been established. Do this by specifying a file containing
the data with the -p option. For example, to make HTTP requests:
# ./sockstress 127.0.0.1:80 eth0 -p payloads/http
... where payloads/http contains:
--- BEGIN: payloads/http ---
GET / HTTP/1.0
--- END: payloads/http ---
Example payloads for making DNS requests, requesting web pages, and sending
mail with SMTP are provided in the payloads folder.
To run a sockstress attack against multiple ports, you must run multiple
instances of the tool. The attack can be amplified by assigning many IP
addresses to a single machine and running an instance of the attack from
each IP. This improves the attack because sockstress will quickly establish
a connection from every source port, so more IP addresses will be needed to
open more connections (more sets of source ports).
=== HOW CAN I PREVENT SOCKSTRESS ATTACKS? ===================================
The only way to completely prevent sockstress attacks is to whitelist
access to TCP services. This is not practical in most situations, so the
best that can be done is to rate limit connections with iptables.
To block an IP after it opens more than 10 connections to port 80 within
30 seconds, install the following iptables rules:
# iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent \
--update --seconds 30 --hitcount 10 -j DROP
Src: http://codingfreak.blogspot.ca/2010/01/iptables-rate-limit-incoming.html
Note that sockstress attacks are still possible even with these rules in
place. The attacker just needs more IP addresses to mount a successful
attack.
=== WHERE CAN I FIND UPDATES? ===============================================
Find more information and updates at: https://defuse.ca/sockstress.htm
=== IS RELEASING THIS CODE ETHICAL? =========================================
Sockstress code has existed in the wild since (at least) 2011:
http://h.ackack.net/sockstress.html
http://www.2shared.com/file/L4VC9Wdp/sockstresstar.html
Sockstress is still somewhat effective, however, any packet hacker could
easily write a sockstress attack tool. For this reason, I feel it is best
to release my sockstress tool so system administrators can test their
systems and stronger defences can be developed.
Pretending a problem doesn't exist won't make it go away.
More Repositories
1
php-encryption
Simple Encryption in PHP.PHP
3,721
2
swatd
Run a script when one or more sensors fail.C
860
3
password-hashing
Password hashing code.PHP
857
4
crackstation-hashdb
CrackStation.net's Lookup Table Implementation.PHP
350
5
flush-reload-attacks
Ruby
177
6
crackstation
Source code for my crackstation.net website.
Hack
122
7
passgen
A password generator.C++
77
8
defuse.ca
The source code to my defuse.ca website.HTML
63
9
phpcount
A unique hit counter that respects users' privacy.PHP
61
10
email-spoofing
Ruby script for spoofing SMTP emails.Ruby
43
11
php-passgen
Generating passwords in PHP.PHP
38
12
dnsfs
Host files with DNSRuby
32
13
gas-obfuscation
Extremely simple but inefficient x86-64 assembly obfuscation.Ruby
32
14
yescrypt
Non-C Implementations of the yescrypt KDF.C
28
15
helloworld-cms
A simple content display system in PHP.PHP
27
16
airgap
Design for an economical and simple air-gapped system.
24
17
DAWr
The start of a library for building a DAW and/or sound experiments in RustRust
24
18
pastebin
The defuse.ca pastebin.PHP
23
19
WinPassGen
A Windows Password Generator.C
23
20
phphashcrack
A PHP hash cracker.PHP
22
21
encutil
Example of how to build a command-line file encryption utility with defuse/php-encryption.PHP
20
22
synergy-crack
Synergy 1.4.12 cracking tool.Ruby
17
23
cuda-md5
Old NVIDIA CUDA implementation of salted MD5 brute-forceC++
17
24
ictm
A user-first approach to threat modeling.
14
25
x86rc4
A tiny x86 implementation of RC4Assembly
13
26
php-newsgroups
Newsgroup-style PHP forum.PHP
12
27
elfplayer
Visualize an ELF's executionJavaScript
11
28
backup-verify
Tool for verifying backups and comparing directories.Ruby
9
29
passgenr
A library for generating cryptographically-secure passwords in Rust.Rust
8
30
textractor
Extract strings from files to make wordlists.C#
6
31
vim
My GVim ConfigurationVim Script
6
32
image-passwords
HTML5 Canvas: Generating keys from memorable image sequences.JavaScript
5
33
canvas
Practice HTML5 Canvas.JavaScript
5
34
gadgetrie
A simple gadget finder for Return Oriented ProgrammingC
5
35
truecrypt-archive
Archive of all TrueCrypt 7.1a files
Standard ML
4
36
defuse_failover
(Old) How I used to do implement failover for defuse.ca.Shell
4
37
gnutls-psk
Example TLS PSK client/server.C
4
38
js-encryption
SJCL (JavaScript) encryption example.JavaScript
3
39
afl-demo
C
3
40
vst_plugin
Example VST2 plugin in Rust.Rust
2
41
eotp
https://defuse.ca/eotp.htmJava
2
42
nova-extractor
WIP implementation of the extractor in Nova's security proofRust
2
43
passwordtrainer
A script for memorizing/practicing passwords.Ruby
2
44
php-login
A (half-finished) PHP login system.PHP
2
45
stemviz
JavaScript
2
46
https-mockups
Negative feedback for insecure web connections.
2
47
sudoku-solver
A simple sudoku solver in RubyRuby
2
48
pfs-experiments
Testing perfect forward secrecy in the short term.Ruby
1
49
tix
A command-line ticket system in Ruby.Ruby
1
50
bqp
Source code for my bqp.io website.HTML
1
51
juggler-pow
A memory-but-not-time asymmetric proof-of-work function.C
1
52
upload
File transfer upload script.Shell
1
53
popularaccess
popularaccess.org
1
54
hypothetico-web
Hypothetico e-zine websitePHP
1
55
nsa-letter
A letter to Canadian MPs about the NSA
1
56
vimhl
Syntax highlighting in PHP with Vim.PHP
1
57
wavetool
A tool for processing/analyzing Serum wavetables.Rust
1
58
qcircuitgen
Easily draw quantum circuits for LaTeX's picture environmentRuby
1
59
codefiles
A Ruby on Rails blog.Ruby
1