
Hacking from a network: SYN flood and TCP Sequence number prediction attacks


1
IDIC – SANS GIAC LevelTwo
©2000, 2001
1
Hacking from a network
SYN flood and TCP Sequence
number prediction attacks
Greetings. This is the oldie-but-goody section of the course. This next section is important for a
number of reasons.
If you think about it, attacks occur in stages. In general the attacker has to perform reconnaissance to
home in on the target and find its weaknesses. Then there is an initial attack, often minimal; in the
book Network Intrusion Detection we referred to this as the “grappling hook”. Finally, the attacker
completes the kill. This attack shows each of these stages.
This attack took 16 seconds to complete. When we were discussing automated response, we used 16
seconds as a measuring rod. How fast can you run? How fast can you type?
Finally, you really can’t run around in intrusion detection circles if you are not familiar with the
so-called Mitnick attack.
What we will cover
• TCP SYN
  – Review of TCP
  – Theory of attack
  – Implementation
• IP SPOOF
  – Theory of attack
  – Implementation details
  – Tsutomu Shimomura example
The information on the Mitnick attack is drawn primarily from Shimomura’s post on the subject.


The initial header of the news posting is shown below.
Source: (Tsutomu Shimomura), comp.security.misc Date: 25 Jan 1995
**************************************************************************
There seems to be a lot of confusion about the IP address spoofing and connection hijacking attacks
described by John Markoff's 1/23/95 NYT article, and CERT advisory CA-95:01. Here are some
technical details from my presentation on 1/11/95 at CMAD 3 in Sonoma, California.
It’s a SYN!
SYN attacks, theory and
implementation
We want to introduce the notion of an “elegant” SYN flood. The basic approach is to take advantage
of an engineering decision to have a fixed resource allocation, and to use more of the resource than
the designers expected and/or to take advantage of the consequences of using more of the resource.
During this section of the course we are going to make several references to layering. Please
consider this refresher from your TCP section, using the trace shown below, which starts with an IP
header:
4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101 12e8 0438 0387 1f33 0000 0000 7002 2000
3d45 0000 0204 0218 0101 0402
As you know the IP header is 20 bytes; the second hex digit being a 5 tells us there are no options set
for this header. The IP header,
4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101
has no idea how to interpret the higher layer, the TCP header. It doesn’t know the DEST port is
1080 (socks or wingate), as shown by the 0x0438. If something goes wrong at this layer, at most the
IP layer will encapsulate part of the message in an ICMP packet and return it.
TCP Header - SYN Flag
[Figure: a frame header carrying an IP datagram header and its data; the IP data is a TCP header
(20 bytes without options) followed by its own data. TCP header fields shown: Source Port,
Destination Port, Sequence No., ACK No., HDR Length, Flags (URG, ACK, PSH, RST, SYN, FIN),
Window Size, Checksum, Urgent Offset, Options.]
We may also refer to a SYN packet as an active open.
As you know, the SYN flag is in byte 13 of the TCP header; the pattern we see for byte 13 in our
sample trace is 0x02, the low byte of the block 0x7002.
4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101 12e8 0438 0387 1f33 0000 0000 7002 2000
3d45 0000 0204 0218 0101 0402
Again, as we move forward in this section, it will be important to establish that the IP header will
never care that a higher level protocol is sending a SYN.
TCP cares, though, in a big way, and as you know it would respond with a SYN/ACK if the port was
open and it was willing to talk on that port. Once the server sends the SYN/ACK, the server is
committed to the connection, and the connection is considered established.
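To make the layering point concrete, here is an added example (not code from the course or from the slide authors) that decodes the slide's own hex trace field by field with Python's struct module: the IP layer is parsed first, the TCP header is handed over as opaque payload, and byte 13 of that payload is pulled out as the flag byte. It also recomputes the IP header checksum; the recomputed value (0xe429) does not match the 0xb94c recorded in the trace, which the decoder simply reports rather than hides (the assumption here is that the trace was edited before it went into the slides). The hex string is the trace as printed on the slide; every other name in the block is the example's own.

```python
# Added example (not from the SANS slides): decode the slide's IP + TCP header trace.
# SLIDE_TRACE is the hex printed on the slide, copied as-is (mixed case included).
import struct
from ipaddress import IPv4Address

SLIDE_TRACE = (
    "4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101 "
    "12e8 0438 0387 1f33 0000 0000 7002 2000 "
    "3d45 0000 0204 0218 0101 0402"
)

# Bit positions of the six classic flags in byte 13 of the TCP header.
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def hex_to_bytes(trace):
    return bytes.fromhex(trace.replace(" ", ""))


def ip_checksum(header):
    """RFC 791 checksum: one's-complement sum of 16-bit words with the checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip(packet):
    """Fixed 20-byte IP header; the IP layer does not interpret what follows it."""
    vihl, tos, total_len, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (vihl & 0x0F) * 4  # second hex digit: header length in 32-bit words
    return {
        "version": vihl >> 4,
        "ihl_bytes": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "frag": frag,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ip_checksum(packet[:ihl]) == csum,
        "src": str(IPv4Address(packet[12:16])),
        "dst": str(IPv4Address(packet[16:20])),
        "payload": packet[ihl:total_len],  # opaque to IP; TCP if protocol == 6
    }


def parse_tcp_options(opts):
    """Decode the kind/length/value option list; NOP (1) and EOL (0) are single bytes."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        value = opts[i + 2:i + length]
        if kind == 2:
            out.append(("MSS", struct.unpack("!H", value)[0]))
        elif kind == 4:
            out.append(("SACK-permitted", None))
        else:
            out.append((f"kind{kind}", value.hex()))
        i += length
    return out


def parse_tcp(segment):
    """TCP header: 20 fixed bytes, then options up to the data offset."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x3F  # low six bits of byte 13
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_bytes": data_offset,
        "flag_byte": segment[13],
        "flags": sorted(name for bit, name in TCP_FLAG_NAMES.items() if flags & bit),
        "window": window,
        "checksum": csum,
        "urgent": urg,
        "options": parse_tcp_options(segment[20:data_offset]),
    }


def decode_trace(trace=SLIDE_TRACE):
    """Return (ip_fields, tcp_fields); tcp_fields is None when the payload is not TCP."""
    packet = hex_to_bytes(trace)
    ip = parse_ip(packet)
    tcp = parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None
    return ip, tcp


if __name__ == "__main__":
    ip, tcp = decode_trace()
    for k, v in ip.items():
        if k != "payload":
            print(f"IP  {k:14} {v}")
    for k, v in tcp.items():
        print(f"TCP {k:14} {v}")
```

Run as a script it prints each layer's fields; the port 1080 and the SYN-only flag byte come out exactly as the slide reads them off the hex, and the options list shows the MSS, two NOPs and SACK-permitted that make the TCP header 28 bytes rather than 20.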
Server Memory

• TCP is stateful, so the server must keep track of all these various condition states and
  sequence numbers, in BSD:
  – Socket stuff (program interface to networking)
  – IP stuff
  – TCP stuff
For the server to commit to the connection it has to allocate memory since this is a stateful
connection.
When was TCP invented? How much memory could you buy on a system in 1982? The protocol
designers felt they had to set limits.
Optional sidebar: "The Internet is an outgrowth of a project from the 1970's by the US Department
of Defense Advanced Research Projects Agency (ARPA). The ARPANET, as it was then called, was
designed to be a non-reliable network service for computer communications over a wide area. In
1973 and 1974, a standard networking protocol, a communications protocol for exchanging data
between computers on a network, emerged from the various research and educational efforts
involved in this project. This became known as TCP/IP or the IP suite of protocols. The TCP/IP
protocols enabled ARPANET computers to communicate irrespective of their computer operating
system or their computer hardware."
Structure
/* Derived from the BSD netinet/ip.h definition. The order of the two 4-bit fields depends on
   the host byte order, which BSD tests with BYTE_ORDER rather than a machine name. */
#include <sys/types.h>
#include <sys/param.h>          /* BYTE_ORDER, LITTLE_ENDIAN, BIG_ENDIAN */
#include <netinet/in.h>         /* struct in_addr */

struct ip {
#if BYTE_ORDER == LITTLE_ENDIAN
    u_char  ip_hl:4,            /* header length (32-bit words) */
            ip_v:4;             /* version */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_char  ip_v:4,             /* version */
            ip_hl:4;            /* header length (32-bit words) */
#endif
    u_char  ip_tos;             /* type of service */
    short   ip_len;             /* total length */
    u_short ip_id;              /* identification */
    short   ip_off;             /* fragment offset field */
#define IP_DF 0x4000            /* don't fragment flag (BSD value) */
#define IP_MF 0x2000            /* more fragments flag (BSD value) */
    u_char  ip_ttl;             /* time to live */
    u_char  ip_p;               /* protocol */
    u_short ip_sum;             /* checksum */
    struct  in_addr ip_src, ip_dst; /* source and dest address */
};
All it takes is memory (and plenty of it)
If you aren’t a C programmer, don’t worry. A struct, in this case struct ip, can be thought of as a
database record and the items inside as fields for that record. Every time a new connection is
processed, these structs have to be created for socket, ip, and other protocol information. That takes
memory. Since memory is finite and was particularly limited during the early days of IP network
implementation, limits had to be set. The SYN flood attack exploits the limit of the number of
connections that are waiting to be established.
Resources are finite
• Either the system would continue to allocate memory each time a TCP connection is
  established (SYN packet is received), OR
• Establish a finite number of concurrent connections with a waiting queue of stuff still in the
  3 way handshake phase (not yet established connections). This queue is fairly small (5 - 10).
The designers of TCP protocol stacks had a decision to make, and they chose to allow only a small
number of connections waiting to happen. I wanted to remind you of the three-way handshake in
hopes of getting you to think about all the things that have to happen. If you consider the struct on
the previous slide and think about the resources required, there are 12 fields in an IP header alone.
The TCP header has options set, so it has more than its minimum number of 15. This is one reason a
server is never committed to a connection simply because it receives a SYN!
Back then, believe it or not, the Internet was not 100% reliable as it is today ☺ and they decided to
prioritize established connections over connections waiting to be established. That was perfectly
reasonable.
More on state
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 gumby.3064 nntp.nntp ESTABLISHED
tcp 0 0 gumby.3049 192.215.107.72.http CLOSE_WAIT
tcp 0 0 gumby.3047 192.215.107.72.http CLOSE_WAIT
tcp 0 0 gumby.1019 joatmon.login ESTABLISHED
tcp 56 0 gumby.3386 128.10.17.72.ftp CLOSE_WAIT
tcp 0 0 gumby.1022 mmm.login ESTABLISHED
tcp 0 0 gumby.1423 el98.telnet ESTABLISHED

tcp 0 0 gumby.1023 vicegrep.login ESTABLISHED
tcp 0 0 *.6000 *.* LISTEN
tcp 0 0 *.2000 *.* LISTEN
tcp 0 0 *.domain *.* LISTEN
tcp 0 0 *.time *.* LISTEN
tcp 0 0 *.login *.* LISTEN
tcp 0 0 *.shell *.* LISTEN
tcp 0 0 *.telnet *.* LISTEN
tcp 0 0 *.ftp *.* LISTEN
tcp 0 0 *.730 *.* LISTEN
tcp 0 0 *.sunrpc *.* LISTEN
NOTE: queues, state, think memory
As we continue to set the stage we see a system with connections in a variety of states. See the
CLOSE_WAIT? That is waiting for an acknowledgement of a FIN. The LISTENs are active ports
or services waiting for an incoming packet.
This is the output of netstat -a on a Unix system, though you can type the same command on
Windows, and we recommend you try it from time to time; it can be very educational. This is to
demonstrate that a connected system may have multiple active connections at one time, each
requiring memory.
NOTE: some security professionals do not fully trust the output from Windows netstat. There is a
replacement netstat on securify.packetstorm.com that you might want to evaluate.
Getting down to it
[Figure: a SYN arrives at a listening service; the server allocates socket{}, ip{} and tcp{} state,
answers with a SYN/ACK, and holds that state until timeout.]
When an attacker sets up a SYN flood, he has no intention of completing the three-way handshake
and actually establishing the connection. Rather, the goal is to exceed the limits that are set for the
number of connections waiting to be established. This can cause the system under attack to be
unable to establish any additional connections until the number of waiting connections drops below
the threshold. Until the threshold limit is met, each SYN packet generates a SYN/ACK that stays in
the queue, which is generally between five and ten total connections waiting to be established.
There is a timer for each connection, a limit to how long the system will wait for the connection to be
established. The hourglass in your slide represents the timer that is usually set for about a minute.
When the time limit is exceeded, the memory that holds the state for that connection is released and
the queue is decremented by one. Once the limit has been reached, the queue can be kept full,
preventing the system from establishing new connections with about ten packets per minute.
Basics of the SYN attack
• SYN, but do not complete 3 Way handshake
• Make server believe a non-existent host is the client (host unreachable) by IP Spoofing, so the
  SYN/ACKs go nowhere.
• Only takes a few (5 - 10) SYNs to seal off a service for the period of the timer, 60 - 100 seconds
Now we are down to the close: the attacker is taking advantage of the engineering tradeoff of
limiting the number of active queues. Older operating systems react very poorly to this condition
and are rendered unable to communicate. Yup, that is right: if their queue filled up because of
incoming packets, they were unable to process outgoing packets on that service. This particular
problem is fixed on most modern operating systems.
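The queue and timer described on this slide and the two before it can be modelled in a few lines. The following is an added example, not material from the course: a discrete-event model of the half-open queue using the backlog size (10) and timer (60 s) quoted on the slides. It shows a burst of unanswered SYNs every minute keeping a legitimate client out, the same burst from a reachable address (one that answers the SYN/ACK with a RST) doing no harm, and the effect of holding no per-SYN state at all, which is the SYN-cookie approach described in RFC 4987. The addresses, timings and the 'client' / 'reachable' / 'unreachable' labels are constructed for the model and are not from the slides.

```python
# Added example (not code from the SANS slides): an event model of the half-open
# connection queue the slides describe. backlog=10 and timeout=60 s are the values the
# slides quote; hosts, addresses and timings below are constructed for the model.
from dataclasses import dataclass, field


@dataclass(eq=False)
class HalfOpen:
    src: str
    created: float        # time the SYN/ACK was sent and state was allocated


@dataclass
class ListenQueue:
    backlog: int = 10            # slide: the waiting queue "is fairly small (5 - 10)"
    timeout: float = 60.0        # slide: the hourglass "is usually set for about a minute"
    syn_cookies: bool = False    # mitigation: keep no per-SYN state (RFC 4987 style)
    pending: list = field(default_factory=list)
    established: list = field(default_factory=list)
    refused: list = field(default_factory=list)   # (time, src) of SYNs dropped for lack of room

    def expire(self, now):
        """Timer ran out: release the memory and decrement the queue."""
        self.pending = [h for h in self.pending if now - h.created < self.timeout]

    def syn(self, now, src, src_behaviour):
        """A SYN arrives claiming to be from `src`; the server answers SYN/ACK and must then
        wait for an ACK, a RST or its timer. `src_behaviour` models the claimed source:
          'client'       real client, completes the three-way handshake with an ACK
          'reachable'    live host that never sent a SYN: replies RST, state is released
          'unreachable'  powered-off or non-existent host: the SYN/ACK goes nowhere
        """
        self.expire(now)
        if self.syn_cookies:
            # Nothing is allocated per SYN; only a completing ACK creates a connection.
            if src_behaviour == "client":
                self.established.append(src)
                return "established"
            return "stateless"
        if len(self.pending) >= self.backlog:
            self.refused.append((now, src))
            return "refused"
        self.pending.append(HalfOpen(src, now))
        if src_behaviour == "client":
            self.pending.pop()
            self.established.append(src)
            return "established"
        if src_behaviour == "reachable":
            self.pending.pop()               # RST: "I never asked for a connection"
            return "reset"
        return "half-open"                   # sits in the queue until the timer fires


def run_flood(spoofed_behaviour, syns_per_burst=10, bursts=3, period=61.0,
              backlog=10, syn_cookies=False):
    """Attacker sends a burst of SYNs from one spoofed address every `period` seconds; a
    legitimate client tries to connect 30 s after each burst. Returns the client's results."""
    q = ListenQueue(backlog=backlog, syn_cookies=syn_cookies)
    results = []
    for b in range(bursts):
        t0 = b * period
        for i in range(syns_per_burst):
            q.syn(t0 + i * 0.1, "192.0.2.99", spoofed_behaviour)    # constructed TEST-NET-1 source
        results.append(q.syn(t0 + 30.0, "198.51.100.7", "client"))  # constructed real client
    return results


if __name__ == "__main__":
    print("unreachable spoof, 10 SYNs/min  :", run_flood("unreachable"))
    print("unreachable spoof, 5 SYNs/min   :", run_flood("unreachable", syns_per_burst=5))
    print("reachable spoof (RST comes back):", run_flood("reachable"))
    print("SYN cookies enabled             :", run_flood("unreachable", syn_cookies=True))
```

The model makes the slide's arithmetic visible: ten unanswered SYNs fill a ten-entry backlog, every entry lives out the full timer, and a fresh burst just after expiry keeps the client refused indefinitely, while five SYNs per minute never fill it. A reachable "spoofed" host frees its entry at once with a RST, which is why the attack needs an address that is routable but silent.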
Duration of attack
6 - 10 SYNs every minute or so will disable
a service until the attacker decides to:
go away and SYN no more.
This was an elegant attack, for a small number of packets an attacker could freeze a particular
service on a host computer.
IP Spoof Handwaving
• How do we spoof the target so that the sender appears to be an unreachable host?
  – We need a real, routable, unreachable host, such as a PC that gets turned off at night and
    so forth.
  – We need to assemble the packet ourselves, or else the OS would put in the correct SRC
    address.
If the spoofed computer were reachable it would send a packet with the RESET flag set. That, in
essence, says: what are you talking about with a SYN/ACK? I never asked for a connection. That
pattern is shown below.
06:44:09 srn.com.113 > 192.168.162.67.2226: S 761:761(0) ack 674 win 8192
06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0
When the target computer received the reset packet, it would simply release its connection and
recycle the memory. So what we must do now is create a forged packet. We must lie about our
source address as the sender and claim we are some other IP address. This is often called spoofing.
The characteristics of this IP address are that it is valid, routable to, and not active or reachable.
Many sites have a large number of unused IP addresses and do not employ network address
translation. They tend to be the stars of this particular show.
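The RST-in-reply-to-SYN/ACK pattern in the trace above is something an analyst can look for in a capture, along with SYN/ACKs that are never answered at all (the unreachable case from the earlier slides). The following is an added example, not code from the course: a small Python detector that reads tcpdump lines in the same format as the slide's trace and reports both conditions. The capture it runs over is constructed for the example (srv.example and the 192.0.2.x / 203.0.113.x addresses are documentation values), and the threshold of five half-open connections is chosen to match the queue sizes quoted on the slides.

```python
# Added example (not from the SANS slides): read old-style tcpdump lines and flag
#   1. a RST sent in reply to a SYN/ACK (claimed source never asked for the connection), and
#   2. SYN/ACKs to one listening socket that are never completed or reset (half-open pile-up).
# SAMPLE_CAPTURE is constructed for this example; the hosts in it are not real.
import re
from collections import defaultdict

# "TIME SRC.PORT > DST.PORT: FLAGS [SEQ:SEQ(LEN)] [ack N] win W", as in the slide's trace.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>[^\s.:]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"(?P<flags>[SRPF.]+)(?: \d+:\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

SAMPLE_CAPTURE = """\
06:44:09 10.1.1.5.1025 > srv.example.80: S 1000:1000(0) win 8192
06:44:09 srv.example.80 > 10.1.1.5.1025: S 5000:5000(0) ack 1001 win 8192
06:44:09 10.1.1.5.1025 > srv.example.80: . ack 5001 win 8192
06:44:10 192.0.2.99.2001 > srv.example.80: S 2001:2001(0) win 512
06:44:10 srv.example.80 > 192.0.2.99.2001: S 6001:6001(0) ack 2002 win 8192
06:44:10 192.0.2.99.2002 > srv.example.80: S 2002:2002(0) win 512
06:44:10 srv.example.80 > 192.0.2.99.2002: S 6002:6002(0) ack 2003 win 8192
06:44:11 192.0.2.99.2003 > srv.example.80: S 2003:2003(0) win 512
06:44:11 srv.example.80 > 192.0.2.99.2003: S 6003:6003(0) ack 2004 win 8192
06:44:11 192.0.2.99.2004 > srv.example.80: S 2004:2004(0) win 512
06:44:11 srv.example.80 > 192.0.2.99.2004: S 6004:6004(0) ack 2005 win 8192
06:44:11 192.0.2.99.2005 > srv.example.80: S 2005:2005(0) win 512
06:44:11 srv.example.80 > 192.0.2.99.2005: S 6005:6005(0) ack 2006 win 8192
06:44:12 203.0.113.8.3000 > srv.example.80: S 3000:3000(0) win 512
06:44:12 srv.example.80 > 203.0.113.8.3000: S 7000:7000(0) ack 3001 win 8192
06:44:12 203.0.113.8.3000 > srv.example.80: R 3001:3001(0) win 0
"""


def parse_line(line):
    """Return the fields of one tcpdump line, or None if the line is not in that format."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["syn"] = "S" in d["flags"]
    d["rst"] = "R" in d["flags"]
    d["is_ack"] = d["ack"] is not None
    return d


def analyse(capture, half_open_threshold=5):
    """Walk the capture once, keeping one state record per (client socket, server socket)."""
    flows = {}            # (client, server) -> {"synack": bool, "acked": bool, "rst": bool}
    rst_after_synack = []  # (time, client socket, server socket)

    def record(key):
        return flows.setdefault(key, {"synack": False, "acked": False, "rst": False})

    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        a = f"{p['src']}.{p['sport']}"
        b = f"{p['dst']}.{p['dport']}"
        if p["syn"] and not p["is_ack"]:        # client SYN: a -> b
            record((a, b))
        elif p["syn"] and p["is_ack"]:          # server SYN/ACK: b is the claimed client
            record((b, a))["synack"] = True
        elif (a, b) in flows and flows[(a, b)]["synack"]:
            if p["rst"]:                        # RST from the claimed client after our SYN/ACK
                flows[(a, b)]["rst"] = True
                rst_after_synack.append((p["ts"], a, b))
            elif p["is_ack"]:                   # third packet of the handshake
                flows[(a, b)]["acked"] = True

    half_open = defaultdict(list)
    for (client, server), st in flows.items():
        if st["synack"] and not st["acked"] and not st["rst"]:
            half_open[server].append(client)

    alerts = []
    for srv, clients in half_open.items():
        if len(clients) >= half_open_threshold:
            hosts = {c.rsplit(".", 1)[0] for c in clients}
            alerts.append(f"{srv}: {len(clients)} half-open connections from {len(hosts)} source host(s)")
    return {"half_open": dict(half_open), "rst_after_synack": rst_after_synack, "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE)
    for ts, client, server in result["rst_after_synack"]:
        print(f"{ts} RST from {client} in reply to SYN/ACK from {server}: claimed source never sent a SYN")
    for alert in result["alerts"]:
        print("ALERT", alert)
```

On the sample capture the legitimate client's handshake completes and is ignored, the 203.0.113.8 exchange is reported as the slide's "I never asked for a connection" pattern, and the five unanswered SYN/ACKs to srv.example.80 trip the half-open alert. On a live capture the same state table would be aged by time, exactly as the server's own queue is.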
