I am working on a lesson for my security class to show them how a SYN flood works. I am using C# and I am having some problems with getting the raw socket working properly. Does anyone have any background in this area to help me out?
Thank You,
David Demland
A SYN flood attack exploits an inherent weakness in the TCP/IP protocol. Properly establishing a new TCP socket requires a three-step process. Here it is at a high level:
1. The source of the connection (the originator, such as a web browser) initiates the connection by sending a SYN packet.
2. The destination (receiver of the SYN request) responds by sending back to the source a packet that has the SYN and ACK flags set (a "SYN/ACK packet").
3. The source acknowledges receipt of the second packet (SYN/ACK) by sending to the destination a third packet with only the ACK flag set (an "ACK packet").
Once this three-way handshake is complete, the TCP connection is considered “open” and data can be sent to and fro on that socket. Between steps 2 and 3 of the handshake, the destination must keep a record of the connection that is being established. At that point it is still incomplete and waiting for the final ACK packet from the source. Most systems have only a limited amount of memory for these tables. If too many connection attempts are left in this incomplete state, the destination (web server, for instance) will run out of space waiting for completions of what it has stored in an incomplete state. At that stage requests for new connections from legitimate entities cannot be serviced and will be lost. Most TCP/IP implementations by default impose a relatively long timeout period (several minutes) before incomplete connections are cleared out.
What was just described represents a SYN Flood. During the attack, a large number of SYN packets alone are sent to the destination. These requests will never have the corresponding ACK responses and the victim’s TCP connections table rapidly fills with incomplete connections. This will not allow legitimate traffic to be serviced; hence the denial is in effect. The technique usually implements a rate of attacking SYN packets that far exceeds normal traffic; hence the flood. So even when the target’s connection table is cleared out, another attacking SYN packet, as opposed to legitimate ones, will fill it.
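The state described in the answer above, the listener's table of half-open connections filling with SYNs that never get their ACK, can be modelled without touching the network at all. The following Python is an added example, not code from the original poster or the answerer: it simulates a server-side half-open table with a fixed capacity and a timeout, replays a constructed packet trace (one source sending 20 SYNs it never completes, then one legitimate client that does complete the handshake), and shows how the legitimate connection is lost with a long timeout but survives with a short one. It also includes the simple per-source check a defender would run over connection logs to spot the source responsible. The IP addresses are from the documentation ranges and are constructed for the example; the `HalfOpenTable`, `run`, `half_open_by_source` and `flag_sources` names are my own.

```python
"""Model of a TCP listener's half-open (SYN_RECV) table under a burst of
unanswered SYNs, plus a per-source detector over the same trace.
Added example for teaching; all addresses and events are constructed."""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Server-side table of connections stuck between handshake steps 2 and 3."""
    capacity: int            # how many half-open entries the listener can hold
    timeout: float           # seconds before an un-ACKed entry is cleared
    entries: dict = field(default_factory=dict)  # (src, sport) -> time of SYN
    dropped: int = 0         # SYNs refused because the table was full
    established: int = 0     # handshakes completed by a matching ACK

    def expire(self, now: float) -> None:
        """Clear entries whose SYN is older than the timeout."""
        for key, t in list(self.entries.items()):
            if now - t >= self.timeout:
                del self.entries[key]

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        """Handshake step 1 seen: reserve a slot, or drop if the table is full."""
        self.expire(now)
        key = (src, sport)
        if key in self.entries:
            return True  # retransmitted SYN reuses its existing slot
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[key] = now
        return True

    def on_ack(self, src: str, sport: int, now: float) -> bool:
        """Handshake step 3 seen: only counts if its half-open entry is still there."""
        if self.entries.pop((src, sport), None) is None:
            return False  # no matching entry: it was dropped or timed out
        self.established += 1
        return True


# Constructed trace: (time_s, flag, source_ip, source_port).
SYN_SOURCE = "198.51.100.7"   # constructed, from the TEST-NET-2 documentation range
CLIENT = "192.0.2.10"         # constructed, from the TEST-NET-1 documentation range
EVENTS = [(0.01 * i, "SYN", SYN_SOURCE, 40000 + i) for i in range(20)]  # never ACKed
EVENTS += [(5.0, "SYN", CLIENT, 51000), (5.1, "ACK", CLIENT, 51000)]      # real client


def run(events, capacity: int, timeout: float) -> HalfOpenTable:
    """Replay the trace through a half-open table and return its final state."""
    table = HalfOpenTable(capacity, timeout)
    for t, flag, src, sport in sorted(events):
        if flag == "SYN":
            table.on_syn(src, sport, t)
        elif flag == "ACK":
            table.on_ack(src, sport, t)
    return table


def half_open_by_source(events) -> dict:
    """Detector: count SYNs per source IP that never received a matching ACK."""
    pending = {}
    for t, flag, src, sport in sorted(events):
        key = (src, sport)
        if flag == "SYN":
            pending.setdefault(key, t)
        elif flag == "ACK":
            pending.pop(key, None)
    counts = {}
    for src, _sport in pending:
        counts[src] = counts.get(src, 0) + 1
    return counts


def flag_sources(events, threshold: int) -> list:
    """Sources with at least `threshold` half-open connections in the trace."""
    return sorted(src for src, n in half_open_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    for timeout in (180.0, 3.0):
        t = run(EVENTS, capacity=16, timeout=timeout)
        print(f"timeout={timeout:>5}s  dropped={t.dropped}  established={t.established}")
    print("half-open per source:", half_open_by_source(EVENTS))
    print("flagged (>=10 half-open):", flag_sources(EVENTS, 10))
```

With a 180-second timeout the 16 slots are still occupied when the legitimate client arrives at t=5, so its SYN is dropped and its later ACK finds no entry; with a 3-second timeout the stale entries have been expired and the client connects. As the answer notes, a shorter timeout alone is only a partial fix, because a continuing stream of SYNs refills the table as fast as it is cleared; the per-source count is the signal that lets a defender rate-limit or filter the offending source rather than wait for expiry.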