Synflooding a Linux

From: Ivan Wong (
Date: 10/19/03

Date: Mon, 20 Oct 2003 01:51:12 +0800 (CST)

    Dear all,

    I'm carrying out a research on DDOS attack and defence. After I have written the code for synflood, I try it in my private network with a Linux victim, but the result is not what I have expected.

    The victim is a Redhat 8 (kernel 2.4). I start the httpd and listen on port 80. Then from another host I run my synflood program to attack port 80 with 2000 syn packets. At the victim host, I expect it to open up 1024 half-open connections (from tcp_max_syn_backlog), and then stop listening to the port, hold the connections for a few minutes after the attack. But the result is that the victim just opens 770 connections at maximum (I get this from "netstat -n | grep SYN_RECV -c") no matter how many packets I flood. But at the same time I use tcpdump at victim to count the syn packets received, all 2000 packets are received. Why doesn't the kernel open up the remaining

    Also, about 200 out of the 770 half-opened connections are closed very quickly. Within a few seconds, I use "netstat -n | grep SYN_RECV -c" again and only about 500 left. Then these 500 behave "normally", open up until a few minutes later.

    Someone suggested tcpcookies, but I'm sure my Linux doesn't have one (there is no such file /proc/sys/net/ipv4/tcp_syncookie). Also I'm sure it's not my attack code's problem (it's not difficult to generate syn packets with spoofed source address, right?) since I have used famous attacking tools such as neptune and syn4k but still get the same result.

    Does anyone have any idea? Thanks so much.

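The post measures the flood from the victim side by counting SYN_RECV sockets in `netstat -n` and comparing the figure with tcp_max_syn_backlog. The following script, added here as an example and not code from the poster or the thread, automates that check from a defender's seat: it parses classic net-tools `netstat -n` output, counts half-open sockets per local port, reads tcp_max_syn_backlog and tcp_syncookies from /proc/sys/net/ipv4 when they exist (falling back to caller-supplied values offline), and flags ports whose half-open count is approaching the backlog. The netstat sample, the hostnames/addresses in it and the `warn_ratio` threshold are constructed for the example.

```python
"""Count half-open (SYN_RECV) TCP sockets per local port from `netstat -n`
output and compare them with the kernel's SYN backlog settings.

Added example for the thread above; not the poster's code. Assumes the
classic net-tools `netstat -n` column layout:
  Proto Recv-Q Send-Q Local Address Foreign Address State
"""
from __future__ import annotations

from collections import Counter
from pathlib import Path

SYSCTL_DIR = Path("/proc/sys/net/ipv4")

# Constructed sample of `netstat -n` output (addresses are made up):
# three SYN_RECV sockets on port 80, one ESTABLISHED, one SYN_RECV on 22.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:80         10.11.12.13:1025        SYN_RECV
tcp        0      0 192.168.1.10:80         10.200.3.4:40001        SYN_RECV
tcp        0      0 192.168.1.10:80         172.16.9.9:5555         SYN_RECV
tcp        0      0 192.168.1.10:80         192.168.1.20:33211      ESTABLISHED
tcp        0      0 192.168.1.10:22         192.168.1.20:33212      SYN_RECV
"""


def count_syn_recv(netstat_output: str) -> dict[str, int]:
    """Return {local_port: number of SYN_RECV sockets} parsed from netstat -n."""
    counts: Counter[str] = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Socket rows have six columns; the banner and header lines do not.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, state = fields[3], fields[5]
        if state != "SYN_RECV":
            continue
        # rsplit on the last ':' so IPv6 literals such as ::1:80 parse too.
        port = local.rsplit(":", 1)[1]
        counts[port] += 1
    return dict(counts)


def read_sysctl(name: str, default: int) -> int:
    """Read an integer sysctl from /proc/sys/net/ipv4; use `default` offline."""
    try:
        return int((SYSCTL_DIR / name).read_text().strip())
    except (OSError, ValueError):
        return default


def backlog_report(netstat_output: str, max_syn_backlog: int,
                   syncookies: int, warn_ratio: float = 0.5) -> list[str]:
    """Flag ports whose half-open count is >= warn_ratio * max_syn_backlog.

    Returns one text line per flagged port, busiest first; an empty list
    means no port is near its SYN backlog. The syncookies flag decides what
    happens once the backlog fills, so it is echoed in the report.
    """
    threshold = warn_ratio * max_syn_backlog
    report: list[str] = []
    by_port = sorted(count_syn_recv(netstat_output).items(),
                     key=lambda kv: -kv[1])
    for port, half_open in by_port:
        if half_open < threshold:
            continue
        status = ("tcp_syncookies=1: service continues once the backlog is full"
                  if syncookies else
                  "tcp_syncookies=0: new SYNs are dropped once the backlog is full")
        report.append(f"port {port}: {half_open} half-open of backlog "
                      f"{max_syn_backlog} ({status})")
    return report


if __name__ == "__main__":
    # Defaults are assumptions for offline use; 1024 matches the value the
    # post quotes for tcp_max_syn_backlog.
    backlog = read_sysctl("tcp_max_syn_backlog", default=1024)
    cookies = read_sysctl("tcp_syncookies", default=0)
    # A deliberately tiny backlog makes the constructed sample trip the check.
    for line in backlog_report(SAMPLE_NETSTAT, 4, cookies) or \
            ["no port near its SYN backlog"]:
        print(line)
    print(f"live kernel settings: backlog={backlog}, syncookies={cookies}")
```

On a real host, feed the script the output of `netstat -n` (or run it in a loop) and drop the artificial backlog of 4 in favour of the value `read_sysctl` returns; the per-port breakdown also separates a flood on port 80 from ordinary SYN_RECV entries on other services, which a bare `grep SYN_RECV -c` cannot do.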
