Synflooding a Linux
From: Ivan Wong (jveron23_at_yahoo.com.hk)
Date: 10/19/03
Date: Mon, 20 Oct 2003 01:51:12 +0800 (CST)
To: focus-linux@securityfocus.com
Dear all,

I'm carrying out research on DDoS attack and defence. After writing
the code for a synflood, I tried it in my private network with a Linux
victim, but the result is not what I expected.

The victim is a Redhat 8 (kernel 2.4). I start the httpd and listen on
port 80. Then from another host I run my synflood program to attack
port 80 with 2000 syn packets. At the victim host, I expect it to open
up 1024 half-open connections (from tcp_max_syn_backlog), and then stop
listening to the port, hold the connections for a few minutes after the
attack. But the result is that the victim just opens 770 connections at
maximum (I get this from "netstat -n | grep SYN_RECV -c") no matter how
many packets I flood. But at the same time I use tcpdump at the victim
to count the syn packets received, and all 2000 packets are received.
Why doesn't the kernel open up the remaining connections?

Also, about 200 out of the 770 half-opened connections are closed very
quickly. Within a few seconds, I use "netstat -n | grep SYN_RECV -c"
again and only about 500 are left. Then these 500 behave "normally",
open up until a few minutes later.

Someone suggested tcpcookies, but I'm sure my Linux doesn't have one
(there is no such file /proc/sys/net/ipv4/tcp_syncookie). Also I'm sure
it's not my attack code's problem (it's not difficult to generate syn
packets with spoofed source address, right?) since I have used famous
attacking tools such as neptune and syn4k but still get the same
result.

Does anyone have any idea? Thanks so much.

Regards,
Ivan
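
Added example (not part of the original post): a Python sketch of the victim-side measurement described above, counting SYN_RECV sockets per local port from /proc/net/tcp and reading the related sysctls next to the count. The SAMPLE rows and all function names are constructed for illustration.

```python
import os
import socket
from collections import Counter

SYN_RECV = 0x03  # TCP_SYN_RECV in the kernel's socket state numbering

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 0A00000A:0050 0100000A:C001 03 00000000:00000000
   2: 0A00000A:0050 0200000A:C002 03 00000000:00000000
   3: 0A00000A:0050 0300000A:C003 03 00000000:00000000
   4: 0A00000A:0016 0400000A:C004 01 00000000:00000000
"""

def parse_proc_net_tcp(text):
    """Yield (local_port, remote_ip, state) for each socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[1].split(":")[1], 16)
        # IPv4 addresses are printed as little-endian hex on x86 hosts.
        raw = bytes.fromhex(fields[2].split(":")[0])
        yield port, socket.inet_ntoa(raw[::-1]), int(fields[3], 16)

def half_open_by_port(text):
    """Count sockets in SYN_RECV per local port."""
    return Counter(p for p, _ip, st in parse_proc_net_tcp(text) if st == SYN_RECV)

def read_sysctl(name, root="/proc/sys/net/ipv4"):
    """Return a sysctl as int, or None when the kernel does not expose it."""
    try:
        with open(os.path.join(root, name)) as f:
            return int(f.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None

def backlog_usage(counts, backlog):
    """Map port -> half-open count as a fraction of tcp_max_syn_backlog."""
    return {port: n / backlog for port, n in counts.items()} if backlog else {}

if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    backlog = read_sysctl("tcp_max_syn_backlog")
    counts = half_open_by_port(text)
    print("tcp_max_syn_backlog:", backlog)
    print("tcp_syncookies:", read_sysctl("tcp_syncookies"))
    print("tcp_synack_retries:", read_sysctl("tcp_synack_retries"))
    for port, frac in sorted(backlog_usage(counts, backlog).items()):
        print(f"port {port}: {counts[port]} half-open ({frac:.0%} of backlog)")
```

Sampling this once per second during a test gives a per-port time series of half-open sockets, which is easier to compare against the sysctl values than a single grep count.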