How to test synflood prevention

How to test synflood prevention

[Peggy Kam]

Hi,

I have set up some rules for preventing the synflood attack, ie:

iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -A SYN_FLOOD -j DROP
iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j DROP

However, the firewall does not seem to filter any packets.  I have used 
the following tcpflood.c program to generate the flood, however, when I 
used tcpdump and checked the message log with the firewall with and 
without the above rules, they gave me the same results.  So, may I ask 
how I can test the firewall for DoS attack?

Thanks in advance,
Peggy



#tcpflood.c

#include <unistd.h>
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/types.h>


int main(int argc, char **argv) {

  struct sockaddr_in to_addr;
  int s;

  bzero(&to_addr, sizeof(to_addr));
  to_addr.sin_family=AF_INET;


  if ( argc == 3 ) {
        to_addr.sin_addr.s_addr=inet_addr(argv[1]);
        to_addr.sin_port=htons(atoi(argv[2]));
  }

  else {
        fprintf(stderr, "Usage: %s <IP> <PORT>\n", argv[0]);
        return 1;
  }

  printf("Flooding  %s:%d ...\n", argv[1], atoi(argv[2]));

  while (1) {

        if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
                fprintf(stderr, "Error: socket()\n");
                return 1;
        }

        if ((connect(s, (struct sockaddr *)&to_addr, sizeof to_addr)) < 0) {
                perror("connect()");
                return 1;
        }


        printf(".");
        fflush(stdout);
        close(s);

  }

  return 0;

}

                           

RE: How to test synflood prevention

[Daniel Chemko]

Try using raw sockets and cook your own headers, or just use tools that
are designed for it, like netcat

Peggy Kam wrote:
> Hi,
> 
> I have set up some rules for preventing the synflood attack, ie:
> 
> iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j ACCEPT
> iptables -A SYN_FLOOD -j DROP
> iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j
> DROP 
> 
> However, the firewall does not seem to filter any packets.  I have
> used 
> the following tcpflood.c program to generate the flood, however, when
> I used tcpdump and checked the message log with the firewall with and
> without the above rules, they gave me the same results.  So, may I ask
> how I can test the firewall for DoS attack?
> 
> Thanks in advance,
> Peggy
> 
> 
> 
> #tcpflood.c
> 
> #include <unistd.h>
> #include <stdio.h>
> #include <netdb.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <sys/types.h>
> 
> 
> int main(int argc, char **argv) {
> 
>   struct sockaddr_in to_addr;
>   int s;
> 
>   bzero(&to_addr, sizeof(to_addr));
>   to_addr.sin_family=AF_INET;
> 
> 
>   if ( argc == 3 ) {
>         to_addr.sin_addr.s_addr=inet_addr(argv[1]);
>         to_addr.sin_port=htons(atoi(argv[2]));
>   }
> 
>   else {
>         fprintf(stderr, "Usage: %s <IP> <PORT>\n", argv[0]);
>         return 1;
>   }
> 
>   printf("Flooding  %s:%d ...\n", argv[1], atoi(argv[2]));
> 
>   while (1) {
> 
>         if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
>                 fprintf(stderr, "Error: socket()\n");
>                 return 1;
>         }
> 
>         if ((connect(s, (struct sockaddr *)&to_addr, sizeof to_addr))
>                 < 0) { perror("connect()");
>                 return 1;
>         }
> 
> 
>         printf(".");
>         fflush(stdout);
>         close(s);
> 
>   }
> 
>   return 0;
> 
> }

Re: How to test synflood prevention

[Peggy Kam]

[-- Attachment #1: Type: text/plain, Size: 2743 bytes --]

Hi,

I tried to use netcat for generating flood and listening on one machine,
    ie. ./flood.sh attacked_machine_ip attacked_port 1000 | 
/prod/netcat/bin nc -l -p 2222

And tried to do ./nc ip_address_of_the_above_machine 2222 -x -t

I have also set up the firewall as follows:
iptables -N SYN_FLOOD
iptables -i eth1 -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j DROP

And I have been getting packets transfer between the 2 machines.

May I ask how I can debug the network using this tool netcat.  I am not 
familar with the raw socket stuff at all.  Any help on this is appreciated.

Thanks in advance,
Peggy


Daniel Chemko wrote:

