
Running Head: Prevention of SYN Flood Attack Using IP Tables 1


Prevention of SYN flood attack using IP tables


Table of Contents
List of Figures......................................................................................................................5
List of Tables.......................................................................................................................6
Introduction..........................................................................................................................7
Action Research Methodology............................................................................................9
Introduction......................................................................................................................9
Origins of Action Research..............................................................................................9
Phases of Action Research.............................................................................................10
Types of Action Research..............................................................................................10
Principle of Action Research.........................................................................................11
Application of Action Research.....................................................................................11
Literature Review..............................................................................................................13
Denial of Service attacks...............................................................................................13
Characteristics of Denial of Service Attack...................................................................13
Distributed Denial of Service (DDoS) Attacks..............................................................14
Different Kinds of DoS Attacks.....................................................................................15
SYN Flood Attack..........................................................................................................15
SYN Flood Attack Description......................................................................................16
Mitigation/Defense Measures against Attacks...............................................................17
Defense against SYN flood attacks...............................................................................17


Proposal.............................................................................................................................20
First iteration: Gaining insight and knowledge about SYN flood and TCP connections.......24
Plan phase......................................................................................................................24
Action phase..................................................................................................................25
Observation phase..........................................................................................................27
Reflection phase.................................................................................................................30
Second Iteration: Learning Python language and Scapy tool............................................32
Plan phase......................................................................................................................32
Action phase..................................................................................................................33
Observation phase..........................................................................................................35
Reflection phase.................................................................................................................36
Third Iteration Performing SYN flood attack using Python and Scapy tool in a
virtualized environment.................................................................................................................38
Plan phase......................................................................................................................38
Action phase..................................................................................................................39
Observation phase..........................................................................................................41
Reflection phase.................................................................................................................49
Fourth Iteration SYN flood attack using IP table features in Linux based machines......50
Plan phase......................................................................................................................50
Action phase..................................................................................................................51


Observation phase..........................................................................................................53
Reflection phase.............................................................................................................54
References..........................................................................................................................56

List of Figures

Figure 1: Iterations.............................................................................................................21
Figure 2: VMware software installation............................................................................41
Figure 3: Attacker's Virtual machine.................................................................................42
Figure 4: Victim's virtual machine.....................................................................................42
Figure 5: Checking Python Version...................................................................................43
Figure 6: Downloading Scapy tool on Ubuntu machine...................................................43
Figure 7: Scapy Installation - Unzipping zip file...............................................................44
Figure 8: Scapy installation...............................................................................................44
Figure 9: Scapy installation complete................................................................................45
Figure 10: Single Packet crafting for SYN attack.............................................................45
Figure 11: Sending single packet.......................................................................................46
Figure 12: Output of single SYN flood packet..................................................................46
Figure 13: Writing Python script for Attacking.................................................................47
Figure 14: Running Python script......................................................................................47
Figure 15: Continuous loop in python script.....................................................................48
Figure 16: SYN flood attack as captured in Wireshark.....................................................48
Figure 17: Writing shell script...........................................................................................53
Figure 18: Running shell script..........................................................................................54
Figure 19: Prevention of SYN flood attack.......................................................................54

List of Tables
Table 1: Details of Virtual machines..................................................................................36

Introduction
This project focuses on the prevention of SYN flood attacks using the iptables firewall on
Linux-based machines. SYN flooding is a type of Denial of Service (DoS) attack in which an
attacker sends a series of SYN requests to a target system in order to consume enough of the
server's computing resources to make its services unavailable or unresponsive to genuine
traffic. SYN flood attacks are generally carried out with the help of botnets.
A SYN flood attack is based on the three-way handshake of the Transmission Control
Protocol (TCP). During the three-way handshake, the client initiates a connection by sending a
TCP segment with the SYN flag (S flag) to the desired port on the server. The server acknowledges
the client's request with a SYN-ACK segment (SA flags); this reply carries both an
acknowledgement and the server's own SYN. The client then answers with an ACK segment (A flag)
and the connection is established for data transmission; alternatively, the client can send an
RST reply to reset the connection.
During a SYN flood attack, the attacker sends hordes of SYN requests but never completes
the handshake: the server's SYN-ACK (SA flags) from the second step is never answered with the
final ACK. This leaves a half-open TCP connection. On the server side, the half-open connection
is kept in the SYN_RECV state, as the server assumes that the ACK packet may have been lost in
transit due to a network error. The server remains in SYN_RECV for a defined time and then
closes the connection. A single SYN request does not consume many server resources, as the
connection buffer does not fill up; but if millions of SYN requests are generated in a very short
time, the server's buffer fills up and it is unable to serve requests from genuine clients because
no memory resources are left. This condition is called a SYN flood attack. In a SYN flood attack,
the attacker uses multiple IP addresses across the world to generate millions of fake SYN
requests. The malicious clients using these IP addresses are also called botnets.
In this project, I will simulate a real-time SYN flood attack using the Python
programming language and the Scapy tool in a virtualized environment. Scapy is a very powerful
packet manipulation tool based on Python. It allows various parameters of a TCP packet to be
altered. Once the packet has been manipulated, it will be sent repeatedly to the target server via
a Python script to carry out the attack. For prevention of the attack, I will create a shell
script that automatically updates iptables rules based on certain parameters. iptables serves as
the kernel-level firewall and allows users to configure the server's firewall. The shell script
will auto-configure iptables based on the number of SYN requests from a single IP address. Once
the threshold number has been reached, the server will reject further suspicious TCP connections
from that IP address with TCP RST flags for a certain duration of time. Through this method, the
server can avoid potential SYN flood attacks.

Action Research Methodology


Introduction
Action research is a process of reflecting on ongoing problem solving, or a type of
exploration applied to a problem in order to answer it. It is led by a team of individuals
working hand in hand as a community. All of this is done to unravel problems and expand how
issues are addressed (Sandra, 1997). Action research can be categorized as participatory action
research or practical action research. The strategy of action research is to find the guidelines
for best practice or for solving a particular problem (Winter, 2010).
Origins of Action Research
Action research was first initiated by Kurt Lewin, a German experimental and social
psychologist who was troubled by the problems society faced. Kurt Lewin was one of the
forefathers of the Gestalt school. His main concerns were participation in group processes when
a crisis is being addressed, and variation and conflict in organizations (Sandra, 1997).
Lewin first introduced the term action research in 1946, characterizing it as comparative
research on the effects and conditions of forms of social studies. It is also the source of
social action taking place in a spiral process composed of a circle of action, preparation and
fact-finding for the purpose of results (Ortrun, 2013).
Another major personality who contributed to action research was Eric Trist. He worked
at the Tavistock Institute of Human Relations in the UK as a social psychiatrist. The institute was
used for social research concerning the civic repatriation of German prisoners (Susman, 2009).
Trist and Lewin held that research is a systematic change in organizations, and they were avid
proponents of the view that decisions are best implemented when they are arrived at by those who
help in making them (Susman, 2009).
Phases of Action Research
Action research follows a five-phase procedure to find a solution and improve the
practices of the organization (Susman, 2009). Problem identification is the first stage; it
involves stating the reason for carrying out the action research process through an explicit
statement of the problem in the form of a question. The next stage is planning for action, where a
new strategy is implemented to help in focusing and in setting an appropriate timeline when
addressing the problem. Data collection should follow the planning phase by collecting the
necessary data that can solve the problem for the research process. Analysis of the collected data
should be done next, covering what can be learned from the data and the meaning drawn from it.
The plan for future action should be the last phase; it provides the recommendations and the
changes that should be adopted after going through the action research process (Trist, 2012).
Types of Action Research
The first type of action research is traditional action research. As Lewin worked in
organizations, he concluded that action research comprises the principles and practices of group
dynamics, the T-Group, the clinical model and field theory (Tesch, 2010). This type of research
was initiated by the growing demand to manage labor relations in organizations, which led to the
application of action research to organizational democracy and quality of working life. The method
is associated with conserving the status quo of the organizational power structure.
Contextual action research is another type of action research; it was derived from
Trist's work and entails reconstruction of the structural relations among actors in a social
environment, involves all the stakeholders and stresses that the participants act as co-researchers
and project designers (Trist, 2012). Radical action research began with Antonio Gramsci's
dialectical materialism and the orientations of praxis. It has a firm emphasis on emancipation and
on ways to reduce and eradicate imbalances of power. Educational action research is centered on
the foundations laid by John Dewey, who had a great impact on the American philosophy of
education and believed that educators should also play a part in solving community problems
(Weisbord, 2015). This type of research has led university-based researchers to work with
community projects to enhance the understanding of such professionals (Winter, 2010).
Principle of Action Research
Reflective appraisal. Reflective appraisal is one of the principles of action research; it
argues that truth in a social setting is about the teller and not about transcripts or official
documents that make implicit claims to be authoritative. This principle helps individuals to
reflect on the procedures and conduct, and on the explicit biases, concerns, assumptions and
interpretations used to make judgments (Weisbord, 2015).
Dialectical critique, collaborative resources and risk. Dialectical critique is an
additional principle, arguing that shared language is a source of the violation of social reality
(Tesch, 2010). The collaborative resource principle, on the other hand, argues that co-researchers
are all those who contribute to an action research; therefore, each individual's idea is equally
significant as a potential resource for problem solving. Risk is another principle; it has
helped in analyzing the potential fears that may threaten already established ways of doing
things. Effective action research involves recognizing risk and stating that, whatever the
outcome, learning must take place to encourage more participation (Dick, 2013).
Application of Action Research
The action research approach is used in real situations, since its primary goal is
solving real problems rather than conducting experimental studies. Action research is also used in
preliminary research where the situation is too ambiguous to frame a research question. Action
research is mostly used when there is a need for flexibility, for quick changes that must take
place immediately, and where people must be involved in the research process.
The application of the action research method to IT-related projects is a good example of
a situation that requires quick changes (Lewin, 1946). IT projects automate the systems of the
organization, changing the way the organization functions entirely. Since the systems that are
introduced are somewhat technical, action research helps the employees to learn a lot while the
decisions are made, and they find it easier to work with the systems when they are completed
(Dick, Stringer & Huxham, 2009).
Action research has found application in information systems, where it can be used to
solve information systems problems such as ascertaining the information requirements of an
organization, formulating an information systems strategy, and a host of other applications. This
has led to the persistent call on information systems researchers to take up action research as an
investigative tool in the field (Keen, 1991).
In practice, action research was used by Lau and Hayward (1997) to examine how
internet-based communications can create a virtual collaborative workgroup in a social setting
consisting of health professionals and instructors. The researchers took the role of
facilitators in the project. In the end, the results showed that participants who used the
workgroup system interactively had a higher tendency to establish collaborative projects.

Literature Review
Denial of Service attacks
A denial of service (DoS) attack is a way of trying to make a network resource or a
machine unavailable to its intended users by flooding it with excessive traffic (Hussain,
Heidemann, & Papadopoulos, 2003). This is likely to abruptly and temporarily interrupt or
suspend the services of the hosts connected to the website. Denial of service attacks are
increasingly becoming a great hindrance to the performance of datacenters and web servers
(Moore, Shannon, Brown, Voelker, & Savage, 2006). This has brought about huge losses of
resources, especially financial ones, to organizations and entities. Examples of resources badly
affected by DoS attacks are network bandwidth, operating system (OS) data structures, and
computing power (Hussain et al., 2003). The attack has been widely noticed due to the spread of
internet services to people around the world. Most of the time the attack is directed at
websites and other web-related services and masterminded by people known as hackers. Hackers
flood traffic across the network channels, thereby blocking legitimate network traffic (Lau,
Rubin, Smith, & Trajković, 2000). The excessive increase in traffic in the network leads to
service failure.
Characteristics of Denial of Service Attack
a. Network performance becomes exceptionally slow
b. Website may become unavailable
c. E-mail bomb, characterized by an upsurge in spam emails received.
d. Website becomes inaccessible
e. Severance of a wired or wireless internet connection
f. Denied access to a service for a long period of time (Gangte, 2014)
For example, if a hacker launches a cyber attack against a website, for instance a bank's
website, then possibly all online bank transactions will be temporarily or permanently shut
down. Consequently, all the bank's customers, corporate bodies and individuals alike, are
negatively affected by the lack of access to their online banking accounts throughout the duration
of the attack, thus giving rise to big losses (in terms of revenue and other resources) for the
affected parties (Schuba et al., 1997). The affected bank will also suffer from reputation and
trust issues with customers due to its failure to protect its information technology
infrastructure. Likewise, if a hacker or group of hackers were to attack Gmail or Yahoo, then
millions of people would not be able to log into their email accounts. In carrying out their
attack activities, the hackers use a DoS tool or script (Gangte, 2014). This can possibly be
minimized by blocking the IP address of the hacker to render it ineffective. The hacker, however,
can make use of the Distributed Denial of Service (DDoS) method to overcome this (Gu & Liu, 2007).
Distributed Denial of Service (DDoS) Attacks
This is a form of coordinated cyber attack in which the attack is launched from multiple
sources using the DoS tool (Wood & Stankovic, 2002). The perpetrators of DoS attacks often
target reputable websites or internet services, such as banks, at a particular time. DDoS was used
by unidentified hackers to attack and bring down the websites of some online payment service
providers, MasterCard and PayPal, and some other major websites some years back (Lau et al.,
2000; Sisalem, Kuthan, & Ehlert, 2006). Hackers either employ a host of volunteers or attack
daemon agents or zombies (in case there are no volunteers) to infect the victims or targets. These
networks of attack daemons or zombies are also known as botnets (Shevtekar, Anantharam, &
Ansari, 2005). In DDoS, the real attacker propagates an execute message to the controller, which
then relays the command to the botnets. On receiving the attack command, the zombies start to
attack the victim while their owners may be unaware of the attack (Lau et al., 2000).
Different Kinds of DoS Attacks
Volume based attacks: A volume-based attack aims at overloading and congesting the
victim's link bandwidth with service requests that it cannot process given its limited
resources (Gu & Liu, 2007). Examples are ICMP floods, UDP floods and other related packet
floods (Gangte, 2014).
Protocol attacks: This is a type of attack that exhausts the computing resources of a victim
site by sending a multitude of connection requests to it. It is measured in packets per second (Lau
et al., 2000). Protocol attacks include SYN floods, Ping of Death, Smurf and fragmented packet
attacks (Gangte, 2014).
Application layer attacks: These consist of connection requests that appear legitimate
and harmless but whose purpose is to bring down the web server. The magnitude of the attack is
measured in requests per second (Hussain et al., 2003). They include Apache-targeted DDoS,
Windows vulnerabilities, zero-day DDoS attacks, Slowloris and OpenBSD vulnerabilities.
Attackers make use of readymade attack tools to perpetrate DoS attacks, and these include
XOIC, LOIC, HOIC, Hping3, HULK, R-U-Dead-Yet, DDOSIM-Layer7, DDoS simulators, and
so on (Gangte, 2014).
SYN Flood Attack
A SYN flood attack, also called a Transmission Control Protocol (TCP) SYN attack, operates
by exploiting the traditional TCP three-way handshake, which requires a three-packet exchange
as a prerequisite for authorizing a client to use the service (Lau et al., 2000; Raymond
& Midkiff, 2008). In a SYN flood, the attacker sends excessive TCP connection requests to
the web server, which becomes incapable of handling other new connections, thus overloading the
network.
SYN Flood Attack Description
In the SYN flood attack, the three-packet exchange between a client and the web server
occurs in the following steps (Gu & Liu, 2007):
1. The client first sends a connection request to the server as a SYN (synchronize/start) packet.
2. The server sends back a SYN-ACK (synchronize-acknowledge) packet to the client to
acknowledge the initial message.
3. The client sends the final ACK (acknowledge) packet and the connection is formed and
confirmed.

Usually in a SYN flood attack, the hacker uses a fake IP address to send a multitude of
SYNs to every port on the victim's server (Schuba et al., 1997). The server, unaware
of the attack, receives hundreds or even thousands of seemingly legitimate and innocent
connection requests. The server responds to every request with a SYN-ACK message from
the open ports. The attacker keeps the server waiting for a response by deciding not to send
the ACK message, and if the connection's IP address is spoofed, the attacker never receives the
SYN-ACK message in the first place. Either way, the target server waits endlessly for an
acknowledgment packet that never arrives (Gu & Liu, 2007).
While waiting for a response from the client, it is impossible for the server to
block connections by sending an RST message, so the connection remains open. Just before the
connection expires, the zombies send another SYN packet. The result is an increase in
the number of half-open connections. Finally, the multitude of half-open connections fills the
available space and the attacked server is unable to accept any new requests, even from legitimate
clients; the server may eventually fail or crash (Gupta, Krishnamurthy, & Faloutsos, 2002).
Mitigation/Defense Measures against Attacks
Micro blocks: rather than allocating a complete connection object, server administrators can
simply allocate a very small record (micro-record), as little as 16 bytes, on the server for each
individual SYN connection request (Dittrich, 1999).
SYN cookies: the sequence number (seqno) sent in the SYN-ACK packet by the
server is constructed using a cryptographic hash of the client IP address, port number, and
some other distinct identifiers (Raymond & Midkiff, 2008). The ACK packet sent by the client to
the server also carries this hash. Once the server validates the ACK, it then
proceeds to allocate memory for the connection (Lau et al., 2000).
RST cookies: when a client makes its first connection request, the server deliberately
replies with an invalid SYN-ACK. Normally, the client then sends an RST message, which alerts
the server that there is a problem (Moore, Shannon, Brown, Voelker, & Savage, 2006). If this
message is received, the server authenticates the request and knows that it is valid, so it
establishes communications with the client (Raymond & Midkiff, 2008).
Stack tweaking: administrators can slightly modify the TCP stack to reduce the impact of SYN
floods on the server. To achieve this, the time-out for connections can be reduced so that the
stack clears the memory assigned to a request sooner, or some incoming service requests can be
selectively denied (Moore et al., 2006).
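To make concrete both the half-open SYN_RECV exhaustion described in the Introduction and the SYN cookie defense above, here is an added example (not code from the report): a small Python model of a listener's handshake state, run once with a fixed backlog and once with SYN cookies. The cookie layout (5 bits of timestamp, 3 bits of MSS index, 24 bits of keyed hash), the backlog size, the timeout and the TEST-NET sample addresses are assumptions of this example, not the report's or any kernel's exact values.

```python
# Added example (not part of the original report): a model of the server-side
# handshake state that shows why half-open SYN_RECV entries exhaust a fixed backlog
# and how SYN cookies avoid storing any state until the final ACK validates.
# The cookie layout is a simplified scheme modeled on the Linux one; it is an
# assumption of this example, not an exact kernel algorithm.
import hashlib
import hmac
import random

BACKLOG = 128           # half-open (SYN_RECV) entries the listener will hold (assumed)
SYN_RECV_TIMEOUT = 60   # seconds a half-open entry lives before it is dropped (assumed)
MASK32 = 0xFFFFFFFF     # TCP sequence numbers are 32-bit


def syn_cookie(secret: bytes, client_ip: str, client_port: int,
               server_port: int, minute: int, mss_idx: int = 0) -> int:
    """Derive the SYN-ACK initial sequence number from the connection identifiers
    and a coarse timestamp, keyed with a server secret (simplified layout)."""
    msg = f"{client_ip}:{client_port}:{server_port}:{minute}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    hashed = int.from_bytes(digest[:3], "big")           # low 24 bits: keyed hash
    return ((minute & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | hashed


class Listener:
    """TCP listener on one port, with or without SYN cookies."""

    def __init__(self, secret: bytes, port: int = 80, use_cookies: bool = False):
        self.secret, self.port, self.use_cookies = secret, port, use_cookies
        self.half_open = {}        # (client_ip, client_port) -> (isn, expiry time)
        self.established = set()
        self.dropped_syns = 0      # SYNs refused because the backlog was full

    def _expire(self, now: int) -> None:
        # SYN_RECV entries are released once their timer runs out.
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}

    def on_syn(self, ip: str, port: int, now: int):
        """Handle a SYN; return the ISN placed in the SYN-ACK, or None if dropped."""
        self._expire(now)
        if self.use_cookies:
            # No state is stored: the cookie itself encodes what the final ACK must echo.
            return syn_cookie(self.secret, ip, port, self.port, now // 60)
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[(ip, port)] = (isn, now + SYN_RECV_TIMEOUT)
        return isn

    def on_ack(self, ip: str, port: int, ack: int, now: int) -> bool:
        """Handle the final ACK; True if a connection is established."""
        if self.use_cookies:
            # Accept the current and the previous minute so a slow client still completes.
            for minute in (now // 60, now // 60 - 1):
                expect = (syn_cookie(self.secret, ip, port, self.port, minute) + 1) & MASK32
                if ack == expect:
                    self.established.add((ip, port))  # memory is allocated only now
                    return True
            return False
        self._expire(now)
        entry = self.half_open.pop((ip, port), None)
        if entry is not None and ack == (entry[0] + 1) & MASK32:
            self.established.add((ip, port))
            return True
        return False


def simulate(use_cookies: bool, half_open_syns: int = 1000):
    """Fill the listener with SYNs that are never acknowledged (constructed, spoofed
    TEST-NET sources), then check whether one legitimate client can still connect.
    Returns (legit_connected, dropped_syns, half_open_entries)."""
    srv = Listener(b"constructed-example-secret", use_cookies=use_cookies)
    now = 0
    for i in range(half_open_syns):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 40000 + i, now)
    isn = srv.on_syn("203.0.113.7", 51515, now + 1)
    ok = isn is not None and srv.on_ack("203.0.113.7", 51515, (isn + 1) & MASK32, now + 1)
    return ok, srv.dropped_syns, len(srv.half_open)


if __name__ == "__main__":
    print("plain backlog :", simulate(False))   # legitimate client refused
    print("SYN cookies   :", simulate(True))    # legitimate client connects
```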
Defense against SYN flood attacks
Strengthening the TCP/IP stack against SYN floods: DoS attacks that are
carried out using SYN flooding can be very challenging and difficult to resolve for servers that
have not been configured with the right tools for defense. Often, the first line of defense against
DoS attacks is a firewall (Gu & Liu, 2007); nonetheless, the Linux kernel can also be made
resistant to such an attack. This kind of hardening is more effective against SYN floods
that try to overload a given service with requests than against one that attempts to
saturate the server, in which case a firewall becomes the important security tool (Lau et al.,
2000).
Setting up firewall rules to guard against SYN floods: Firewalls can be set up
with simple rules which allow or deny IP addresses, payloads, protocols, connection states or
ports (Lau et al., 2000; Jung, Krishnamurthy, & Rabinovich, 2002). In the case of a simple attack
coming from a small number of unusual IP addresses, for instance, one could simply define the
information in access control lists and filtering rules to drop all incoming connection requests
from hostile clients (Schuba et al., 1997).
Protection with a simple iptables method: The default firewall on Linux
computers is iptables, so it is very important to strengthen the firewall and deny all incoming
connection requests except the traffic actually needed on the server (Gangte, 2014). DoS attacks
that are launched without spoofing the IP address are very easy to prevent. The rules typically
limit the rate of SYN connection requests from a single IP address, for example to 20 per
minute (Gangte, 2014). It is advisable not to apply this rule indiscriminately, as it can end up
denying service to legitimate traffic from networks behind NAT. Some SYN flood attacks are
easily filtered because they show the same bogus parameters in the TCP header (Gu & Liu, 2007).
One such unusual parameter is the TCP MSS (Maximum Segment Size), which is not set by
default in most attacking tools.
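The per-source check behind the iptables method above (and behind the per-IP threshold script this project proposes) can be written as a small program that reads `ss -tan` output, counts half-open SYN-RECV sockets per peer address, and emits the iptables commands that reject further SYNs from any source over the threshold with a TCP RST. This is an added example in Python, not the report's own script; the `ss` sample is constructed, and the threshold value and the rule comment tag are assumptions.

```python
# Added example (not the report's own script): count half-open connections per
# source from `ss -tan` output and build the iptables commands that would reject
# further SYNs from any source at or above a threshold with a TCP RST. Commands are
# returned, not executed; the threshold and the rule tag are assumptions.
import shlex
from collections import Counter

SYN_THRESHOLD = 5            # half-open connections per source before it is blocked (assumed)
RULE_TAG = "synflood-guard"  # comment tag so the rules can be found and removed later (assumed)

# Constructed `ss -tan` output: one peer with many half-open connections, others normal.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:80            0.0.0.0:*
SYN-RECV   0      0      192.0.2.10:80         198.51.100.23:41002
SYN-RECV   0      0      192.0.2.10:80         198.51.100.23:41003
SYN-RECV   0      0      192.0.2.10:80         198.51.100.23:41004
SYN-RECV   0      0      192.0.2.10:80         198.51.100.23:41005
SYN-RECV   0      0      192.0.2.10:80         198.51.100.23:41006
SYN-RECV   0      0      192.0.2.10:80         198.51.100.23:41007
SYN-RECV   0      0      192.0.2.10:80         203.0.113.7:51515
ESTAB      0      0      192.0.2.10:80         203.0.113.9:52000
SYN-RECV   0      0      [2001:db8::10]:80     [2001:db8::feed]:4000
"""


def peer_address(endpoint: str) -> str:
    """Strip the port from an ss endpoint; IPv6 endpoints are bracketed."""
    host, _, _ = endpoint.rpartition(":")
    return host[1:-1] if host.startswith("[") and host.endswith("]") else host


def count_syn_recv(ss_output: str) -> Counter:
    """Count SYN-RECV (half-open) sockets per peer address."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "SYN-RECV":
            counts[peer_address(fields[4])] += 1
    return counts


def build_block_commands(counts: Counter, threshold: int = SYN_THRESHOLD):
    """Return iptables/ip6tables commands rejecting new SYNs from sources at or above
    the threshold. REJECT with tcp-reset answers the SYN with an RST, as the report
    describes; -m comment tags the rule so a later run can find and lift it."""
    cmds = []
    for ip, n in sorted(counts.items()):
        if n < threshold:
            continue
        tool = "ip6tables" if ":" in ip else "iptables"
        cmds.append(" ".join([
            tool, "-I", "INPUT", "-s", ip, "-p", "tcp", "--syn",
            "-m", "comment", "--comment", shlex.quote(f"{RULE_TAG} {n} half-open"),
            "-j", "REJECT", "--reject-with", "tcp-reset",
        ]))
    return cmds


def unblock_commands(cmds):
    """Matching delete commands (-D) for the run that lifts the blocks after the
    chosen duration; iptables -D accepts the same match specification used with -I."""
    return [c.replace(" -I INPUT ", " -D INPUT ", 1) for c in cmds]


if __name__ == "__main__":
    blocked = build_block_commands(count_syn_recv(SAMPLE_SS_OUTPUT))
    for c in blocked + unblock_commands(blocked):
        print(c)
```

On a live host the sample string would be replaced by the output of `ss -tan`, and the emitted commands need root to apply.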
Protection with switches: Several switches from manufacturers come with ACL and rate-limiting
capabilities. There are also many switches that offer automatic and/or system-wide
rate limiting, TCP splicing, deep packet inspection, traffic shaping and bogus IP filtering to
quickly identify and rectify DoS attacks. This is done via automatic rate
filters, WAN link failover and load balancing (Gangte, 2014).
Protection with readymade commercial tools and services: Companies can deploy
commercial tools and services such as Prolexic, Incapsula, Arbor Networks, Fortinet and
Cloudflare (Gangte, 2014). These tools are costly, but they are well worth it, especially if the
organization is operating a mission-critical service.
Protection using IDSs and IPSs: Intrusion Detection Systems (IDSs) and Intrusion
Prevention Systems (IPSs) are another set of important security tools which are commercially
available. Small and medium-scale enterprises which cannot afford the cost of these
technologies can download Snort, a free and open source IDS/IPS tool, online. The tool can
simply be configured to deny all forms of DoS attacks (Gangte, 2014).

Proposal
In this project, I will simulate a real-time SYN flood attack using the Python
programming language and the Scapy tool in a virtualized environment. For prevention of the
attack, I will create a shell script that automatically updates iptables rules based on certain
parameters. iptables serves as the kernel-level firewall and allows users to configure the
server's firewall. The shell script will auto-configure iptables based on the number of SYN
requests from a single IP address. Through this method, the server can avoid potential SYN flood
attacks. The whole project will be completed in four iterations, with the Action Research
methodology used for each iteration. Each iteration will go through four phases: Plan, Action,
Observation and Reflection. A brief description of each iteration is given below:

[Figure 1: Iterations. Four iterations, each cycling through Plan, Act, Observe and Reflect:
Iteration 1, gaining insight and knowledge about SYN flood and TCP connections; Iteration 2,
learning the Python language and the Scapy tool; Iteration 3, performing a SYN flood attack
using Python and the Scapy tool in a virtualized environment; Iteration 4, SYN flood attack
using IP table features in Linux-based machines.]

Figure 1: Iterations

First iteration: Gaining insight and knowledge about SYN flood and TCP connections
During the first iteration of the project, I will study SYN flood attacks and TCP
connections. As the SYN flood attack is based on the TCP protocol, it is very important to understand the
relation between these two. For gaining knowledge about SYN flood and TCP connections, I will
be taking help of the internet. There are professional blogs on the websites of reputed companies;
those will be the best place to start with. Apart from blogs, peer reviewed papers are also a great
source of knowledge. So I will try to gather insight about SYN flood from whichever genuine
sources I can get.
Second Iteration: Learning Python language and Scapy tool
In the project, the SYN flood attack will be carried out using the Python language and the Scapy tool,
and hence it is very important that the required knowledge of these two pieces of software is obtained before
proceeding ahead with the actual objective of the project. Hence, in the second iteration, the Python language
and the Scapy tool will be learnt. Only the relevant modules of the language will be learnt. Online
tutorials are easily available to learn the Python language and the Scapy tool. Learning videos are also
available on www.youtube.com.
Third Iteration: Performing SYN flood attack using Python and Scapy tool in a
virtualized environment
In the third iteration of the project, the actual SYN flood attack will be carried out. Linux virtual
machines will be created wherein one virtual machine will play the role of attacker and another
machine will play the role of victim. A TCP packet will be manipulated using Scapy and will be
repeatedly sent using a Python script. Scapy allows altering of various parameters of a TCP packet.
Once the packet has been manipulated, it will be sent repeatedly to the target server via a Python script
for carrying out the attack.
Fourth Iteration: SYN flood attack using IP table features in Linux based machines
In the last iteration of the project, for prevention of the attack, I will create a shell script to
automatically update the IP tables rules based on certain parameters. IP tables serves as a kernel
level firewall; it allows users to configure the firewall of a server. The shell script will auto-configure
the IP tables based on the number of SYN requests from a single IP address. After the
threshold number has been reached, the server will reject future suspicious TCP connections
from that IP address with the TCP RST flag for a certain duration of time. Through this method, the
server can avoid potential SYN flood attacks. The project will be considered complete once the script
successfully prevents the SYN flood attack.

First iteration: Gaining insight and knowledge about SYN flood and TCP connections
During the first iteration of the project, I will study SYN flood attacks and TCP
connections. As the SYN flood attack is based on the TCP protocol, it is very important to understand the
relation between these two. For gaining knowledge about SYN flood and TCP connections, I will
be taking help of the internet. There are professional blogs on the websites of reputed companies;
those will be the best place to start with. Apart from blogs, peer reviewed papers are also a great
source of knowledge. So I will try to gather insight about SYN flood from whichever genuine
sources I can get.
Plan phase
As in the first iteration it is planned to learn about two concepts, i.e. SYN Flood and TCP
Connections, the planning phase can be divided into the following two major parts:
a. Learning SYN Flood
In order to learn and understand SYN Flood, materials will be sourced from the
internet. There are many educational videos available on www.youtube.com for learning about the
SYN Flood attack. SYN flood is a type of cyber-attack, so there are various websites
dedicated to cyber-attacks. White hat attackers and grey hat attackers maintain their websites
for providing information about SYN flood attacks, so reading material will be readily
available on these websites. Basically, SYN flood is a type of Distributed Denial of Service
(DDoS) attack, so various DDoS attacks will be studied along with SYN Flood. SYN
Flood exploits the TCP handshake protocol for the attack; hence in the second part of the iteration
TCP connections will be studied.
b. Learning TCP Connections
It is very important that the TCP connection and handshake procedure are clearly
understood because they are the basis of the SYN Flood attack. So for understanding TCP
connections, various blogs on professional websites will be read. Cisco is the leader in
networking components, so blogs on its website will be read. There are other professional
websites too, where I can find good reading material. For understanding TCP connections, the
handshake protocol will be analyzed in a network monitoring tool. Wireshark is such a tool,
which gives information about the traffic passing through a network. I will install Wireshark on
my laptop to study the handshake protocol.
Apart from internet resources, many cyber-security organizations conduct seminars,
workshops or webinars on cyber-threat related topics. So I will try to find any available
seminar, workshop or webinar near my place of residence. Workshops impart practical
training in very little time, so they are very effective for imparting lots of knowledge quickly.
Action phase
In the action phase, steps were taken based on the points specified in the plan. For the first
part of the plan, I surfed the internet daily for around 2-3 hours. During surfing, I studied a lot about
SYN flood and Distributed Denial of Service attacks. Some websites which I visited for studying
are:
a. https://en.wikipedia.org/wiki/Denial-of-service_attack
b. https://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html
c. https://www.us-cert.gov/ncas/tips/ST04-015
d. https://www.cert.org/information-for/denial_of_service.cfm?
e. https://en.wikipedia.org/wiki/SYN_flood
f. https://www.cert.org/historical/advisories/CA-1996-21.cfm?
g. https://tools.ietf.org/html/rfc4987
I watched many YouTube videos also for understanding SYN flood and DDoS attacks in
detail. I typed keywords such as distributed denial of service attack, SYN Flood and denial
of service attack in the search bar of www.youtube.com. The videos which I found most
relevant are:
a. https://www.youtube.com/watch?v=vicKkwRgsdE - This video explained the
Distributed Denial of Service attack (DDoS).
b. https://www.youtube.com/watch?v=0VutW15kEZM - This video explained the
Distributed Denial of Service attack.
c. https://www.youtube.com/watch?v=sUrM7_G_y7A - This video explained the SYN
Flood attack.
d. https://www.youtube.com/watch?v=sO6JoY_zAf8 - This video explained the SYN
Flood attack.
e. https://www.youtube.com/watch?v=AqY3UxXyQTY - This video explained the
prevention of SYN flood attacks.
For the second part of the plan, I again searched a lot over the internet for TCP connections. Some
relevant websites which I read for understanding TCP connections are:
a. http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/137695.html
b. https://en.wikipedia.org/wiki/Transmission_Control_Protocol
c. http://www.tcpipguide.com/free/index.htm
I also installed the Wireshark network analyzer on my laptop for understanding the TCP
connection. Apart from internet research, I also searched for an available seminar, workshop or
webinar in my vicinity, but could not find any.
Observation phase
The Transmission Control Protocol (TCP) is undoubtedly the most central protocol of the
Internet Protocol (IP) suite (Kozierok, 2005). It functions to establish a complete connection
between two endpoints for the exchange of streams of bytes. TCP came from the network
implementation where it complemented IP (Transmission control protocol, 2016). For this reason
the complete suite is known as TCP/IP. The Transmission Control Protocol offers a highly reliable,
ordered, error-checked data stream between applications operating on hosts
communicating over an IP network. Applications that require a reliable data stream or guaranteed
delivery depend on TCP. Many popular internet applications such as electronic mail, file
transfer protocol, remote administration, telnet and the World Wide Web use it (Transmission
control protocol, 2016). For applications which do not demand reliable delivery of a stream of
data, another transport layer protocol, the User Datagram Protocol (UDP), can be used. UDP,
unlike TCP, is a connectionless datagram service which prioritizes reduced latency over
reliability (Transmission control protocol, 2016).
TCP establishes synchronized communication at an intermediate level between two endpoints; it
presents an end-to-end link between an application and the Internet Protocol at the Transport
Layer of the internetworking model (Cisco, 2005). Application programs are unconcerned
about the processes involved in the transmission of streams of data to another endpoint; it is the
role of TCP to manage every handshaking and connection detail. For example, byte streams are
sent in units called segments; an application does not need to know these requirements or
mechanisms, as the Transmission Control Protocol provides a virtual network connection to the
receiving application (Transmission control protocol, 2013).
The mechanism involved in the establishment of a normal TCP connection between two
hosts, host A and host B, involves three distinct steps:
a. Host A (client) first sends a connection request to host B as a SYN (synchronize)
message using its own sequence number m.
b. Host B sends back a synchronize-acknowledge (SYN-ACK) packet using its own
sequence number n and acknowledgement number m + 1, which is received by host A.
c. Host A then responds with an ACK (acknowledgement) message bearing the
acknowledgement number n + 1, which host B receives but does not have to reply to.
This configuration involves a three-packet exchange between the two endpoints. The
function of the SYN message is to initiate the connection request from one host to the other,
while the ACK message acknowledges receipt of the message sent by the client
(Transmission control protocol, 2013).
A critical feature of the three-way handshake is that, as a means of exchanging the starting
sequence number that each endpoint plans to use, the client first transmits a segment using its
own sequence number x, and the server replies by sending a segment with its own sequence
number y as well as the acknowledgement number x + 1. Lastly, the client replies bearing
the acknowledgement y + 1 (Transmission control protocol, 2013). The client and server do not
use a default sequence number like 0 for setting up a connection, so as to prevent two
reincarnations of the same connection making use of the same sequence number almost
immediately. Otherwise, a segment from a previous incarnation of a connection request
could possibly disturb a subsequent incarnation of the connection at a later time (Transmission
control protocol, 2013).
A distributed denial of service attack is an organized attack whereby several
compromised systems launch an attack on a target victim so as to disrupt or shut down service to the
intended users of the attacked system (Google ideas, 2013; Denial-of-service, 2016). In a DDoS,
multiple assailant sources flood the target system with a barrage of messages with the intent
of shutting it down, thus causing denial of service to the intended users (US-CERT, 2013).
Characteristically, a DDoS attack is initiated when a malicious hacker exploits a security
loophole in a system and then transforms it into the DDoS attack master, also called the botmaster.
The botmaster detects and infects other vulnerable machines, and transforms them into
zombies (Google ideas, 2013; Rouse, 2013). By this act, it gains control over the other attack
daemons, and once it sends the attack command to them, the controlled machines begin to attack
the target computer (Sourcefire, 2013).
DDoS attacks can be divided into two types: application layer and network-centric
attacks (Denial of service attack, n. d.). An application layer attack floods a service or database
with overwhelming traffic, while a network-centric attack overloads a network with
connection requests with the aim of exhausting its bandwidth (Denial of service attack, n. d.).
The barrage of messages sent to the targeted system interferes with service delivery, thereby
causing a denial of service (Barker, 2013). In a DDoS attack, it is not only the target that is the
victim; there are several other victims, such as the host of
subverted systems in the control of the hostile hacker. Even though the owners of the controlled
machines may not know that their systems are now in the control of an assailant, this does not
spare them from experiencing service breakdown or malfunction.
A SYN flood is initiated when an attacker sends excessive service requests to a host so
that it becomes unable to process innocent and legitimate connection requests in its queue
(Runscape weekly, 2013; SYN flood, 2013; US-CERT, 2013; Juniper Networks Inc, 2015). In a
SYN flood, the host machine is flooded with SYN segments which start half-complete
connection requests (SYN flood, 2013). Two hosts set up a TCP connection by means of a three-packet
exchange of data called the three-way handshake (Juniper Networks Inc, 2015).
A client first sends a SYN segment to another computer, which then replies with a SYN-ACK
message, and the client sends back an ACK segment to acknowledge receipt of the
message. In a SYN flood, the server is overloaded with SYN segments emanating from fake IP
addresses which are unreal and inaccessible. The server replies
with SYN-ACK messages to these IP addresses and waits for the corresponding ACK
segments that would complete the handshake. However, since the connection requests are transmitted from nonexistent or
inaccessible IP source addresses, no responses will be forthcoming, so the service requests
time out (SYN flood, 2013; Juniper Networks Inc, 2015).
Reflection phase
The first iteration has successfully laid the foundation for the whole project. The first iteration
went as per plan. I was able to achieve the intended outcome of the first iteration. I learnt technical
details about TCP connections, DDoS attacks and SYN attacks in detail. There is plenty of
information available on the internet on these three topics. People have actually put in great effort to
explain the topics on the YouTube website. Video tutorials helped me learn the topics in less time. I found
some videos related to how to perform a SYN flood attack using the Scapy tool also. During the first
iteration I clearly understood how the SYN flood attack exploits the TCP handshake protocol.
During the course of information gathering, I came to know how a SYN flood attack is performed.
I just need to change the parameters of the TCP packet to carry out the attack, and if the victim has
not deployed a good DDoS protection security measure, then services will become unavailable.
During the course of the first iteration, I realized that it is very easy to carry out a SYN flood attack.
Anyone with basic knowledge about networking can perform this attack. Hence it becomes very
important for an organization to deploy sufficient controls to protect itself from such attacks.
I was able to observe the TCP handshake live in the Wireshark network analyzer tool. I also
observed other attributes of TCP connections in Wireshark. I can see all the activities
going on in my network using Wireshark. I intend to capture the SYN flood attack using the Wireshark
tool only. During the SYN flood attack condition, there will be a multitude of half open SYN
connections which will be shown in a different color in Wireshark.
After learning the basics of the SYN flood attack, I am ready to learn Python and the Scapy
tool in the second iteration. Knowledge of the SYN flood attack along with the necessary tools is
important to carry out the SYN flood attack. Hence, the actual objective of the project will start from
the third iteration onwards. The first and second iterations are just preparation for the third and fourth
iterations.

Second Iteration: Learning Python language and Scapy tool
In the project, the SYN flood attack will be carried out using the Python language and the Scapy tool,
and hence it is very important that the required knowledge of these two pieces of software is obtained before
proceeding ahead with the actual objective of the project. Hence, in the second iteration, the Python language
and the Scapy tool will be learnt. Only the relevant modules of the language will be learnt. Online
tutorials are easily available to learn the Python language and the Scapy tool. Learning videos are also
available on www.youtube.com.
Plan phase
Like the first iteration, the second iteration will be dedicated to learning two things, i.e. Python
and Scapy, so the planning phase can be divided into the following two major parts:
a. Learning Python programming language
In order to carry out the SYN flood attack, it is important to learn the Python language. Python is a high
level programming language. The Scapy tool is also written in the Python language, so basic knowledge
of the Python language is a must. While learning Python, emphasis will be given to learning the
following things:
1. How to install Python in Ubuntu
2. How to import the Scapy tool for sending packets
3. How to send an IP packet
4. How to repeatedly send a packet for SYN flood.
The internet is the best place to learn about Python, as many online tutorials are available.
www.youtube.com is flooded with many videos on learning Python. The official website of Python,
i.e. www.python.org, is also full of tutorials on learning Python from basic to advanced level.
Other online blogs, tutorials and websites will also be read.
b. Learning Scapy tool
Though Python is the base programming language for the Scapy tool, manipulating a
packet will take more time in plain Python. Scapy simplifies packet manipulation for us. Instead
of writing lengthy code in Python, a packet can be manipulated in a few lines in Scapy. Once the
packet has been modified in Scapy, Python will be used to send it repeatedly to attack the
victim computer. Hence, Scapy and Python will work in sync to carry out the SYN flood
attack. Again, videos on www.youtube.com will be watched to learn about Scapy. The Scapy
official website http://www.secdev.org/projects/scapy/ also contains information about
learning it. Other online blogs, tutorials and websites will also be read. The following things will
be learnt in Scapy:
1. Installing Scapy
2. How to craft a packet
3. How to manipulate packets
4. How to send a packet
Action phase
In response to the plan drafted in the previous phase, I surfed the internet daily for around 2-3
hours. During surfing, I studied a lot about Python and Scapy in detail. The websites I visited for
learning Python are as follows:
a. www.python.org
b. http://www.learnpython.org/
c. http://www.tutorialspoint.com/python/
d. http://learnpythonthehardway.org/book/
The YouTube videos which I watched are as follows:
a. https://www.youtube.com/watch?v=4Mf0h3HphEA&list=PLEA1FEF17E1E5C0DA -
This video is titled Python Programming Tutorial - 1 - Installing Python.
b. https://www.youtube.com/watch?v=cpPG0bKHYKc - This video is titled Python
Beginner Tutorial 1 (For Absolute Beginners).
c. https://www.youtube.com/watch?v=41qgdwd3zAg - This video is titled Python
Tutorial for Beginners 1 - Getting Started and Installing Python (For Absolute
Beginners).
d. https://www.youtube.com/watch?v=fQRiqIh0YbY - This video is titled How to Install
Python on Ubuntu.
For learning the Scapy tool, I visited the following websites:
a. http://www.secdev.org/projects/scapy/
b. http://bt3gl.github.io/black-hat-python-infinite-possibilities-with-the-scapy-module.html
c. https://theitgeekchronicles.files.wordpress.com/2012/05/scapyguide1.pdf
d. http://packetlife.net/blog/2011/may/23/introduction-scapy/
The videos which I watched on www.youtube.com are as follows:
a. https://www.youtube.com/watch?v=iNuBNgVAKg4&list=PLjfsellyFtTbSIZuHAPBRtcP2qLSzwdJ -
This video is titled Scapy / Kivy Series - 1 (Overview).
b. https://www.youtube.com/watch?v=-s4iyNSxs1k - This video is titled Python Tutorial:
Python Network Programming - Scapy. Creating your own packets.
c. https://www.youtube.com/watch?v=XdBugGkKpOs&list=PLakZBnF3tshsyU1hiM3KCh9Mv7hRMguo -
This video is titled Scripting Wi-Fi Pentesting Tools in Python - Scapy Basics.
d. https://www.youtube.com/watch?v=m2Osz4km7S8 - This video is titled scapy
tutorial.

Observation phase
During the process of learning Python and Scapy, I observed the following:
a. Installing Python in Ubuntu - Generally Ubuntu comes pre-installed with Python 2 and
Python 3, but if it is not installed, then the following commands are used to install the
build dependencies of Python (python basic syntax, n.d.):
sudo apt-get install libreadline-dev
sudo apt-get install libsqlite3-dev
sudo apt-get install libbz2-dev
sudo apt-get install libssl-dev
Now the Python source package is required to be downloaded and unzipped. After that the following
commands are run from the unpacked directory:
./configure
make -j
sudo make install
b. Command used to import the Scapy tool for sending packets (download and installation,
n.d.):
from scapy.all import *
c. Command used to send an IP packet and wait for one answer (packet is the crafted object):
sr1(packet)
d. Command used to repeatedly send a packet for SYN flood (python basic syntax, n.d.):
A while loop can be created around send().
e. Installing Scapy - First the latest version of Scapy is required to be downloaded into the
temp directory and after that the following commands need to be run with root
privileges (download and installation, n.d.):
$ cd /tmp
$ wget scapy.net
$ unzip scapy-latest.zip
$ cd scapy-2*
$ sudo python setup.py install
There are other ways to execute this downloaded zip file.
f. Crafting and manipulating packets - Different parameters can be modified after
creation of the object for the packet to be sent (usage, n.d.).
Reflection phase
In the second iteration, I learnt Python and Scapy in detail. During my online research, I
gathered all relevant commands which are required to do the SYN flood attack. I achieved all the
outcomes of the plan phase. Surprisingly, while learning Python, I noticed that it is very easy to learn
in spite of the fact that I do not possess programming skills. The Python programming language is a high
level language which simplifies the code. During research I found that for crafting and
manipulating packets, other programming languages may need up to 200 lines of code, while the same
can be done in 10-20 lines in Scapy. Hence, Scapy saves time as well as effort.
As far as the project requirement was concerned, I needed to focus more on the working of
Scapy than on Python. Python will be used only for sending the packet repeatedly, while creation
and modification of the packet will be carried out in Scapy itself. I did not find any problem in
learning Scapy as the internet is full of study material on Scapy. When I entered Scapy in the
Google search bar, I got 185,000 results. While searching for Python, I got more than 1,600,000
results. Even on YouTube, many results popped up when I searched for Python and Scapy. People
have posted working tutorials on YouTube for learning Scapy, so it was very easy for me to
learn.
Since Scapy is built in Python, integration of the two is very seamless. Even if some
modification is required, the same can be done by modifying the Scapy libraries. But as far as the project
requirement is concerned, I am not required to modify the Scapy library. All the existing commands
can be used to carry out the attack. Hence, after learning Python and Scapy in iteration 2, the SYN
flood attack will be carried out in iteration 3.

Third Iteration: Performing SYN flood attack using Python and Scapy tool in a
virtualized environment
In the third iteration of the project, the actual SYN flood attack will be carried out. Linux virtual
machines will be created wherein one virtual machine will play the role of attacker and another
machine will play the role of victim. A TCP packet will be manipulated using Scapy and will be
repeatedly sent using a Python script. Scapy allows altering of various parameters of a TCP packet.
Once the packet has been manipulated, it will be sent repeatedly to the target server via a Python script
for carrying out the attack.
Plan phase
As the third iteration is dedicated to simulating the SYN flood attack, the plan phase will
consist of the following parts:
1. Preparing virtual environment - The attack will be simulated in a virtual environment, so
virtual machines are required to be prepared. It is planned to install the VMware
hypervisor for creating virtual machines. Once VMware is installed, the Ubuntu
operating system will be installed on two virtual machines. The victim machine will
have Wireshark installed to capture the network traffic.
2. Installation of Python - The attacker machine will have the Python programming
language installed, if it does not come pre-installed with it. Python must be installed,
otherwise Scapy will not run.
3. Installation of Scapy - After Python is installed, the latest version of the Scapy tool will be
downloaded and installed.
4. Gathering information about listening ports on target machine - While carrying out the
attack it is important that the open or listening ports on the victim machine are known. If
packets are sent to non-listening ports, then the packets will be dropped and the SYN flood
attack may not happen.
5. Creation of packet in Scapy - After details about the listening port are known, the packet will
be crafted in Scapy and sent to the victim machine.
6. Sending packet at repeated intervals - A Python script will be prepared which will
repeatedly send the above crafted packet to the victim machine.
7. Capturing the attack in Wireshark - To show that the attack has happened, network
packets will be captured in the Wireshark network monitoring tool. In Wireshark, half
open TCP connections will be visible.
Action phase
In response to the plan drafted in the previous phase, the following actions were
performed:
1. Preparing virtual environment - VMware 11.0 was installed on my laptop. After
installation of VMware, two virtual machines with the following details were created:
S.No.  Name of virtual machine  IP address       RAM   Hard disk
1      Attacker                 192.168.136.138  3 GB  100 GB
2      Victim                   192.168.136.1    3 GB  100 GB
Table 1: Details of Virtual machines
2. Installation of Python - Ubuntu 14.10 comes pre-installed with the Python language.
The following command was run to check whether Python was installed on it or not:
python -V
3. Installation of Scapy - The following commands were run to install Scapy on the attacker
machine:
$ cd /tmp
$ wget scapy.net
$ unzip scapy-2.3.1.zip
$ cd scapy-2*
$ sudo python setup.py install
4. Gathering information about listening ports on target machine - I ran the netstat
-a command on the target machine to see which ports are listening. I found that the target is
listening, so I decided to use port 49907 for attacking.
5. Creation of packet in Scapy - The packet was created with the following details:
>>> i=IP() # defining object i for IP
>>> i.src="192.168.136.138" # defining source IP address
>>> i.dst="192.168.136.1" # defining destination IP address
>>> i.display() # displaying IP packet
>>> t=TCP() # defining object t for TCP packet
>>> t.sport=49907 # defining source port as 49907
>>> t.dport=49907 # defining destination port as 49907
>>> t.flags="S" # setting flag as SYN
>>> t.display() # displaying TCP packet
>>> sr1(i/t) # sending one packet and waiting for answer.
6. Sending packet at repeated intervals - The following Python script was written to send the
packet and saved with the name syn_flood.py:
#!/usr/bin/python
from scapy.all import *
i=IP()
i.src="192.168.136.138"
i.dst="192.168.136.1"
t=TCP()
t.sport=49907
t.dport=49907
t.flags="S"
x=1
while x<2:
    send(i/t)
The command used to run the above script is as follows:
python syn_flood.py
7. Capturing the attack in Wireshark - And lastly, half open connections were captured
in Wireshark. Wireshark was flooded with SYN packet entries from the attacker's IP.
Observation phase
Screenshots taken while performing the steps mentioned in the planning phase are as follows:
Figure 2: VMware software installation
Figure 3: Attacker's Virtual machine
Figure 4: Victim's virtual machine
Figure 5: Checking Python Version
Figure 6: Downloading Scapy tool on Ubuntu machine
Figure 7: Scapy Installation - Unzipping zip file
Figure 8: Scapy installation
Figure 9: Scapy installation complete
Figure 10: Single Packet crafting for SYN attack
Figure 11: Sending single packet
Figure 12: Output of single SYN flood packet
Figure 13: Writing Python script for Attacking
Figure 14: Running Python script
Figure 15: Continuous loop in python script
Figure 16: SYN flood attack as captured in Wireshark

Reflection phase
The third iteration was the main iteration of the whole project, as in this iteration the actual attack
was performed. In the earlier two iterations, information and knowledge about tools, software, SYN
flood and TCP concepts were gathered, but only in this iteration was that knowledge put into
action. I was successfully able to perform a SYN flood attack on a virtual machine. An infinite loop
was created in Python to send the crafted packet to the target machine. The Python script can be modified to
send packets at another chosen interval. The Python script can be modified to send, say, 100 packets
every 5 seconds. The Python script can also be modified to spoof the attacker's IP address, since
Scapy gives the option of modifying the source IP address. A script can be created which will modify the
source IP address based on a few conditions like time.
One thing I noticed is that I was not able to control the rate at which packets are sent. As
seen in the Wireshark capture, packets were sent at an approximate interval of 0.02 seconds. Maybe
it is limited by the processing time taken by the Python interpreter. To increase the rate at
which the attack is carried out, I would need a computer with better processing power or a greater number of
computers. In the real world, one computer alone is not enough to bring down the target machines.
Multitudes of machines are used in tandem with each other to perform a distributed denial of
service attack. So in our case, if we want to bring down the victim computer totally, then it is
required to use more than one computer. The exact number of computers will depend upon the
capacity of the victim machine.
In the third iteration I created and modified packets to simulate a basic SYN flood
attack on virtual machines. The attack was successful, as seen from the Wireshark capture. Now in the fourth
and final iteration, preventive measures will be implemented on the target machine to stop such
SYN flood attacks.
Fourth Iteration: SYN flood attack prevention using IP tables features in Linux based machines
In the last iteration of the project, for prevention of the attack, I will create a shell script to automatically update the IP tables rules based on certain parameters. IP tables serves as a kernel level firewall; it allows users to configure the firewall of the server. The shell script will auto-configure IP tables based on the number of SYN requests from a single IP address. After the threshold number has been reached, the server will reject further suspicious TCP connections from that IP address with a TCP RST flag for a certain duration of time. Through this method, the server can avoid potential SYN flood attacks. The project will be considered complete once the script successfully prevents a SYN flood attack.
Plan phase
The fourth iteration will be shorter than the previous three iterations. Hence, the planning phase of the fourth iteration consists of the following parts:
1. Learning basic shell commands: Before writing the shell script, it is required to gather details about the basic shell commands which will be used in writing the script.
2. Writing of shell script to prevent SYN flood attack: A shell script will be written to prevent the SYN flood attack by updating IP tables automatically. IP tables serves as a kernel level firewall. If more than 50 connection attempts are made from a single IP address, this script will update IP tables to reset that connection instead of sending a SYN-ACK. This solution will reject all suspicious TCP connections with a TCP RST flag, i.e. a reset packet, to prevent the potential DDoS scenario.
3. Running of shell script: Once the shell script is written, it will be run in a terminal window of Ubuntu. The shell script will run in the background and continuously check for a SYN flood. We can also specify a time when the script should not run; once an attack has been prevented, the shell script can stop for the time being.
4. Checking whether script is functioning properly: The script will be checked with Wireshark. Wireshark should show that the RST flag is set after 50 attempts from a single IP address. Wireshark can also monitor the traffic on the virtual adapter.
Action phase
In response to the plan drafted in the previous phase, the following actions were performed:
1. Learning basic shell commands: I searched randomly on the internet about shell commands and found information about the basic commands to be used while writing shell scripts.
2. Writing of shell script to prevent SYN flood attack: The following shell script, named shell_SYN.sh, was written:
    #!/bin/bash
    # shell_SYN.sh: poll netstat and block peers with more than 50 half-open
    # connections to ssh/www by rejecting their TCP packets with a reset.
    # Usage: ./shell_SYN.sh <poll interval in seconds>   (run as root)
    > /var/log/SYN.log
    > /tmp/temp1.txt
    > /tmp/temp2.txt
    # On exit, flush the rules that were added so blocked addresses are released
    # (note: iptables -F flushes every rule in the filter table, not only these).
    trap "echo ;echo Caught EXIT signal; iptables -F; echo Iptables entries cleared; echo HaX0R SVP" EXIT
    while true
    do
        date >> /var/log/SYN.log
        # Per remote address, count connections to ssh/www that are not ESTABLISHED.
        # Field 5 of netstat output is the Foreign Address; the port after ':' is dropped.
        netstat | grep -E "ssh|www" | grep -iv ESTABLISHED | awk '{print $5}' | cut -d : -f 1 | sort | uniq -c >> /var/log/SYN.log
        for pip in $(netstat | grep -E "ssh|www" | grep -iv ESTABLISHED | awk '{print $5}' | cut -d : -f 1 | sort | uniq)
        do
            conntrack=$(netstat | grep -E "ssh|www" | grep -iv ESTABLISHED | awk '{print $5}' | cut -d : -f 1 | grep -cx "$pip")
            # Skip addresses that were already blocked in an earlier pass.
            while read line
            do
                if [ "$line" = "$pip" ]
                then
                    continue 2
                fi
            done < /tmp/temp2.txt
            if [ "$conntrack" -gt "50" ]
            then
                iptables -I INPUT -s "$pip" -p tcp -j REJECT --reject-with tcp-reset
                echo "$pip" >> /tmp/temp1.txt
            fi
        done
        sort /tmp/temp1.txt | uniq > /tmp/temp2.txt
        sleep "$1"
    done
3. Running of shell script: The shell script was run with the following commands:
    mohan@ubuntu:~$ su root
    password:
    root@ubuntu:/home/mohan# chmod u+x shell_SYN.sh
4. Checking whether script is functioning properly: Packets were captured with Wireshark. It was found that the shell script was working properly and that after 50 attempts the connection was reset.
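The counting and blocking decision that the fourth-iteration script (and plan steps 2 and 4 above) describe, as an added example that is not the report's own shell_SYN.sh: a set of bash functions reads a netstat-style listing, counts half-open (non-ESTABLISHED) connections to ssh/www per remote address, and prints the iptables rule the script would insert for each address over the threshold, skipping addresses already in a seen-list file. The netstat snapshot, the addresses (RFC 5737 TEST-NET ranges) and the function names are constructed for this example; the rules are printed rather than executed, so the logic can be checked without root access or a live flood.

```shell
#!/bin/bash
# Added example, not the report's shell_SYN.sh. Reproduces its detection logic
# (half-open connections per remote address > threshold => REJECT with tcp-reset)
# against a constructed netstat snapshot. Addresses use RFC 5737 TEST-NET ranges.

# Constructed netstat-style output: one established web session, one lone
# half-open ssh attempt, and 52 half-open web connections from one address.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    echo "tcp        0      0 ubuntu:www              198.51.100.9:51234      ESTABLISHED"
    echo "tcp        0      0 ubuntu:ssh              192.0.2.44:6000         SYN_RECV"
    local port
    for port in $(seq 40001 40052); do
        echo "tcp        0      0 ubuntu:www              203.0.113.7:$port       SYN_RECV"
    done
}

# Read netstat text on stdin; print "<count> <remote ip>" for every remote
# address with non-ESTABLISHED connections to ssh or www, highest count first.
# Field 5 is the Foreign Address column; the part before ':' is the host.
half_open_counts() {
    grep -E ':(ssh|www) ' | grep -iv ESTABLISHED \
        | awk '{print $5}' | cut -d : -f 1 | sort | uniq -c | sort -rn
}

# Print only the remote addresses whose half-open count exceeds $1.
flooders() {
    local threshold="$1"
    half_open_counts | awk -v t="$threshold" '$1 > t {print $2}'
}

# Print (without executing) the iptables rule the script inserts for each new
# offender. Addresses listed in the seen-list file $2 are skipped, mirroring the
# /tmp/temp2.txt check in the original script. A missing file means nothing seen.
plan_blocks() {
    local threshold="$1" seen="$2" ip
    flooders "$threshold" | while read -r ip; do
        grep -qx "$ip" "$seen" 2>/dev/null && continue
        echo "iptables -I INPUT -s $ip -p tcp -j REJECT --reject-with tcp-reset"
    done
}

# Stand-alone demo: per-address counts, then the rule that would be added
# (threshold 50 and the REJECT rule are the values used in the report's script).
sample_netstat | half_open_counts
sample_netstat | plan_blocks 50 /dev/null
```

Feeding the functions a saved snapshot instead of a live netstat makes the threshold and the address extraction testable on their own; to use them against a real host, replace sample_netstat with netstat and pass the output of plan_blocks to the shell only after reviewing it.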

Observation phase
The outputs of the commands run in the action phase are as follows:

Figure 17: Writing shell script

Figure 18: Running shell script

Figure 19: Prevention of SYN flood attack

Reflection phase
Successful prevention of the SYN flood in the fourth iteration marked the completion of the project. In the fourth iteration, a shell script was written to dynamically stop a SYN flood. The script works on the simple logic that if the number of connection attempts from a single IP address exceeds the threshold, that IP is pronounced a rogue IP and moved to a separate list; IP tables are automatically updated to send a reset flag for further communication from that IP address. The shell script can also help in preventing a distributed denial of service attack (DDoS). But in a real environment the speed and number of attacker computers are very high, so an IP tables based prevention technique may not be that effective due to the limited resources of the target machines. Generally, a target machine is also running some other service, typically a web service, and hence most of its computational resources are dedicated to running the web service. In that case, the computational power left for preventing a SYN flood using IP tables may not be sufficient. IP tables is not the only way to prevent a SYN flood attack; there is third party software and hardware which can be deployed to stop a SYN flood.
During the course of this project, I learnt many new technologies, tools and software, and one hacking technique. I learnt how the TCP handshake works. Apart from TCP concepts, I gathered information about SYN floods and ways to carry out a SYN flood attack. Consequently, I learnt the Python and Scapy tools. Before starting the project, I was under the impression that network packets cannot be manipulated, but after working with the Scapy tool I realized that I was wrong. I also learnt about IPtables in Linux. IPtables is a small utility but a very powerful firewall feature. I learnt the features of shell scripts. I came to know that for functions which are not inbuilt, shell scripts can be written to achieve the desired functions on Linux based machines. Overall, the project has been successful and I was able to achieve the desired outcome of the project for which I chose this topic. Because of the huge amount of reading material available over the internet, I never felt the need of a tutor.
