From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peggy Kam Subject: Re: How to test synflood prevention Date: Wed, 18 Feb 2004 14:01:00 -0500 Sender: netfilter-admin@lists.netfilter.org Message-ID: <4033B66C.9070800@n-dsi.com> References: <7C9884991ADAE0479C14F10C858BCDF567917A@alderaan.smgtec.com> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="------------000003090903080000090104" Return-path: In-Reply-To: <7C9884991ADAE0479C14F10C858BCDF567917A@alderaan.smgtec.com> Errors-To: netfilter-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Id: List-Unsubscribe: , List-Archive: To: Daniel Chemko , netfilter@lists.netfilter.org This is a multi-part message in MIME format. --------------000003090903080000090104 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Hi, I tried to use netcat for generating flood and listening on one machine, ie. ./flood.sh attacked_machine_ip attacked_port 1000 | /prod/netcat/bin nc -l -p 2222 And tried to do ./nc ip_address_of_the_above_machine 2222 -x -t I have also set up the firewall as follows: iptables -N SYN_FLOOD iptables -i eth1 -A INPUT -p tcp --syn -j SYN_FLOOD iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j RETURN iptables -A SYN_FLOOD -j DROP iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j DROP And I have been getting packets transfer between the 2 machines. May I ask how I can debug the network using this tool netcat. I am not familar with the raw socket stuff at all. Any help on this is appreciated. Thanks in advance, Peggy Daniel Chemko wrote: >Try using raw sockets and cook your own headers, or just use tools that >are designed for it, like netcat > >Peggy Kam wrote: > > >>Hi, >> >>I have set up some rules for preventing the synflood attack, ie: >> >>iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j ACCEPT >>iptables -A SYN_FLOOD -j DROP >>iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j >>DROP >> >>However, the firewall does not seem to filter any packets. I have >>used >>the following tcpflood.c program to generate the flood, however, when >>I used tcpdump and checked the message log with the firewall with and >>without the above rules, they gave me the same results. So, may I ask >>how I can test the firewall for DoS attack? >> >>Thanks in advance, >>Peggy >> >> >> >>#tcpflood.c >> >>#include >>#include >>#include >>#include >>#include >>#include >>#include >>#include >>#include >>#include >> >> >>int main(int argc, char **argv) { >> >> struct sockaddr_in to_addr; >> int s; >> >> bzero(&to_addr, sizeof(to_addr)); >> to_addr.sin_family=AF_INET; >> >> >> if ( argc == 3 ) { >> to_addr.sin_addr.s_addr=inet_addr(argv[1]); >> to_addr.sin_port=htons(atoi(argv[2])); >> } >> >> else { >> fprintf(stderr, "Usage: %s \n", argv[0]); >> return 1; >> } >> >> printf("Flooding %s:%d ...\n", argv[1], atoi(argv[2])); >> >> while (1) { >> >> if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) { >> fprintf(stderr, "Error: socket()\n"); >> return 1; >> } >> >> if ((connect(s, (struct sockaddr *)&to_addr, sizeof to_addr)) >> < 0) { perror("connect()"); >> return 1; >> } >> >> >> printf("."); >> fflush(stdout); >> close(s); >> >> } >> >> return 0; >> >>} >> > > > --------------000003090903080000090104 Content-Type: text/html; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable Hi,

I tried to use netcat for generating flood and listening on one machine,
=A0=A0=A0 ie. ./flood.sh attacked_machine_ip attacked_port 1000 | /prod/netcat/bin nc -l -p 2222

And tried to do ./nc ip_address_of_the_above_machine 2222 -x -t

I have also set up the firewall as follows:
iptables -N SYN_FLOOD
iptables -i eth1 -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j DROP

And I have been getting packets transfer between the 2 machines.

May I ask how I can debug the network using this tool netcat.=A0 I am not familar with the raw socket stuff at all.=A0 Any help on this is appreciated.

Thanks in advance,
Peggy


Daniel Chemko wrote:
Try using raw sockets and cook your own headers, or just=
 use tools that
are designed for it, like netcat

Peggy Kam wrote:
  
Hi,

I have set up some rules for preventing the synflood attack, ie:

iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -A SYN_FLOOD -j DROP
iptables -A SYN_FLOOD -i eth1 -p tcp ! --syn -m state --state NEW -j
DROP=20

However, the firewall does not seem to filter any packets.  I have
used=20
the following tcpflood.c program to generate the flood, however, when
I used tcpdump and checked the message log with the firewall with and
without the above rules, they gave me the same results.  So, may I ask
how I can test the firewall for DoS attack?

Thanks in advance,
Peggy



#tcpflood.c

#include <unistd.h>
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/types.h>


int main(int argc, char **argv) {

  struct sockaddr_in to_addr;
  int s;

  bzero(&to_addr, sizeof(to_addr));
  to_addr.sin_family=3DAF_INET;


  if ( argc =3D=3D 3 ) {
        to_addr.sin_addr.s_addr=3Dinet_addr(argv[1]);
        to_addr.sin_port=3Dhtons(atoi(argv[2]));
  }

  else {
        fprintf(stderr, "Usage: %s <IP> <PORT>\n", argv[0]);
        return 1;
  }

  printf("Flooding  %s:%d ...\n", argv[1], atoi(argv[2]));

  while (1) {

        if ((s =3D socket(PF_INET, SOCK_STREAM, 0)) < 0) {
                fprintf(stderr, "Error: socket()\n");
                return 1;
        }

        if ((connect(s, (struct sockaddr *)&to_addr, sizeof to_addr))
                < 0) { perror("connect()");
                return 1;
        }


        printf(".");
        fflush(stdout);
        close(s);

  }

  return 0;

}
--------------000003090903080000090104--