DEV Community

Cover image for SYN Flood Attack
Grzegorz Piechnik
Grzegorz Piechnik

Posted on • Edited on

SYN Flood Attack

Despite the passage of time, some forms of attacks do not change, only their form is slightly modified. One of the simplest attacks that can be used in various ways is the SYN flood attack. In this regard, let's zoom in a bit on its image.

What is a SYN flood attack?

To illustrate this, let's recall how the TCP protocol works.

      TCP A                                                TCP B

  1.  CLOSED                                               LISTEN
  2.  SYN-SENT    --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED
  3.  ESTABLISHED <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED
  4.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK>       --> ESTABLISHED
  5.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK><DATA> --> ESTABLISHED
Enter fullscreen mode Exit fullscreen mode

What we need to know about this TCP communication is that the client (TCP A) sends a request to establish a connection, sending a SYN message to the server (TCP B). To this the server responds with a SYN-ACK message, and the client again sends a messageโ€Šโ€”โ€Šthis time ACK. In this way, a connection is established. Here we also get to the heart of the matter.

In a SYN flood attack, the attacker sends SYN packets one by one (it also often happens to different network ports). In this way, the server responds to each connection attempt with a SYN-ACK packet, with the ultimate goal of overloading and blocking the server's services.

Construction of the script

To begin with, let's look at a simple script prepared in Python.

from scapy.all import *

target_ip = "127.0.0.1"
target_port = 80

ip = IP(dst = target_ip)
tcp = TCP(sport = RandShort(), dport = target_port, flags = "S")

raw = Raw(b"X"*1024)
p = ip / tcp / raw
send(p, loop = 1, verbose = 0)
Enter fullscreen mode Exit fullscreen mode

First, we initialize a variable holding the ip and port of the attacked machine. Then we create a packet whose destination address is the address of the attacked server (IP(dst = target_ip)). At this point it is worth mentioning that if we wanted to spoof the IP address of the opening connection, we can specify the optional parameter src to in the creation of an instance of the IP class. In the following lines (TCP(sport = RandShort(), dport = target_port, flags = "S")) we create a SYN packet with a random source port and a destination port as target_port. It remains to create data (variable raw), create layers (ip / tcp / raw) and send the constructed packet in a loop. At best, the server will stop responding.

Sources

https://pl.wikipedia.org/wiki/SYN_flood
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

Top comments (0)