>Try using raw sockets and cook your own headers, or just use tools that
>are designed for it, like netcat
>
>Peggy Kam wrote:
>  
>
>>Hi,
>>
>>I have set up some rules for preventing the synflood attack, ie:
>>
>>iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j ACCEPT
>>iptables -A SYN_FLOOD -j DROP
>>iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j
>>DROP 
>>
>>However, the firewall does not seem to filter any packets.  I have
>>used 
>>the following tcpflood.c program to generate the flood, however, when
>>I used tcpdump and checked the message log with the firewall with and
>>without the above rules, they gave me the same results.  So, may I ask
>>how I can test the firewall for DoS attack?
>>
>>Thanks in advance,
>>Peggy
>>
>>
>>
>>#tcpflood.c
>>
>>#include <unistd.h>
>>#include <stdio.h>
>>#include <netdb.h>
>>#include <stdlib.h>
>>#include <string.h>
>>#include <unistd.h>
>>#include <sys/socket.h>
>>#include <netinet/in.h>
>>#include <arpa/inet.h>
>>#include <sys/types.h>
>>
>>
>>int main(int argc, char **argv) {
>>
>>  struct sockaddr_in to_addr;
>>  int s;
>>
>>  bzero(&to_addr, sizeof(to_addr));
>>  to_addr.sin_family=AF_INET;
>>
>>
>>  if ( argc == 3 ) {
>>        to_addr.sin_addr.s_addr=inet_addr(argv[1]);
>>        to_addr.sin_port=htons(atoi(argv[2]));
>>  }
>>
>>  else {
>>        fprintf(stderr, "Usage: %s <IP> <PORT>\n", argv[0]);
>>        return 1;
>>  }
>>
>>  printf("Flooding  %s:%d ...\n", argv[1], atoi(argv[2]));
>>
>>  while (1) {
>>
>>        if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
>>                fprintf(stderr, "Error: socket()\n");
>>                return 1;
>>        }
>>
>>        if ((connect(s, (struct sockaddr *)&to_addr, sizeof to_addr))
>>                < 0) { perror("connect()");
>>                return 1;
>>        }
>>
>>
>>        printf(".");
>>        fflush(stdout);
>>        close(s);
>>
>>  }
>>
>>  return 0;
>>
>>}
>>
>
>  
>

[-- Attachment #2: Type: text/html, Size: 3345 bytes --]

Re: How to test synflood prevention

[Peggy Kam]

[-- Attachment #1: Type: text/plain, Size: 2934 bytes --]

Can anyone help?

Thanks again,
Peggy

Peggy Kam wrote:

> Hi,
>
> I tried to use netcat for generating flood and listening on one machine,
>     ie. ./flood.sh attacked_machine_ip attacked_port 1000 | 
> /prod/netcat/bin nc -l -p 2222
>
> And tried to do ./nc ip_address_of_the_above_machine 2222 -x -t
>
> I have also set up the firewall as follows:
> iptables -N SYN_FLOOD
> iptables -i eth1 -A INPUT -p tcp --syn -j SYN_FLOOD
> iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j RETURN
> iptables -A SYN_FLOOD -j DROP
> iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j DROP
>
> And I have been getting packets transfer between the 2 machines.
>
> May I ask how I can debug the network using this tool netcat.  I am 
> not familar with the raw socket stuff at all.  Any help on this is 
> appreciated.
>
> Thanks in advance,
> Peggy
>
>
> Daniel Chemko wrote:
>
>>Try using raw sockets and cook your own headers, or just use tools that
>>are designed for it, like netcat
>>
>>Peggy Kam wrote:
>>  
>>
>>>Hi,
>>>
>>>I have set up some rules for preventing the synflood attack, ie:
>>>
>>>iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j ACCEPT
>>>iptables -A SYN_FLOOD -j DROP
>>>iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j
>>>DROP 
>>>
>>>However, the firewall does not seem to filter any packets.  I have
>>>used 
>>>the following tcpflood.c program to generate the flood, however, when
>>>I used tcpdump and checked the message log with the firewall with and
>>>without the above rules, they gave me the same results.  So, may I ask
>>>how I can test the firewall for DoS attack?
>>>
>>>Thanks in advance,
>>>Peggy
>>>
>>>
>>>
>>>#tcpflood.c
>>>
>>>#include <unistd.h>
>>>#include <stdio.h>
>>>#include <netdb.h>
>>>#include <stdlib.h>
>>>#include <string.h>
>>>#include <unistd.h>
>>>#include <sys/socket.h>
>>>#include <netinet/in.h>
>>>#include <arpa/inet.h>
>>>#include <sys/types.h>
>>>
>>>
>>>int main(int argc, char **argv) {
>>>
>>>  struct sockaddr_in to_addr;
>>>  int s;
>>>
>>>  bzero(&to_addr, sizeof(to_addr));
>>>  to_addr.sin_family=AF_INET;
>>>
>>>
>>>  if ( argc == 3 ) {
>>>        to_addr.sin_addr.s_addr=inet_addr(argv[1]);
>>>        to_addr.sin_port=htons(atoi(argv[2]));
>>>  }
>>>
>>>  else {
>>>        fprintf(stderr, "Usage: %s <IP> <PORT>\n", argv[0]);
>>>        return 1;
>>>  }
>>>
>>>  printf("Flooding  %s:%d ...\n", argv[1], atoi(argv[2]));
>>>
>>>  while (1) {
>>>
>>>        if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
>>>                fprintf(stderr, "Error: socket()\n");
>>>                return 1;
>>>        }
>>>
>>>        if ((connect(s, (struct sockaddr *)&to_addr, sizeof to_addr))
>>>                < 0) { perror("connect()");
>>>                return 1;
>>>        }
>>>
>>>
>>>        printf(".");
>>>        fflush(stdout);
>>>        close(s);
>>>
>>>  }
>>>
>>>  return 0;
>>>
>>>}
>>>
>>
>>  
>>

[-- Attachment #2: Type: text/html, Size: 3644 bytes --]