Denial of Service (DoS) Attack and Detection using Snort

Ian Peter
Dec 25, 2022


A Denial of Service (DoS) attack is a type of cyber attack where the attacker attempts to make a network, website, or service unavailable to its intended users.

One common method of DoS attack is the TCP SYN flood, which exploits a weakness in the TCP connection establishment process to overwhelm the target with connection requests.

In this article, we will demonstrate how to perform a TCP SYN flood attack using hping3 and how to detect the attack using Snort on a Linux machine.

Prerequisites

1. Apache Web Server: Apache is an open-source web server that will be used as the target for the DoS attack. To install Apache on a Debian-based Linux distribution such as Ubuntu, run the following commands:

sudo apt-get update
sudo apt-get install apache2
sudo systemctl start apache2

2. hping3: hping3 is a network packet crafting and injection tool that can be used to perform a TCP SYN flood attack. To install hping3 on a Debian-based Linux distribution, run the following commands:

sudo apt-get update
sudo apt-get install hping3

3. Wireshark: Wireshark is a network protocol analyzer that can be used to capture and examine network traffic. To install Wireshark on a Debian-based Linux distribution, run the following commands:

sudo apt-get update
sudo apt-get install wireshark

4. Snort: Snort is an open-source network intrusion detection and prevention system that can be used to detect and prevent DoS attacks. To install Snort on a Debian-based Linux distribution, follow the instructions on this website.

Once all of the prerequisites are installed and set up, you will be ready to proceed with the demonstration of the TCP SYN flood attack and detection using Snort.

Configuring Bridged Adapter settings for the VMs

In order to perform a TCP SYN flood attack on a virtual machine (VM) running the Apache web server, we will need two VMs: one as the attacker and one as the victim. To allow the attacker VM to communicate with the victim VM, we will configure a bridged adapter for both VMs.

Bridging allows a VM to connect to a physical network as if it were a physical device on the network. This allows the VM to communicate with other devices on the network, including the victim VM.

To configure a bridged adapter for a VM on VirtualBox, follow these steps:

  1. Open the VirtualBox Manager and select the VM that you want to configure.
  2. Click on the “Settings” button.
  3. In the “Network” section, select “Bridged Adapter” from the “Attached to” dropdown menu.
  4. Click on the “Advanced” button and select the network adapter that you want to use for bridging.
  5. Click “OK” to save the changes.

In case of any confusion, please refer to the following video:
https://www.youtube.com/watch?v=zeFgKOVL5gc

You will need to repeat these steps for both the attacker and victim VMs.

To find the IP addresses of the VMs, you can use the following command:

ifconfig

This will display the network interfaces and their associated IP addresses. Look for the interface that is associated with the bridged adapter (e.g. "eth0") and note its IP address.

To access the website from the attacker VM, you can use a web browser to visit the IP address of the victim VM. For example, if the victim VM's IP address is 192.168.56.106, you can access the website by visiting "http://192.168.56.106/" in the web browser.

DOS Attack using hping3

This will take place on the attacker VM.

hping3 is a network packet crafting and injection tool that can be used to perform various types of network attacks, including the TCP SYN flood attack.

It works by sending a large number of TCP SYN packets to the target IP address, attempting to establish a connection. The target system responds with a SYN-ACK packet, but the attacker never completes the connection by sending an ACK packet.

This leaves the target system with a large number of half-open connections, which can consume resources and eventually cause the system to become unresponsive or crash.

The command used will be:

sudo hping3 192.168.56.106 -p 80 -S --flood --rand-source

which tells hping3 to send a flood of TCP SYN packets to the IP address 192.168.56.106.

-p 80 tells hping3 to send the packets to destination port 80 (the Apache web server).

-S flag tells hping3 to send SYN packets

--flood flag tells it to send a flood of packets.

--rand-source flag tells hping3 to use random source IP addresses for the packets.

To monitor the TCP SYN flood attack, the attacker can launch Wireshark and select the network interface that the packets are going through (e.g. "eth0").

Wireshark will display a live capture of the network traffic, including the TCP SYN packets being sent by the attacker. The capture shows a large number of SYN packets being sent to the victim system, but no ACK packets being sent in response to the victim's SYN-ACKs.

If the website is still accessible after the attack, the reader can try launching another hping3 instance and observe the effect. It may be necessary to launch multiple hping3 instances in order to completely overwhelm the victim system and make the website completely inaccessible. Alternatively, a smaller number of hping3 instances may be used to slow down access to the website.

When you are finished with the attack, be sure to close all hping3 instances and restart the VMs if they become overloaded or frozen.

Intrusion Detection Systems (IDS) — Snort

This will now take place on the victim VM.

An Intrusion Detection System (IDS) is a security tool that monitors network traffic for signs of malicious activity or policy violations. When an IDS detects suspicious activity, it generates an alert or notification. IDSs can be configured to take a range of actions in response to an alert, such as blocking the malicious traffic, raising an alarm, or logging the event for further analysis.

Snort is an open-source IDS that can be used to detect and prevent a range of network attacks, including the TCP SYN flood attack. Snort works by analyzing network traffic and comparing it to a set of rules that define what constitutes malicious or suspicious activity. When Snort detects a match with one of its rules, it generates an alert and takes the configured action.

To configure Snort to detect a TCP SYN flood attack, we need to edit the file /etc/snort/snort.debian.conf to change the default output format and add a custom rule.

To change the default output format, open the file with root privileges and edit the line starting with DEBIAN_SNORT_OPTIONS as follows:

DEBIAN_SNORT_OPTIONS="-A full"

This tells Snort to use the “full” alert format, which includes detailed information about the alert.

To add a custom rule for TCP SYN flood detection, open the file /etc/snort/rules/dos.rules with root privileges and add the following rule as a single new line at the end (Snort only loads this file if /etc/snort/snort.conf contains a matching include $RULE_PATH/dos.rules line, so verify that it does):

alert tcp any any -> $HOME_NET 80 (flags:S; msg:"Possible TCP SYN flood"; detection_filter: track by_dst, count 50, seconds 10; sid:1000001; rev:1;)

This rule tells Snort to generate an alert once it has seen 50 SYN packets to port 80 on a host in the home network within a 10-second window. Because the detection_filter uses track by_dst, the count is kept per destination host rather than per source, so the spoofed addresses produced by --rand-source still add up toward the threshold.

The “sid” field (sid:1000001) is a unique identifier for the rule, which can be used to track and reference the alert.
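To make the detection_filter behaviour concrete, here is a small model of the rule's counting logic run over constructed packet records. This is an added example, not code from the article or from Snort; it assumes a simplified per-host window (opened at the first match, reset once `seconds` have elapsed) and a $HOME_NET of 192.168.56.0/24, and it shows why track by_dst fires under --rand-source while track by_src would not.

```python
# Model of the Snort detection_filter used by the SYN-flood rule above
# (track by_dst, count 50, seconds 10), run over constructed packets.
# Added example; simplified window semantics, not Snort's own code.
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float      # capture time in seconds (constructed)
    src: str
    dst: str
    dport: int
    flags: str     # "S" = SYN only, "SA" = SYN-ACK, "A" = ACK

class DetectionFilter:
    """Per-host counter: alert on every match after `count` matches inside a
    `seconds` window that starts at the tracked host's first match."""
    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.state = {}            # host -> [window_start, matches]

    def exceeded(self, pkt):
        host = pkt.src if self.track == "by_src" else pkt.dst
        st = self.state.get(host)
        if st is None or pkt.ts - st[0] >= self.seconds:
            self.state[host] = [pkt.ts, 1]   # open a fresh window
            return False
        st[1] += 1
        return st[1] > self.count

def syn_flood_alerts(packets, track="by_dst", count=50, seconds=10,
                     home_net="192.168.56."):
    # alert tcp any any -> $HOME_NET 80 (flags:S; detection_filter: ...)
    filt = DetectionFilter(track, count, seconds)
    return [(p.ts, p.src, p.dst) for p in packets
            if p.flags == "S" and p.dport == 80 and p.dst.startswith(home_net)
            and filt.exceeded(p)]

def flood_sample(n=120, spacing=0.05, rand_source=True):
    """Constructed flood: n SYNs to the victim; unique spoofed sources stand
    in for --rand-source, otherwise one real attacker address."""
    return [Pkt(100 + i * spacing,
                f"198.51.{i // 250 + 1}.{i % 250 + 1}" if rand_source
                else "192.168.56.105",
                "192.168.56.106", 80, "S") for i in range(n)]

if __name__ == "__main__":
    print(len(syn_flood_alerts(flood_sample())))                   # by_dst: 70
    print(len(syn_flood_alerts(flood_sample(), track="by_src")))   # by_src: 0
    print(len(syn_flood_alerts(flood_sample(n=60, spacing=1.0))))  # slow: 0
```

The third case sends one SYN per second, so the window resets before the count passes 50 and no alert is raised, which is the rate the threshold is tuned to ignore.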

After adding the custom rule, execute the following command with root privileges to restart Snort:

sudo /etc/init.d/snort restart

This will apply the changes and activate the custom rule.

To test the Snort configuration, run the attack described in the previous section using a single hping3 instance. Then, monitor the alert file (owned by root) using the following command:

sudo tail -f /var/log/snort/alert

This will display the alerts generated by Snort in real-time. If the attack is detected, you should see an alert with the sid 1000001, indicating that the TCP SYN flood rule has been triggered.


Written by Ian Peter

CTF player. Cybersecurity enthusiast and Computer science student